Server/proxy for certbot hosts a LAN

The scenario is a network of hosts, all with their own needs for certificates. It might be that SMTP and IMAP servers are on their own hosts, separate from WWW server(s), separate from DNS server(s), etc. Not an obscure situation, to be sure. Any small (or bigger) office network at least, and perhaps even some number of "home" networks.

It seems silly for each one of those hosts that has its own need for certificates to run certbot and have to be able to manipulate an HTTP service, or expose one to the Internet, or be able to manipulate DNS records, etc.

It seems to make much more sense to have one single host in charge of requesting certificates, which alone has the ability to provide the secret that the LE server wants to be able to verify (either by HTTP, DNS, etc.,) to confirm that the requesting server has authorization for the name being requested.

This can be done through various hackish ways, such as having that single server use SSH or NFS, or SMB, etc. to distribute the certificates.

It would be much more streamlined if certbot could run on any/all of those hosts that wanted certificates, but be configured to ask its local network certbot server (or proxy, if you want to call it that) to do the handshake and request with the LE certificate service, and then pass the certificate data back when it has been supplied by the LE certificate service.

2 Likes
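The split the post above describes, as an added Go example that is not part of this thread, of certbot, or of any project mentioned here: the LAN host generates its own key and hands the proxy only a CSR, and before installing what comes back it checks that the certificate is bound to its own key, chains to a trusted root, names the host and is currently valid. The proxy's ACME exchange is stood in for by a constructed in-memory test CA (`SignCSRWithTestCA`); hostnames such as `imap.example.lan` are assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewClientKeyAndCSR runs on the LAN host: the private key never leaves the box, only the CSR does.
func NewClientKeyAndCSR(host string) (key *ecdsa.PrivateKey, csrDER []byte, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, err
	}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{host}}, key)
	return key, csrDER, err
}

// VerifyIssuedCert is what the LAN host checks before installing what the proxy handed back: the leaf carries
// this host's own public key (a mis-routed or swapped cert is refused), chains to a trusted root, names this host.
func VerifyIssuedCert(leafDER []byte, roots *x509.CertPool, key *ecdsa.PrivateKey, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("certificate public key does not match local private key")
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}) // also checks the validity window
	return err
}

// SignCSRWithTestCA is a constructed stand-in for the proxy's ACME round-trip so the example runs
// offline: an in-memory CA signs the CSR. A real proxy returns the Let's Encrypt chain instead.
func SignCSRWithTestCA(csrDER []byte, ttl time.Duration) (leafDER, caDER []byte, err error) {
	csr, _ := x509.ParseCertificateRequest(csrDER) // input comes from NewClientKeyAndCSR in this example
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ = x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: csr.DNSNames, // ttl < 0 yields an expired leaf
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	return leafDER, caDER, err
}
```

In production the `roots` pool would be `x509.SystemCertPool()` and the proxy would return the real issuer chain; the key-binding check is the one that a plain "fetch the cert with curl" client usually forgets.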

Yep, this is a great idea! I have been saying for a long time there should be some sort of ACME proxy service to address use cases like these.

It's not something Let's Encrypt or EFF is likely to write - it's likely to require a more detailed expertise in specific deployment scenarios than we have. But if you'd like to write one, or know someone who would, that'd be great.

2 Likes

If only I could retire and work on projects like this. :roll_eyes:

When the day comes, I will absolutely not be a bored retiree. Hacking until I die I suspect.

4 Likes

Yep, I feel that! Hacking til I die indeed.

3 Likes

I'm developing this for Certify The Web (as a new spin-off product, probably called Certify Server). It runs on Linux or Windows (and macOS), presents a web admin UI and provides an API for integrations. Latest certs can be acquired by authorised services using curl or any other HTTP request method, or they can be pushed by the server. The main requirement is that you use DNS validation (and there is a new Certify DNS service to help, which is a cloud-based service compatible with acme-dns). We may offer HTTP challenge proxying, but maybe not (depends on demand).

It's still some way off however, likely a few months before beta.

I think you may be able to find other tools that also provide this sort of service already to some extent:

4 Likes

Nice! Thanks for the pointers. Some of those do look like they fit the bill, although they are YAT (yet another tool). I was thinking more along the lines of certbot itself being made client/server/proxy so that no new tools need to be deployed/learned/managed/etc.

1 Like

That's exactly what my project, Peter SSLers, does. It runs a Let's Encrypt client and answers challenges, and exposes an API to allow other nodes in a network to create orders, set up challenges, and procure the certificate. It is aimed at complex cloud/colo-based systems though, not a home environment.

3 Likes
