I need some help understanding DNS-01 challenge and SSL certificates for behind the firewall/internal servers.
I have googled quite a bit. From what I have understood, in order to be able to issue certificates for internal servers I need:
- A publicly registered domain, e.g. mydomain.net on Route53 or some other DNS provider with ACME support.
- One publicly exposed ACME client (Certbot, acme.sh, etc.) which uses the DNS-01 challenge.
- A way to distribute the certs from the exposed ACME client to the internal hosts so they can be used by Nginx, Apache2, Traefik, etc.
My question is: what is the simplest and best way to get the certificates distributed to the hosts for use?
Also I can’t help but think that an ACME client that could act as a proxy would be the best solution.
E.g.
- The ACME client on host xxx contacts the ACME proxy (publicly known and reachable) and says: I need a certificate for xxx.mydomain.net.
- The ACME proxy does the DNS-01 challenge with LetsEncrypt, gets the certificate and returns it to the ACME client on host xxx.
So basically the proxy pretends to be LetsEncrypt, so that Traefik, for example, can be configured to point to the proxy and think it is talking to LetsEncrypt.
Does something like this exist?
- Getting certs from LetsEncrypt would remove the need to distribute root/intermediate certs to machines on the intranet.
- Having a proxy would reduce security issues.
- Having a proxy like this would also be much simpler implementation-wise for internal web servers. No need to manage an rsync setup or some such. Same pattern for all internal web servers across all development teams.
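For the DNS-01 step in the flow described above, here is an added example (not from the original post, and not code from Certbot, acme.sh or any other ACME client) showing what the challenge actually consists of, as specified in RFC 8555 section 8.4 and RFC 7638: the CA hands the client a token, the client combines it with the thumbprint of its ACME account key, hashes the result and publishes it as a TXT record at `_acme-challenge.<name>`; the CA then resolves that record and compares. The token, the account key JWK and the resolver answer below are constructed sample values, not real material. Whoever holds the account key and can write to the zone is the party that can obtain certificates, which is exactly why the post's proxy idea centralises both on one reachable host.

```python
import base64
import hashlib
import json

# Constructed sample values: not a real account key, not a CA-issued token.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WqzKqz8Zmdh4V3G8o9lEWYzQ5x2v9E5hZ2yMh6B7j8Y",
    "y": "T6x0uW5lQ1w0z7Ks2v3n4j8H1FmX9QeR5c6d7e8f9g0",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, serialised as JSON with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    kty = jwk.get("kty")
    if kty not in required:
        raise ValueError(f"unsupported key type for thumbprint: {kty!r}")
    canonical = json.dumps({k: jwk[k] for k in required[kty]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's challenge token to one account key,
    so a token leaked to a third party is useless without that key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_name(identifier: str) -> str:
    """Owner name of the TXT record. A wildcard '*.name' is validated at the
    base name (the '*.' label is dropped), per RFC 8555 section 7.4."""
    name = identifier.rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}."


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The TXT rdata the client must publish: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(identifier: str, token: str, account_jwk: dict,
                   txt_rrset: list) -> bool:
    """What the CA does after the client reports the challenge ready: fetch the
    TXT RRset at _acme-challenge.<name> and accept if any record matches.
    Extra or stale records in the set do not cause a failure."""
    expected = dns01_txt_value(token, account_jwk)
    return any(rdata == expected for rdata in txt_rrset)


if __name__ == "__main__":
    ident = "xxx.mydomain.net"
    name = dns01_record_name(ident)
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'publish: {name} IN TXT "{value}"')
    # Constructed resolver answer: a stale record from an earlier order plus the new one.
    answer = ["OLD-VALUE-FROM-PREVIOUS-ORDER", value]
    print("CA accepts current order:",
          validate_dns01(ident, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, answer))
    # A token from a different order must not validate against the same record.
    print("CA accepts other token:",
          validate_dns01(ident, "another-token", SAMPLE_ACCOUNT_JWK, answer))
```

Two practical points fall out of this: the record value changes on every order, so automation that adds records must also clean up stale ones or the RRset grows without bound, and the CA queries the authoritative DNS over the public internet, which is why the zone (not the internal host) has to be reachable while the internal host never is.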