New cert for server on intranet


#1

I’d like to be able to create an SSL cert for a server that is not yet set up to be accessible externally. Our security policy requires me to have the system set up, scanned and audited as it would be deployed before it can be made accessible. I’m kind of in a chicken-and-egg scenario. I’m trying to work with our security team, but is there a way I can generate and install a LetsEncrypt certificate (maybe a provisional one) from an isolated LAN such that it can be audited without external access?

My domain is: tracker.corgi.sri.com

I ran this command: sudo letsencrypt certonly --webroot -w /var/www/html/ -d tracker.corgi.sri.com

It produced this output:

Failed authorization procedure. tracker.corgi.sri.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to tracker.corgi.sri.com

My operating system is (include version): Ubuntu 16.04.4

My web server is (include version): nginx 1.10.0 (Ubuntu)

My hosting provider, if applicable, is: VMWare VSphere

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Is the hostname of the system in question already accessible? I.e., can you add public records (TXT records) to the hostname?

In that case you might want to look at the DNS verification.


#3

Yes… the DNS is available… I don’t have access to TXT, but I can potentially request additions to be made.


#4

It will be hard for you to keep certificates current in this configuration. In order to issue a certificate, a CA needs to check that you really control the names that the certificate refers to. Let’s Encrypt offers a way to do this using DNS record changes, which works even for non-publicly-accessible servers (as long as they have names within publicly-resolvable domain names, which sri.com certainly is). However, you’ll probably have to get the new DNS record posted quickly during the certificate request process, and the process will have to be repeated every time the certificate expires (for Let’s Encrypt, every 90 days). If it’s a manual update, the other people involved might not appreciate having to do it so quickly and having to repeat the process 4 or more times per year.
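To make the DNS verification discussed above concrete, here is an added example (not Certbot's code, and not from anyone in this thread) that computes what the `_acme-challenge` TXT record must contain for a given hostname, and then performs the same check the CA performs against a set of published TXT records. It follows RFC 8555 section 8.4 (DNS-01) and RFC 7638 (JWK thumbprint) using only the Python standard library. The hostname is the one from the thread; the account key `SAMPLE_JWK` and the `token` are constructed placeholders, not real ACME values.

```python
from __future__ import annotations

import base64
import hashlib
import json

# Constructed sample ACME account public key in JWK form. The coordinates are
# placeholders rather than a real key; only the member structure matters for
# the thumbprint computation demonstrated here.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate",
    "y": "placeholder-y-coordinate",
}

# RFC 7638: only the required public members of each key type are hashed,
# serialized in lexicographic order with no whitespace. Optional members
# such as "kid" or "use" are deliberately excluded.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(hostname: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) the client must get published.

    The TXT value is base64url(SHA-256(key authorization)); the server
    itself never needs to be reachable, only the public DNS zone does.
    """
    name = f"_acme-challenge.{hostname.rstrip('.')}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def ca_would_accept(
    published_txt: dict[str, list[str]], hostname: str, token: str, jwk: dict
) -> bool:
    """Mimic the CA side: the expected value must appear in the TXT RRset.

    Extra (stale) TXT records at the same name are tolerated, which is why
    leaving old challenge values behind does not break renewals, though they
    should still be cleaned up to keep the RRset small.
    """
    name, expected = dns01_record(hostname, token, jwk)
    return expected in published_txt.get(name, [])


if __name__ == "__main__":
    # Constructed challenge token; a real one is issued by the CA per order.
    token = "constructed-token-not-issued-by-a-real-ca"
    name, value = dns01_record("tracker.corgi.sri.com", token, SAMPLE_JWK)
    print(f"Ask the DNS admins to publish:  {name}  IN TXT  \"{value}\"")
    # Simulated zone contents, as a resolver would return them.
    zone = {name: ["old-value-from-last-renewal", value]}
    print("CA check passes:", ca_would_accept(zone, "tracker.corgi.sri.com", token, SAMPLE_JWK))
```

Because the value depends on the per-order token, a new TXT record is needed for every issuance, which is exactly the operational burden the reply above warns about; automating the zone update (or delegating `_acme-challenge.tracker.corgi.sri.com` via CNAME to a zone the server team can update through an API) is what removes the manual step from each 90-day renewal.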

