No external access: on-premise servers hosted in our network

I do not have external access. I see that most of the agents need external access to Let's Encrypt for verification. Is there any way around this?

I ran this command: ./acme.sh --issue -d x.xxx.org

It produced this output: Can not init api
apachectl not found, Need root access

My web server is (include version): Apache

The operating system my web server runs on is (include version): RHEL

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No, it’s not possible. If you can’t talk to the CA, then you have no way to ask them for a certificate…

You will need to issue the certificate from a machine that has access to the internet.

You may then copy that certificate behind-the-firewall as you wish.

Thanks for the quick reply. In that case, what is the procedure for auto-renewal?

Thank you

Realistically your only option is to have a DMZ’d host that:

  • Communicates with Let’s Encrypt
  • Performs domain validation by automatically updating your domains’ TXT records at each renewal event
  • Delivers the issued certificate to the internal host over the network (using a script)

If any of that sounds undoable, a 2 year certificate from a commercial CA might be a better option.

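As an added example (not code from this thread, and not part of acme.sh itself), the DMZ-side half of that procedure can be one script that acme.sh runs after every issue or renewal. It first checks that what it is about to ship is really a private key and a certificate that belong together, then pushes both over a single SSH session to the internal host, which unpacks them and reloads Apache. The host names, paths, the DNS provider hook (`dns_cf`) and the deploy key are assumptions; the DMZ host only needs outbound HTTPS to Let's Encrypt and to the DNS provider's API.

```shell
#!/bin/sh
# deploy-internal-cert.sh -- added example, not code from this thread or from
# acme.sh. Runs on the DMZ host as the acme.sh reload command after every
# issue/renewal, so only the DMZ host ever talks to Let's Encrypt:
#
#   acme.sh --issue --dns dns_cf -d x.xxx.org        # DNS-01: no inbound port 80 needed
#   acme.sh --install-cert -d x.xxx.org \
#     --key-file       /etc/acme/live/key.pem \
#     --fullchain-file /etc/acme/live/fullchain.pem \
#     --reloadcmd      "/etc/acme/deploy-internal-cert.sh /etc/acme/live/key.pem /etc/acme/live/fullchain.pem"
#
# The host name, paths, DNS provider hook and SSH identity are assumptions.
set -eu

INTERNAL_HOST="${INTERNAL_HOST:-deploy@web-internal.example.org}"
SSH_IDENTITY="${SSH_IDENTITY:-/etc/acme/deploy_ed25519}"

# Fail closed: refuse to ship anything that is not a non-empty PEM of the expected kind.
check_pem() {  # check_pem FILE KIND   (KIND is "PRIVATE KEY" or "CERTIFICATE")
  [ -s "$1" ] || { echo "deploy: missing or empty file: $1" >&2; return 1; }
  grep -q -- "-----BEGIN .*$2-----" "$1" || { echo "deploy: $1 is not a $2 PEM" >&2; return 1; }
}

# A renewed chain shipped with a stale key takes the site down at reload time,
# so compare the public keys first. Only skipped (loudly) if openssl is absent.
cert_matches_key() {  # cert_matches_key KEY FULLCHAIN
  if ! command -v openssl >/dev/null 2>&1; then
    echo "deploy: openssl not found, key/certificate match not checked" >&2
    return 0
  fi
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# One SSH session, one tar stream, fixed file names. On the internal host the
# deploy key's authorized_keys line is pinned to a forced command, e.g.
#   command="/usr/local/sbin/install-cert",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAA...
# whose script untars into the httpd certificate directory, fixes modes and
# runs "apachectl graceful". A compromised DMZ host can then replace the
# certificate but cannot run anything else on the internal server.
transfer() {  # transfer STAGEDIR   (holds key.pem and fullchain.pem)
  tar -C "$1" -cf - key.pem fullchain.pem |
    ssh -i "$SSH_IDENTITY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$INTERNAL_HOST" install-cert
}

deploy_cert() {  # deploy_cert KEY FULLCHAIN -> 0 only if the files were checked and shipped
  check_pem "$1" "PRIVATE KEY" && check_pem "$2" "CERTIFICATE" && cert_matches_key "$1" "$2" || return 1
  stage=$(mktemp -d)
  (umask 077; cp "$1" "$stage/key.pem"; cp "$2" "$stage/fullchain.pem")
  if transfer "$stage"; then rc=0; else rc=$?; fi
  rm -rf "$stage"
  return "$rc"
}

# acme.sh hands us the two paths it just wrote (see --reloadcmd above).
if [ "$#" -eq 2 ]; then
  deploy_cert "$1" "$2"
fi
```

The forced command on the internal side is what keeps this safe: the only credential the DMZ host holds is one SSH key that can do exactly one thing, and the remote script chooses the destination paths itself rather than trusting anything in the tar stream. The `cert_matches_key` check exists because the classic failure of a copied-certificate setup is a reload with a chain that no longer matches the key.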

Or if the client that will accept the certificate is under your control too, you don’t necessarily need a publicly-trusted certificate and could use a self-signed certificate or a private certificate authority, and then configure the client to accept this certificate or CA. You’ll only need publicly-trusted certificates if software that you don’t control (for a public web site, the web browsers used by the general public!) needs to accept the certificates.
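An added example (not from this thread) of the private-CA route described above: create the CA, issue a certificate for the internal host with a proper subjectAltName, and verify the chain, all with openssl and with no network access at all. The CA name, host name, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# make-private-ca.sh -- added example, not code from this thread. Sets up a
# private CA and issues a server certificate for an internal host entirely
# offline. Clients you control then trust ca.crt; the CA key never leaves the
# issuing machine. Host names, key sizes and lifetimes below are assumptions.
set -eu

# make_ca DIR NAME -> DIR/ca.key (mode 0600) and DIR/ca.crt (world-readable)
make_ca() {
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
      -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null)
  chmod 644 "$1/ca.crt"
}

# issue_server_cert DIR HOST -> DIR/HOST.key and DIR/HOST.crt signed by DIR/ca.crt.
# The SAN is what browsers and libcurl actually match; CN alone is not enough.
# 397 days mirrors what public CAs issue today (assumption, not a requirement).
issue_server_cert() {
  cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
EOF
  cat > "$1/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  (umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null)
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
      -days 397 -sha256 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# verify_server_cert DIR HOST -> prints "DIR/HOST.crt: OK" when the chain is valid
verify_server_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

# Usage: ./make-private-ca.sh OUTDIR internal-host-name
if [ "$#" -eq 2 ]; then
  make_ca "$1" "Internal CA"
  issue_server_cert "$1" "$2"
  verify_server_cert "$1" "$2"
fi
```

On the client side, RHEL trusts the new CA after `cp ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust`; other clients (`curl --cacert`, Java truststores, application-level settings) each have their own knob. That per-client configuration is exactly the cost the reply above points at: it is only workable where you control every client that has to accept the certificate.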
