LetsEncrypt for Behind Firewall / On Intranet

I need some help understanding the DNS-01 challenge and SSL certificates for behind-the-firewall/internal servers.

I have googled quite a bit. From what I have understood, in order to be able to issue certificates for internal servers I need:

  • A publicly registered domain, e.g. mydomain.net on Route53 or some other DNS provider with ACME support.
  • One publicly exposed ACME client (Certbot, ACME.sh, etc.) which uses the DNS-01 challenge.
  • A way to distribute the certs from the exposed ACME client to the internal hosts so they can be used by Nginx, Apache2, Traefik, etc.

My question is: what is the simplest and best way to get the certificates distributed to the hosts for use?

Also I can’t help but think that an ACME client that could act as a proxy would be the best solution.
E.g.

  • The ACME client on host xxx contacts the ACME proxy (publicly known and reachable) and says "I need a certificate for xxx.mydomain.net".
  • The ACME proxy does the DNS-01 challenge with LetsEncrypt, gets the certificate and returns it to the ACME client on host xxx.

So basically the proxy pretends to be LetsEncrypt where Traefik for example can be configured to point to the proxy and think it is talking to LetsEncrypt.

Does something like this exist?

  • Getting certs from LetsEncrypt would remove the need to distribute root/intermediate certs to machines on the intranet.
  • Having a proxy would reduce security issues.
  • Having a proxy like this would also be much simpler implementation-wise for internal web servers. No need to manage an rsync setup or some such. Same pattern for all internal web servers across all development teams.
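The DNS-01 step the poster is asking about, as an added worked example that is not from this thread or from any of the clients it names: given the token the CA puts in the challenge object and the ACME account key, an ACME client derives the TXT record it must publish (RFC 8555 section 8.4, with the RFC 7638 JWK thumbprint), and the CA recomputes the same value and compares it with what DNS returns. Only the account key and the token enter the record, so the internal host that will later serve the certificate never has to be reachable from the Internet. The account-key members and the token below are constructed sample values, not a real key or a real challenge.

```python
"""
DNS-01 (RFC 8555 s.8.4): the ACME client proves control of a name by publishing

    _acme-challenge.<domain>.  TXT  base64url(SHA-256(<token> "." <thumbprint>))

<token>      is taken from the CA's challenge object,
<thumbprint> is the RFC 7638 JWK thumbprint of the ACME *account* key.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required public members, sorted by name,
    serialised with no whitespace. Extra members (alg, kid, ...) and the
    order the key was stored in must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.1: token "." thumbprint, shared by all challenge types."""
    return token + "." + jwk_thumbprint(account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(identifier: str, token: str, account_jwk: dict):
    """Client side: return (owner name, TXT value) to publish.

    A wildcard identifier (*.mydomain.net) is validated at the base name,
    so the leading "*." is dropped from the record owner.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base + ".", dns01_txt_value(token, account_jwk)


def ca_validates(published_txt_values, token: str, account_jwk: dict) -> bool:
    """CA side: recompute the expected value and look for it among the TXT
    records resolved for the name. Several may coexist while records rotate,
    so any match is enough; anything else (stale value, wrong account) fails."""
    return dns01_txt_value(token, account_jwk) in published_txt_values


# Constructed sample inputs (not a real key, not a real challenge): the public
# members of an EC account key as a JWK, plus the extra members a client often
# stores alongside them, and a 43-character token like the ones CAs issue.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256", "alg": "ES256", "kid": "acct-1",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    name, value = dns01_record("*.mydomain.net", TOKEN, ACCOUNT_JWK)
    print(name, "TXT", value)
    print("CA accepts:", ca_validates([value], TOKEN, ACCOUNT_JWK))
    print("CA accepts stale token:", ca_validates([value], TOKEN[:-1] + "B", ACCOUNT_JWK))
```

Because the record is bound to the account key, whichever machine holds that key (the publicly placed client, or a proxy acting for many hosts) is the one that can answer the challenge; a host that only receives the finished certificate does not need the account key at all.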

It really depends on how much access outside of the internal network is allowed to those internal devices (or into them).
The simplest solution would be to rsync the folder with the certs from the outside system to an inside system (rsync can sync in either direction).
If the networks are really, really separated, then you could maybe allow the internal systems to retrieve the cert information via some proxied method (like DNS) so there is no direct contact from the inside systems to any outside systems (only through the proxy).
But again, all solutions start with the answer to the question: how much access does the internal network have to any other network, or vice versa?


You can't MITM such a secured connection.
It would have to be some newly developed delegated authority (which would not scale well at all - outside any single organization).


@rg305

Ah, yes. Hadn't quite thought that one through. I have been looking at smallstep's internal CA with ACME support. I think I will continue down that road for now.

Thank you very much for the replies :smile:

