SSL for internal server with local DNS


#1

I have a bit of a issue what I want to solve. We have an VM on our internal server where Ubuntu 14.04 is installed. We use that VM to run Gitlab for our projects and therefore we want to restrict access by making that server only internally accessable. Our VM can connect to the internet, but is not accessable for services like LetsEncrypt (or users that aren’t connected to our network).

That server has an internal IP and we can access Gitlab via local DNS which resolves git.domain.com to that IP. I wanna create a SSL for that subdomain, so we can access that via https. We own domain.com, but the records of that domain points to an external (other) webserver.

We could use the DNS-01 verification, but that would mean that we need to change the DNS record every 90 days to manually renew the certificate. The other validation methods require that our server is connected to the web. Can I create a DNS record for our server that points to a reachable server and somehow use that to validate our internal server? Or a better way to use https for our Gitlab?

My web server is (include version):
Gitlab uses nginx

The operating system my web server runs on is (include version):
Ubuntu 14.04 LTS 64-bit

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes


#2

All that matters is that the outside world can see the _acme-challenge.git.domain.com DNS TXT record.


#3

But that requires manual renewal right? I’m looking for a way that doesn’t require manual renewal if that’s possible…


#4

Not if your DNS host has a supported API to allow automated record updates. Or you use acme-dns to host the validation records locally.


#5

All setups with Let’s Encrypt require re-authorization (be it an HTTP file or a DNS record). You won’t find any way to dodge that.


#6

If you would prefer this to using DNS authentication you absolutely can, though it’s a bit more work to set up.

getssl is a Let’s Encrypt client designed for use cases like these:

You can use any client you want though.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.