Scripting the renewal of certs without public access to the Internet


#1

Here is my situation:
I generated certs for three intranet servers. None of these servers allow access to port 80 or 443 from the public Internet. We needed certs so internal applications can talk to internal services securely (and not throw errors). I used the DNS TXT method to generate the initial certificate. But now I have a problem since auto renew doesn’t work. Below is the command I used to initially create the certs:

certbot-auto -d HOST.TLD -d SUB.HOST.TLD -d SUB2.HOST.TLD certonly --manual --preferred-challenges dns-01

Does anyone have suggestions on how to automate the renewal? At this point, the only option that I see is to write a script that manually runs the above command, scrapes the TXT record string, then updates my Route 53 records with the string, and then continues the verification process. I just wanted to see if there is a better way.

Note: Giving these boxes temporary public access on ports 80 & 443 won’t work (they are in a private subnet and the routing rules don’t allow public access), and changing the public DNS to point to a proxy instead of a private IP would break the way the system is currently working; re-engineering that is out of scope.

Thanks!


#2

Hi,

Since you mentioned the DNS servers are AWS Route 53… Certbot has a Route 53 plugin available (but it probably does not come with the certbot installation)… You would need to install certbot-dns-route53 and configure it so you could use DNS-01 with the Route 53 plugin without the need to write another script.

The following tutorial might be useful.

Thank you


#3

What OS are you using? How did you install Certbot? It may be very easy to install the Route 53 plugin, e.g. with “sudo apt install python3-certbot-dns-route53”.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#4

Here is the information requested. I don’t think I’m running into an error/bug so much, but just looking for a way to solve a problem that is inherent in the way I created my certificate.

Q: What OS are you using?
A: Ubuntu 14.04

Q: How did you install Certbot?
A: Manually (wget https://dl.eff.org/certbot-auto)

Note: 14.04 doesn’t have python3-certbot-dns-route53 in the repo. I installed it via pip, as the Medium article @stevenzhu recommended, however, certbot-auto doesn’t see it.

My domain is:
build2.vivintsolar.com

I ran this command to generate my cert:
certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d build2.vivintsolar.com certonly --manual --preferred-challenges dns-01

I ran this command to renew my cert:
sudo certbot-auto renew

It produced this output:


Processing /etc/letsencrypt/renewal/build2.vivintsolar.com.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (build2.vivintsolar.com) from /etc/letsencrypt/renewal/build2.vivintsolar.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/build2.vivintsolar.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/build2.vivintsolar.com/fullchain.pem (failure)


My web server is (include version):
nginx/1.4.6

The operating system my web server runs on is (include version):
Ubuntu 14.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A
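The renewal error above says the manual plugin needs a --manual-auth-hook to run non-interactively, which is exactly the "script that updates Route 53" described in the first post. Below is an added example of such a hook (not from this thread, certbot or AWS); it assumes the AWS CLI is installed, HOSTED_ZONE_ID is set in the environment, and the certificate is re-issued once with --manual-auth-hook and --manual-cleanup-hook pointing at this script so that later renewals are unattended. Certbot itself provides the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables to the hook.

```shell
#!/bin/sh
# Hypothetical certbot manual hook that publishes the dns-01 TXT record in Route 53.
# Usage (assumed, not from the thread):
#   --manual-auth-hook    "/usr/local/bin/r53-hook.sh UPSERT"
#   --manual-cleanup-hook "/usr/local/bin/r53-hook.sh DELETE"
# Assumes HOSTED_ZONE_ID is exported and the AWS credentials on the box are limited
# to route53:ChangeResourceRecordSets / GetChange on that single zone.
set -eu

# Build the Route 53 change batch for the _acme-challenge TXT record.
# $1 = UPSERT or DELETE, $2 = domain being validated, $3 = validation token.
# Route 53 requires the TXT value itself to be wrapped in double quotes.
build_change_batch() {
  action=$1; domain=$2; token=$3
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"_acme-challenge.%s.","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
    "$action" "$domain" "$token"
}

# Submit the change and wait until Route 53 reports it INSYNC, so the ACME
# server does not query the name before the record is served by every edge.
apply_change() {
  change_id=$(aws route53 change-resource-record-sets \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$1" \
    --query 'ChangeInfo.Id' --output text)
  aws route53 wait resource-record-sets-changed --id "$change_id"
}

# Only act when certbot invokes the hook (certbot sets CERTBOT_DOMAIN);
# loading the file without those variables just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  apply_change "$(build_change_batch "${1:-UPSERT}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")"
fi
```

With the hooks recorded in the renewal configuration, a plain `certbot-auto renew` from cron no longer hits the "authentication script must be provided" error, and the DELETE cleanup keeps stale challenge records out of the zone.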


#5

You won’t be able to automatically renew a cert that was issued using the --manual method.
And how do you expect it to automatically handle the --preferred-challenges dns-01?
[I’m assuming you had to create some TXT record(s) in your DNS zone.]

There are API plugins that can be used to automate the DNS record portion and they work with a lot of the DNS service providers.
But you will have to redo the issuance to include a completely automatable set of parameters before you can just “renew” it.


#6

I’d suggest installing Certbot using the PPA instead of trying to get certbot-auto to find a separately installed plugin.

https://launchpad.net/~certbot/+archive/ubuntu/certbot

That tutorial is Nginx-focused, but instead of “sudo apt-get install python-certbot-nginx” you can run “sudo apt-get install python3-certbot-dns-route53 python3-certbot-nginx”.