Possible to get https certificate for a webserver behind firewall via vpn?


I intend to serve the group via https internally within the institution.

my web server (linux with root control) has a public ip bound to a full/proper hostname with the instituion’s external facing dns server(no control), hence the webserver is behind firewall and the ip (or full hostname url) is only accessible via ssh tunnle or the instition’s vpn from outside.

is it still possible (with the help of one time vpn connection maybe) to obtain a https certificate using let’encrpt. I am happy to do that manually for the start and for the renew.

if not possible, is there any other vendor/method that can be used to archive this?

Many thanks,


Yes, it is still possible. However, you would need to do so by using the DNS authentication method instead of HTTP. To authenticate with DNS, a specific TXT record must be placed on the domain. Do you have the ability to control DNS records for your domain’s zone?


Hi @barrytao

if you have SSH access, you have “Shell Access”. So check

With Shell Access


But as @jared.m says, the DNS method would be much easier, or perhaps the only option. In this case you probably need an API from the DNS provider.

(Edit: the tools on the page @JuergenAuer linked to are still the ones that you would use to issue the certificate, though.)


Thanks. which domain do i need to put the TXT record onto? e.g., http://hostname.example.com (internal access only or externally access via ssh tunnel or vpn), hostname is webserver with root ssh access, behind the domain example.com, do you mean I need to put a TXT onto hostname.example.com, which is oksay? but how could letsencrypt validate it from externally?


If you’re issuing a cert for hostname.example.com, the TXT record needs to be for _acme-challenge.hostname.example.com, and that DNS record needs to be visible from the public Internet. hostname.example.com itself doesn’t have to be visible, but the DNS TXT record does.


This sounds that you can’t create own DNS txt records.

Such entries


with a special value are required to use dns-01 - validation.

Do you have access to your nameserver?


thanks for the clarification which is very helpful. so this means that the domain controller (admin to the external dns serving name resolving for hostname.example.com) needs to be involved to add a challenge dns record for a further subdomain - xxxx.hostname.example.com

I also wonder if either two of the following alternatively methods is feasible?

  1. the firewall/router admin can temporally add in the outfacing router/firewall a exception rule (port forward that ip of hostname.example.com), for the duration of initial let’sencrypt certificate setup/validation (and renew). i.e., once the certificate is issued, this exception rule can be removed and it will not need to be validated externally until its expiry date.

  2. login a mechanism in let’sencrypt server/portal to hand over vpn account of example.com to trust letsencrpt to use it one time for the purpose of external domain validation (via the limited choices of http port 80 or 443, or 22) of the hostname.example.com in order to issue a certificate.
    Regards with merry xmas in advanced.


no, unfortunately. but may be able to ask


#1 If you can get the router/firewall admin who control the IP resolved from hostname.example.com to allow inbound port 80 access to a system you control, then this will definitely work.
All you need then is an ACME client that runs on your O/S.

#2 If I understand you correctly (I do have doubts). This will not be possible. At best, this would require a whole lot of programming/testing/validation for a situation that would most likely never be used again.

I don’t exactly understand what you mean by

It is a VPN account that has access to what exactly?
How would that VPN access validate control over a system that should be given a cert?