No external access for on-premises servers hosted in our network


#1

I do not have external access. I see that most of the agents need external access to Let's Encrypt for verification. Is there any way around this?

I ran this command: ./acme.sh --issue -d x.xxx.org

It produced this output: Can not init api
apachectl not found, Need root access

My web server is (include version): Apache

The operating system my web server runs on is (include version): RHEL

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

No, it’s not possible. If you can’t talk to the CA, then you have no way to ask them for a certificate…

You will need to issue the certificate from a machine that has access to the internet.

You may then copy that certificate behind-the-firewall as you wish.


#3

Thanks for the quick reply. In that case, what is the procedure for auto-renewal?

Thank you


#4

Realistically your only option is to have a DMZ’d host that:

  • Communicates with Let’s Encrypt
  • Performs domain validation by automatically updating your domains’ TXT records at each renewal event
  • Delivers the issued certificate to the internal host over the network (using a script)

If any of that sounds undoable, a 2 year certificate from a commercial CA might be a better option.
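The three steps above, as an added example (not code from this thread and not acme.sh's own code). It is a script for the DMZ host, the one machine that talks to Let's Encrypt: issuance uses the DNS-01 challenge so no inbound connection is ever needed, and the push step refuses to deliver a certificate that does not match its key or is about to expire. The names `dns_example` (a stand-in for whichever `dns_*` hook acme.sh has for your DNS provider), `web-internal` and `certdeploy` are assumptions, not anything the thread mentions; the offline fixture at the end is constructed so the checks can be exercised without any network.

```shell
#!/bin/sh
# Added example for the DMZ-host procedure; not from the thread or from
# acme.sh itself. Runs on the DMZ host. Assumed names (not in the thread):
#   dns_example    stand-in for your provider's acme.sh dns_* hook (each hook
#                  reads its API credentials from documented env variables)
#   web-internal   the internal Apache host, reachable from the DMZ over SSH
#   certdeploy     an unprivileged deploy account on web-internal
#
# Step 1 (DNS-01 issuance, needs network, so shown as a comment):
#   ./acme.sh --issue --dns dns_example -d x.xxx.org
#   ./acme.sh --install-cert -d x.xxx.org \
#       --fullchain-file /etc/acme/x.xxx.org/fullchain.pem \
#       --key-file       /etc/acme/x.xxx.org/privkey.pem \
#       --reloadcmd      "/usr/local/bin/push-cert.sh x.xxx.org"
# acme.sh's cron entry renews automatically and re-runs --reloadcmd on each
# renewal, so push_cert below is the "deliver over the network" step.

# Step 2: pre-push checks. Never ship a cert that does not match the key
# that will be installed beside it, or one that is already (nearly) expired.
cert_matches_key() {          # $1 = fullchain.pem (leaf first), $2 = privkey.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

cert_valid_for_days() {       # $1 = cert, $2 = days; returns 0 if still valid then
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Step 3: deliver. Files land in a staging directory on the internal host; a
# root-owned script there moves them into place and reloads Apache, so the
# deploy account needs no root shell and the DMZ host holds no internal root
# credentials (hypothetical paths).
push_cert() {                 # $1 = domain
    dir="/etc/acme/$1"
    cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" ||
        { echo "refusing to push $1: cert/key mismatch" >&2; return 1; }
    cert_valid_for_days "$dir/fullchain.pem" 7 ||
        { echo "refusing to push $1: cert expires within 7 days" >&2; return 1; }
    scp -q "$dir/fullchain.pem" "$dir/privkey.pem" \
        "certdeploy@web-internal:/var/lib/certdeploy/staging/" &&
    ssh certdeploy@web-internal "sudo -n /usr/local/sbin/install-cert.sh $1"
}

# Offline fixture: a throwaway self-signed pair in a temp dir, constructed
# here only so the checks above can be exercised without any network.
make_fixture() {              # $1 = days of validity; prints the directory
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=x.xxx.org" \
        -keyout "$d/privkey.pem" -out "$d/fullchain.pem" >/dev/null 2>&1
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture 30)
    cert_matches_key "$d/fullchain.pem" "$d/privkey.pem" && echo "key matches"
    cert_valid_for_days "$d/fullchain.pem" 7 && echo "valid for at least 7 days"
fi
```

Run it as `sh push-cert.sh demo` to see the checks pass on the fixture. The 7-day margin matters because Let's Encrypt certificates are renewed well before expiry; if the push ever sees a certificate inside that window, renewal on the DMZ host has been failing and the script should stop rather than overwrite a still-valid certificate on the internal host.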


#6

Or if the client that will accept the certificate is under your control too, you don’t necessarily need a publicly-trusted certificate and could use a self-signed certificate or a private certificate authority, and then configure the client to accept this certificate or CA. You’ll only need publicly-trusted certificates if software that you don’t control (for a public web site, the web browsers used by the general public!) needs to accept the certificates.

