Multiple servers under one router

Hi,

I have three servers requiring SSL certs under one router: Synology NAS, Windows Server and a Raspberry Pi. AFAIK Let’s Encrypt only works on port 80 and 443, does that mean I can only assign one of the three servers to Let’s Encrypt’s auto renewal?

Hi @NepgearGo,

Did you want to access all three servers under the same domain name?

Do you mind using the same certificate across all three devices rather than obtaining a separate certificate on each one?

Hello, I don’t think it’s possible? The three servers all have different purposes.

Sorry, I didn’t understand which question of mine you were answering there.

hi @NepgearGo

What are you using the certificates for?

Are you securing web interfaces or some other interfaces?

Does each server have its own FQDN (fully qualified domain name)?

Andrei

Hello,

They are web interfaces. I have already secured my NAS’s management interface with SSL, but would like to secure my Pi’s web interfaces as well. They have their own domain names and I can visit the unsecured web pages using custom ports from outside the LAN.

Hi @NepgearGo

The easiest way to achieve this is to use the DNS challenges (if you can)

You can run certbot on each of your servers or try a load balancer that directs all ACME requests to one server only

Andrei

To expand on this, you can’t directly get certificates for the individual devices using custom ports without some additional configuration.

The easiest approach if you have an API-based method to update the DNS zone for your domain is the DNS-01 challenge that @ahaw021 mentions. Then each device can run a client that can make the requested DNS changes that the certificate authority asks for, and then get its own certificate that way.

If not, there is a more complex approach where the certificate authority is willing to follow HTTP redirects (including to a different port number) from an initial connection on port 80, when using the HTTP-01 challenge method. (This challenge method is implemented in Certbot by --webroot, and optionally by --standalone when you don’t have or don’t want to use an existing web server to receive the challenge connections.)

So if you have one of the machines that receives web connections on port 80 of your shared IP address, if this machine can be configured to look at the host name in the HTTP request and then generate a 301 redirect with the appropriate host name and port number, the certificate authority will follow those redirects and then connect on the other port, allowing it to complete the validation.

For example, suppose that you have foo.example.com:8080, bar.example.com:9090, and baz.example.com:8585, and that they all have the same public IP address. Suppose that port 80 on that IP address is forwarded to foo.example.com:8080. Then if you can make the HTTP listener on foo.example.com look at the hostname and redirect requests for bar.example.com to bar.example.com:9090, and for baz.example.com to baz.example.com:9090 — preserving the URL path! — then each device would be able to pass the HTTP-01 challenge on its desired port number and get its own certificate by running its own Let’s Encrypt client application.
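A minimal host-aware redirector for the scheme described above, as an added example that is not from this thread or from Certbot. It listens on the one port 80 the router forwards and answers every request with a 301 to the same hostname on that device's own port, keeping the URL path; the hostnames and ports are the constructed ones from the post, and unlike the post's variant it redirects foo to its own port as well instead of serving the redirects from foo's 8080 listener.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed map (hostnames/ports from the post above): public name -> the
# port the device really listens on. Added example, not the thread's code.
BACKENDS = {
    "foo.example.com": 8080,
    "bar.example.com": 9090,
    "baz.example.com": 8585,
}

def redirect_target(host_header: Optional[str], path: str) -> Optional[str]:
    """Location for the 301, or None if the Host header is not one of ours.

    Only the hostname part of Host is used (clients may send 'bar.example.com:80');
    unknown hosts get no redirect, so this is not an open redirector.
    """
    if not host_header:
        return None
    host = host_header.split(":", 1)[0].strip().lower()  # drop any :port
    port = BACKENDS.get(host)
    if port is None:
        return None
    if not path.startswith("/"):  # keep origin-form request paths intact
        path = "/" + path
    # Same host, device's own port, full path: the ACME token URL survives.
    return f"http://{host}:{port}{path}"

class Redirector(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404, "unknown host")
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

if __name__ == "__main__":
    # Port 80 needs root or CAP_NET_BIND_SERVICE; run it on the one host
    # the router forwards port 80 to.
    HTTPServer(("0.0.0.0", 80), Redirector).serve_forever()
```

Note that Let’s Encrypt’s current HTTP-01 validator only follows redirects to http/https URLs on ports 80 and 443, so check the CA’s documented redirect rules before relying on off-port targets like these.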
