Setting up ACME for my server

Hello everyone,

I am setting up my Linux server (AlmaLinux) to get certs from an internal ACME server. I tried all the available resources on the internet and ChatGPT, but nothing helped.
I tried using certbot, nginx and everything else that can be found on the internet.
Could anyone help me with the necessary steps for getting this done?

If you want to issue internal certificates for multiple machines then you could run your own internal CA using smallstep `step-ca` (with ACME enabled) or HashiCorp Vault.

If you just want a self-signed cert for a single machine then mkcert is useful: FiloSottile/mkcert on GitHub (a simple zero-config tool to make locally trusted development certificates with any names you'd like).

If you need publicly trusted certificates for internal machines without running an internal CA you can use certbot (or other ACME clients) with Let's Encrypt, but you need to use DNS validation with your own domain and public DNS (your services don't have to be public, you just have to be able to create a corresponding _acme-challenge.service.internal.yourdomain.com TXT record for the service host name you need).


Hey,

I already have an internal CA set up, and I can get the certs manually from the CA, but I want to automate the process and test ACME on my test machine to get a certificate from our internal CA. We do have the internal ACME server already working and issuing certs.
But I am not able to get the certs installed on my test machine using ACME.

The general process for using ACME is:

  • install a client; certbot is a popular one but there are many others
  • use your client to create an ACME account (which is really just a registration of an account key) against the CA. This process varies by ACME client, and first involves telling the client the directory URL of your ACME service; for example, certbot with step-ca: see the step-ca guide "Configure popular ACME clients to use a private CA with the ACME protocol"
  • once the client has created an account against the CA you can request certificates; again, how that's done varies by the ACME client you are using.

Which ACME CA software are you running?


Certbot

Sorry no, which ACME server software are you running for your CA? The software that Certbot will talk to.


Guess it's boulder

It's very unlikely: it doesn't have any capacity to manually sign any certificate without ACME validation. What program are you using to run the CA?


Sorry, but that is one of the issues: I don't have a lot of details about the existing ACME server.

Don't think about ACME, but about manual signing.


You only need the directory access point; the rest is described in RFC 8555.
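The general process above starts from one piece of information, the CA's directory URL, and the reply above notes that everything else follows RFC 8555. As an added example (not from any poster or from step-ca/certbot), this checks that a directory document actually looks like an ACME directory before a client is pointed at it, and builds the matching certbot invocation; the host `ca.internal.example`, the port and the path are assumed placeholders shaped like a step-ca ACME provisioner.

```python
import json
import ssl
import urllib.request

# RFC 8555 section 7.1.1: resources a directory must expose before a client can
# register an account (newAccount) and request a certificate (newOrder).
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder")


def check_acme_directory(body):
    """Validate an ACME directory document and return its resource URLs.

    Raises ValueError when the body is not a usable directory, which is what a
    client sees when pointed at the wrong path (the CA's web UI, a manual
    signing endpoint, or a CA with no ACME provisioner enabled).
    """
    try:
        directory = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"directory endpoint did not return JSON: {exc}") from exc
    if not isinstance(directory, dict):
        raise ValueError("directory document is not a JSON object")
    missing = [k for k in REQUIRED_RESOURCES if k not in directory]
    if missing:
        raise ValueError(f"directory lacks required resources: {missing}")
    result = {k: directory[k] for k in REQUIRED_RESOURCES}
    for name, url in result.items():
        if not url.startswith("https://"):
            raise ValueError(f"{name} must be an https URL, got {url!r}")
    # meta.externalAccountRequired (RFC 8555 section 7.3.4): newAccount is
    # rejected until the CA operator hands out EAB credentials.
    meta = directory.get("meta", {})
    result["eab_required"] = bool(meta.get("externalAccountRequired", False))
    return result


def fetch_acme_directory(directory_url, ca_bundle=None):
    """Fetch and validate a live directory; ca_bundle is the internal root CA PEM."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(directory_url, context=ctx, timeout=10) as resp:
        return check_acme_directory(resp.read().decode())


def certbot_command(directory_url, hostname):
    """certbot invocation for a private CA; --standalone answers the http-01
    challenge itself, so TCP/80 on this host must be reachable from the CA."""
    return ["certbot", "certonly", "--server", directory_url,
            "--standalone", "-d", hostname]


# Constructed sample shaped like a step-ca ACME provisioner directory; the host
# ca.internal.example is a placeholder, not a real server.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://ca.internal.example:9000/acme/acme/new-nonce",
    "newAccount": "https://ca.internal.example:9000/acme/acme/new-account",
    "newOrder": "https://ca.internal.example:9000/acme/acme/new-order",
    "revokeCert": "https://ca.internal.example:9000/acme/acme/revoke-cert",
})
```

Run `fetch_acme_directory` against the real directory URL with the internal root CA bundle; a ValueError there means the client is being pointed at something other than an ACME directory, which no certbot option will fix.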

dogtag

Ok, thanks, will check that as well.

maybe you can use this?


I'm honestly confused why you're asking this question here. This forum provides support for the Let's Encrypt CA, which you aren't using. It isn't a general support forum for server configuration.

If you don't manage the internal CA infrastructure (and if you didn't even know which software is being used for it, you clearly don't), you should ask whoever does manage it how to accomplish what you need to do. It's likely only a matter of pointing your ACME client to the correct API endpoint, but we have no way of knowing what that is, nor what if any other configuration options would be needed.


Thanks, this helped. The server had a port restriction and the HTTP challenge was not picking up the proper location; it's corrected now.

Yes, partially true, but the issue got resolved. Thanks for the reply anyway.

thanks
