Here is my situation:
I generated certs for three intranet servers. None of these servers allow access to port 80 or 443 from the public Internet. We needed certs so internal applications can talk to internal services securely (and not throw errors). I used the DNS TXT method to generate the initial certificate. But now I have a problem, since auto-renew doesn't work. Below is the command I used to initially create the certs:
certbot-auto -d HOST.TLD -d SUB.HOST.TLD -d SUB2.HOST.TLD certonly --manual --preferred-challenges dns-01
Does anyone have suggestions on how to automate the renewal? At this point, the only option that I see is to write a script that manually runs the above command, scrapes the TXT record string, updates my Route 53 records with the string, and then continues the verification process. I just wanted to see if there is a better way.
Note: Giving these boxes temporary public access on ports 80 & 443 won't work (they are in a private subnet and the routing rules don't allow public access), and changing the public DNS to point to a proxy instead of a private IP would break the way the system is currently working; re-engineering that is out of scope.
Thanks!
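Added example, not part of the original post and not certbot's or AWS's own code: a hook script for certbot's `--manual-auth-hook` / `--manual-cleanup-hook` that does the Route 53 update the poster describes doing by hand. Certbot runs the auth hook once per domain with `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` in the environment, so there is no TXT string to scrape; the same script is run as the cleanup hook to delete the record afterwards. It assumes the AWS CLI is installed and its credentials are allowed `route53:ListHostedZonesByName`, `route53:ChangeResourceRecordSets` and `route53:GetChange` on the public zone for HOST.TLD; the script path `/usr/local/bin/route53-hook.sh` in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# route53-hook.sh: certbot manual auth/cleanup hook for Route 53 (added example).
# Usage (one-time issuance; `certbot-auto renew` reuses the hooks recorded in the renewal config):
#   certbot-auto certonly --manual --preferred-challenges dns-01 \
#     --manual-auth-hook    "/usr/local/bin/route53-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/route53-hook.sh cleanup" \
#     -d HOST.TLD -d SUB.HOST.TLD -d SUB2.HOST.TLD
# Assumes: AWS CLI on PATH with credentials that may list zones and change record sets.
set -eu

# Name of the record the CA will query for a domain: _acme-challenge.<domain>. (trailing dot).
acme_record_name() {
    printf '_acme-challenge.%s.' "$1"
}

# Candidate hosted-zone names for a domain, most specific first:
# SUB2.HOST.TLD -> SUB2.HOST.TLD, HOST.TLD, TLD. Stops when no labels remain.
zone_candidates() {
    local d=$1
    while [ -n "$d" ]; do
        printf '%s\n' "$d"
        case $d in
            *.*) d=${d#*.} ;;
            *)   d= ;;
        esac
    done
}

# Route 53 change batch for a single TXT record. Action is UPSERT or DELETE.
# The value is CERTBOT_VALIDATION, a base64url SHA-256 digest ([A-Za-z0-9_-]),
# so it is safe to splice into JSON with printf. Route 53 wants TXT values quoted.
route53_txt_change_batch() {
    local action=$1 name=$2 value=$3
    printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' \
        "$action" "$name" "$value"
}

# Walk up the domain until a PUBLIC hosted zone with that exact name exists.
# Private zones are skipped: Let's Encrypt resolves the challenge over the public Internet,
# and a split-horizon setup may carry a private zone of the same name.
find_hosted_zone_id() {
    local cand id
    for cand in $(zone_candidates "$1"); do
        id=$(aws route53 list-hosted-zones-by-name --dns-name "$cand." --max-items 1 \
             --query "HostedZones[?Name=='$cand.' && Config.PrivateZone==\`false\`].Id" \
             --output text)
        if [ -n "$id" ] && [ "$id" != None ]; then
            printf '%s\n' "${id#/hostedzone/}"
            return 0
        fi
    done
    echo "no public hosted zone found for $1" >&2
    return 1
}

# Apply one TXT change and block until Route 53 reports it INSYNC on all its
# authoritative servers; returning earlier lets certbot ask the CA to validate
# before the record is visible, which is the usual cause of flaky DNS-01 renewals.
apply_txt_change() {   # args: action, domain, validation string
    local zone name batch change_id
    zone=$(find_hosted_zone_id "$2")
    name=$(acme_record_name "$2")
    batch=$(route53_txt_change_batch "$1" "$name" "$3")
    change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
                --change-batch "$batch" --query ChangeInfo.Id --output text)
    aws route53 wait resource-record-sets-changed --id "$change_id"
}

# Entry point. With no argument the script only defines the functions above.
case "${1:-}" in
    auth)    apply_txt_change UPSERT "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
    cleanup) apply_txt_change DELETE "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
esac
```

The DELETE batch must match the existing record set exactly (same name, TTL and value); it does here because certbot hands the cleanup hook the same `CERTBOT_VALIDATION` it gave the auth hook. Certbot versions of the certbot-auto era also need `--manual-public-ip-logging-ok` on the first run so the manual plugin can run without prompting. The hosts themselves never need an open port: the only outbound traffic is from the machine running certbot to the AWS API and to the CA, so it can be a separate, locked-down box that distributes the renewed certs. Certbot also ships a native Route 53 DNS plugin (`certbot-dns-route53`, selected with `--dns-route53`) that performs the same zone lookup, UPSERT, wait and DELETE without a hook script, if installing that plugin is an option.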