Letsencrypt renewals for separate server

Issuance Tech
1

I’m currently hosting my website in my home servers, and using a small external server as a reverse proxy (nginx). The HTTPS with a legit cert is done at this level.

Is there any way to automatically generate just the certificate files on a dedicated certificate machine (I already set up an ubuntu 16 and did it 100% manually for the first time, cert is up and running), and from that machine push and replace the expiring certificates on the reverse proxy? I could probably come up with a script that uses ssh/scp to transfer/replace the cert/key files but I can’t figure out the letsencrypt application. It forces me to verify with files on a web server but the documentation mentions DNS validation?

I do not want any traces of letsencrypt on the reverse proxy. Nothing runs on there except nginx, firewall and ssh. I wouldn’t mind doing it manually as I have been doing for years, but with the 90 day expiration the automation process needs to actually work properly for situations where the website isn’t just on one host…

2

There are a couple of options:

  • Redirect all validation requests (i.e. ones that match /.well-known/acme-challenge/*) to a dedicated validation server using a HTTP 301 redirect. Certbot could run on that server in standalone mode and handle all the validation, renewal, pushing certificates, etc.
  • Use DNS-based validation with DNS-01. No support for this in certbot currently, but other clients like lego would work.
3

The bash script getssl was designed to do exactly this.

1 Like
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.