Obtaining a cert for an appliance


I want to put a lets encrypt cert on an appliance. Specifically a BigIP VS that performs SSL offload for me.

Now, I COULD put a VS in place and LB all the traffic to an internal host and run certbot --standalone on there… But that means taking it offline, changing the config, changing it back etc.

Is there any way to get a cert from letsencrypt WITHOUT the chick & egg problem (i.e. I have an appliance. It has a self-signed cert on it, it’d work if it were a lets encrypt cert, but it won’t until I have one. And I can’t get one until it does work)


You could use the DNS verification method. Newer certbot releases support that, and some other clients like acme.sh and Dehydrated include support for various DNS provider APIs for a fully seamless issuance and renewal process.


You can run dehydrated, a lightweight Let’s Encrypt client, directly on a BigIP if you don’t want to set up a virtual server for certbot:

Let’s Encrypt does not care whether your certificate is valid or not for the purposes of domain validation. Your self-signed certificate can remain until you replace it with one from Let’s Encrypt.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.