Webroot authentication for non-publicly available host?


#1

I’m in a situation where certificates are being used on a machine that is not publicly available. Everything on this machine, including the Apache config and SSL cert, is deployed via RPM packages which are built on a different machine.

This presents a problem because in order to use letsencrypt and the webroot authenticator, I have to temporarily change the DNS entry to a publicly available machine and run letsencrypt there, then change it back, then copy the cert into the right place for deployment.

The fact that the IP address used for webroot authentication is not the one that is ultimately used during deployment makes it difficult to automate renewal, and in any case breaks DNS during that window.

It would be nice if you could tell the webroot authenticator “use this other DNS name for verification”. For example, to authenticate “www.example.com” letsencrypt would instead perform the webroot check on “_letsencrypt_verification.www.example.com”. I’m sure the security team will barf all over that idea though.

What do you recommend in my situation?

Thanks


#2

Use DNS authentication. Not supported by the official client (yet), but many of the 3rd party clients do support it.


#3

Certainly all the Bash alternative clients support the DNS challenge, and I believe the Go one’s also.


#4

The DNS verification, as suggested, is an obvious solution. However, since you’ve mentioned whether it is possible to use HTTP/webroot verification against effectively different machine, I could tell you that it should be indeed possible.

If you have a split DNS (resolving names differently for your internal network and for the outside world), no one would be stopping you from setting that not publicly available machine to be a CNAME to the webroot-to-be machine from the outside point of view. That would be one-time change non-breaking your DNS and with the ability to quickly re-point the “webroot” to another public machine if needed.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.