I am trying to set up multiple machines with SSL certificates, and I want them to auto renew. This means, as far as I can tell, that they both need to have port 80 forwarded to them, which is not possible. How can I accomplish this?
If you want to use HTTP-01 challenges, yes, you’ll need to forward 80. Typically, this is accomplished by forwarding it to one, and having a reverse proxy set up on the web server of that machine to route requests for the other machine. For example, let’s say I have two servers behind a router - Red and Blue. Let’s say I want to put red.com on Red, and blue.com on Blue. I could forward port 80 on my router to Red, and configure its webserver to proxy requests for blue.com to Blue. Often, people will actually place a third server in front whose only job is to proxy all requests.
Alternatively, you could just have Red complete challenges for both domains, and then distribute the certificate and key (securely) to Blue.
Alternatively, the DNS-01 challenge type avoids any sort of connection directly to the servers, and might be a better option, depending on your setup.
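The reverse-proxy arrangement described in the reply above, sketched as an added example that is not part of the original thread. It assumes nginx is the web server on Red, that Blue listens on port 80 at the placeholder LAN address 192.168.1.20, and that /var/www/letsencrypt is a hypothetical webroot Red's ACME client writes its challenge files to.

```nginx
# Runs on Red, the machine the router forwards port 80 to.
# Assumed values (not from the thread): 192.168.1.20 and /var/www/letsencrypt.

# Drop requests whose Host header matches neither site, so Red does not
# proxy arbitrary hostnames to the internal network.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# red.com: Red answers its own HTTP-01 challenges from a local webroot.
server {
    listen 80;
    server_name red.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# blue.com: port-80 requests are passed to Blue, so the ACME client
# running on Blue sees the validation request and answers it itself.
server {
    listen 80;
    server_name blue.com;

    location / {
        proxy_pass http://192.168.1.20:80;
        # Preserve the original Host so Blue selects the right virtual host.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place each machine renews its own certificate, and Blue's private key never has to be copied from Red.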
Appreciate the quick response. Unfortunately, while I keep hearing that the DNS-01 challenge is the way to go, I cannot find any information on how to actually set this up for auto-renewal, although I can find plenty on how to set it up manually each time. Any links on how to set up DNS-01 for automatic renewal?
Try:
https://certbot.eff.org/docs/using.html#dns-plugins
And there are many other ACME clients that also have DNS plugins too.