NAT'd development servers

I’ve got lots of servers running behind a router/firewall, each of them NAT’d.
I have 5 WAN IPs and they are used to segregate various services into distinct subnets.
One IP is used for internal staff services and development.
On that IP, WAN port 443 is used by everyone to access email (Zimbra).
The development servers all use the same IP address and some other WAN port.
Each of these WAN ports is forwarded and translated to [LANserverip]:443.
I am trying to use certbot-auto, but from what I can tell, there is some issue about the ACME server having to “conform” and only use port 443 - which hits the email server vs. one of the development boxes…
My first attempt is on the main dev box running LAMP on Ubuntu 14.04.5 LTS where the port forward/translation looks like:
0.0.0.0:42443 -> 192.168.100.2:443
Is there any way to use Let’s Encrypt in this environment?
TIA,
Larry

There are a couple of possible options, but whether they’d work depends on your environment:

  • Use the dns-01 challenge. You verify ownership by creating a TXT record with a token. If you want to automate this, you’ll need some sort of API from your DNS provider allowing you to update records on the fly. Some ACME clients (like lego) have integrated support for various DNS providers, so maybe you’ll find something there. certbot recently gained dns-01 support too, but I’m not quite sure what the state of automation is there.
  • If you’re not using port 80, http-01 validation is also an option. certbot supports this via the webroot and standalone plugins (the latter with --standalone-supported-challenges http-01).
  • If you’re willing to add a separate load balancer in front of your Zimbra instance, you might be able to use something like this to route validation requests based on the SNI hostname.

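What makes dns-01 the right fit for a NAT'd box like Larry's is that the CA never connects to port 443 or 80 at all; it only looks up a TXT record. It helps to know exactly what it looks for: the value is not the raw token but the base64url SHA-256 digest of the key authorization (token + "." + the RFC 7638 thumbprint of the ACME account key), published at `_acme-challenge.<domain>` (RFC 8555 section 8.4). Because the record lives under its own name, it never collides with SPF or DKIM TXT records at the zone apex. The Python below is an added example, not code from this thread or from Certbot; the account key and token are sample values, not a live key, and the "server side" check takes the DNS answer as a list instead of doing a real query so it runs offline.

```python
"""dns-01: what the ACME client must publish and what the CA checks.

Added example, not from the original thread or from Certbot.
Follows RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK thumbprint).
"""
import base64
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample input: an ACME account public key (EC P-256 JWK)
# and the token the CA returned in the challenge object. Placeholder
# values for illustration only, not a key in use anywhere.
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
CHALLENGE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Members that go into the thumbprint, per RFC 7638 section 3.2.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (sorted keys, no whitespace)
    of the required public members only."""
    kty = jwk["kty"]
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported key type {kty!r}")
    subset = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[kty]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. Binds the challenge to
    the account key, so a record set by someone else's account is useless."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return (TXT record name, TXT value) the client has to publish."""
    name = f"_acme-challenge.{domain}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def looks_like_digest(value: str) -> bool:
    """A base64url SHA-256 digest is exactly 43 unpadded URL-safe characters."""
    alphabet = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
    return len(value) == 43 and all(c in alphabet for c in value)


def server_side_check(published_txt: List[str], domain: str, token: str,
                      jwk: Dict[str, str]) -> bool:
    """What the CA does: look up TXT for _acme-challenge.<domain> and accept
    if any answer equals the expected digest. The DNS answer is passed in
    as a list here instead of doing a live query."""
    _, expected = dns01_record(domain, token, jwk)
    return expected in published_txt


if __name__ == "__main__":
    name, value = dns01_record("dev1.example.com", CHALLENGE_TOKEN, ACCOUNT_JWK)
    print(f"publish TXT {name} = {value}")
    print("CA would accept:", server_side_check([value], "dev1.example.com",
                                                CHALLENGE_TOKEN, ACCOUNT_JWK))
```

Two things the code makes concrete: the published value changes if either the token or the account key changes, so an attacker who can read the token off the wire still cannot satisfy the challenge with their own account; and the record name is per host (`_acme-challenge.dev1.example.com`), so each development box gets its own record and nothing else in the zone needs to be rewritten.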
I’ve created a short node.js script that I can call at the command line to set the token value in a TXT record for my domain at GoDaddy. It very simply replaces all TXT records with the new one. That should allow me to use the dns-01 challenge.
What I can’t figure out is how to get the token back from certbot-auto so I can script the entire process and place it in cron…
I’d think there would be a preliminary command to get the dns-01 token, then set the TXT record and then request the cert.
Is there a sample anywhere on automating a dns-01 challenge in such a manner?
Thanks,
Larry

Hi @Development,

Something like this was very recently included in Certbot using the script plugin, which lets you run a script to perform the challenges, and provides environment variables with the challenge details. script is merged on Certbot master so you will have it available if you’re using certbot-auto and letting it update, but not yet if you’re using a Certbot package from an operating system package manager or from pip, as it’s not part of a release yet. But I think it will be able to do what you want once you have it.

Previously Certbot did not really support using your own scripts to perform validation challenges, so it didn’t have a convenient way to make this information available (as opposed to running scripts before and after obtaining the certificate, which has been available for a while).

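The automation Larry is after has the shape of a hook: Certbot computes the TXT value, hands it to a script through the environment, the script pushes it to the DNS provider, and Certbot then asks the CA to validate. The Python below is an added example of such a hook; it is not Certbot's script plugin and not Larry's node.js script. Assumptions, also marked in the code: the hook receives the hostname in `CERTBOT_DOMAIN` and the already-digested TXT value in `CERTBOT_VALIDATION` (the names Certbot later used for its `--manual-auth-hook` interface; the thread does not name the script plugin's variables), and GoDaddy's REST API accepts `PUT https://api.godaddy.com/v1/domains/<zone>/records/TXT/<name>` with an `Authorization: sso-key KEY:SECRET` header to replace the TXT records at that one name (taken from GoDaddy's published API, not from this thread). Unlike a script that replaces every TXT record in the zone, this request only touches `_acme-challenge.<host>`, so SPF, DKIM and domain-verification records survive each renewal.

```python
"""DNS authentication hook for a dns-01 challenge against GoDaddy.

Added example; not Certbot's script plugin and not the thread author's
node.js script. Assumed interface:
  CERTBOT_DOMAIN      hostname being validated (e.g. dev1.example.com)
  CERTBOT_VALIDATION  TXT value Certbot already computed
  GODADDY_KEY / GODADDY_SECRET  API credentials, read from the environment
  (never from argv, which is visible to every local user via ps)
Assumed GoDaddy endpoint: PUT /v1/domains/<zone>/records/TXT/<name>.
"""
import json
import os
import sys
import time
import urllib.request
from typing import Dict, Tuple

GODADDY_API = "https://api.godaddy.com/v1"  # assumed base URL
PROPAGATION_WAIT_SECONDS = 30               # crude wait before the CA queries DNS


def split_zone(fqdn: str) -> Tuple[str, str]:
    """Split a hostname into (registered zone, relative record name).

    'dev1.example.com' -> ('example.com', '_acme-challenge.dev1')
    A leading '*.' (wildcard) is dropped, since its challenge record sits
    at the base name. Assumes the zone is the last two labels; zones like
    example.co.uk need a different rule.
    """
    if fqdn.startswith("*."):
        fqdn = fqdn[2:]
    labels = fqdn.rstrip(".").split(".")
    zone = ".".join(labels[-2:])
    host = ".".join(labels[:-2])
    name = "_acme-challenge" + (f".{host}" if host else "")
    return zone, name


def build_request(fqdn: str, txt_value: str, api_key: str, api_secret: str,
                  ttl: int = 600) -> Dict[str, object]:
    """Build the HTTP request that sets exactly one TXT record at
    _acme-challenge.<host>. Returned as a plain dict so it can be inspected
    and tested without network access. ttl=600 is the lowest value the
    GoDaddy API is assumed to accept."""
    zone, name = split_zone(fqdn)
    body = [{"data": txt_value, "ttl": ttl}]
    return {
        "method": "PUT",
        "url": f"{GODADDY_API}/domains/{zone}/records/TXT/{name}",
        "headers": {
            "Authorization": f"sso-key {api_key}:{api_secret}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(body).encode("utf-8"),
    }


def send(req: Dict[str, object]) -> int:
    """Perform the request and return the HTTP status (network access)."""
    http_req = urllib.request.Request(
        str(req["url"]), data=req["body"], method=str(req["method"]),
        headers=req["headers"])
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return resp.status


def main() -> int:
    env = {k: os.environ.get(k) for k in
           ("CERTBOT_DOMAIN", "CERTBOT_VALIDATION", "GODADDY_KEY", "GODADDY_SECRET")}
    missing = [k for k, v in env.items() if not v]
    if missing:
        print("missing environment variables: " + ", ".join(missing), file=sys.stderr)
        return 2
    req = build_request(env["CERTBOT_DOMAIN"], env["CERTBOT_VALIDATION"],
                        env["GODADDY_KEY"], env["GODADDY_SECRET"])
    status = send(req)
    if status != 200:
        print(f"DNS update failed with HTTP {status}", file=sys.stderr)
        return 1
    # Give the provider's authoritative servers time to serve the new record
    # before the CA is told to validate.
    time.sleep(PROPAGATION_WAIT_SECONDS)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the four environment variables set; a non-zero exit makes the ACME client abort before it asks the CA to validate, which is what you want when the DNS update did not land. A matching cleanup step that removes the `_acme-challenge` record after issuance keeps old challenge values from piling up in the zone.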
I’ve got the latest certbot-auto. It shows:

certbot-auto --version

letsencrypt 0.9.3

However, when I run:
certbot-auto plugins

I get these 3 plugins, but no script plugin:

  • apache
    Description: Apache Web Server plugin - Beta
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache.configurator:ApacheConfigurator
  • webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
  • standalone
    Description: Spin up a temporary webserver
    Interfaces: IAuthenticator, IPlugin
    Entry point: standalone = certbot.plugins.standalone:Authenticator

How can I get certbot-auto to grab all the updates I see on github?
(and some examples of how to use the script plugin would be great!)
Thanks.

In another thread @pde just suggested waiting for 0.10.0 because the script plugin API could change.

Sorry for suggesting something cool that's not quite ready! But the 0.10.0 release should happen soon.

Will do!
I’m going to use certbot to set up NAT’d LAMP servers and then run 3rd party security suites against them.
(you can’t get anything worthwhile when you use a self-signed cert…)
Thanks!
