Re: Question about letsencrypt certs
On Wed, Jun 11, 2025 at 02:46:26PM +0000, Andy Smith wrote:
> On Wed, Jun 11, 2025 at 05:01:33PM +0800, Y Peng wrote:
> > after deploying this server to the production environment, it is
> > subject to strict network isolation and cannot access the internet.
> > Will the Let's Encrypt certificate remain valid for a long time if it
> > cannot access the internet?
I do this. I.e. I have web servers that are only used internally - be that just
on one machine or over a private VPN. I do this by playing games with DNS, by
using VIEWs. A view is a way of serving up different answers (i.e. different IP
addresses) depending on where the DNS query comes from.
So: internally the reply gives the VPN address, e.g.:
mint-vpn.phcomp.co.uk has address 10.200.201.8
Let's Encrypt cannot access the web server with that IP address.
The same query done outside gives a different answer:
mint-vpn.phcomp.co.uk has address 78.32.209.33
The web server listening on 78.32.209.33 is configured to reply to Let's
Encrypt and so get updated certificates. The updated certificates can then be
copied to wherever they are needed internally.
Yes it means exposing mint-vpn.phcomp.co.uk externally, but that web server
knows to reject requests from external hosts. In the Apache config after
allowing access to /.well-known/acme-challenge/:
# If the request is not from VPN or local machine, rewrite to an apology page.
# "-R" tests REMOTE_ADDR against a CIDR; "!" negates it, and all RewriteCond
# lines must hold, so the rule fires only when none of the ranges match.
RewriteCond expr "! -R '127.0.0.0/8'"
RewriteCond expr "! -R '::1'"
# Note: a /8 mask here matches the whole 10.0.0.0/8 range, not only the 10.200.201.x VPN subnet
RewriteCond expr "! -R '10.200.201.0/8'"
RewriteRule "^(.*)$" "/index-external.html" [L]
I use bind for DNS; VIEWs might be a bind-only feature, I do not know.
https://kb.isc.org/docs/aa-00851
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
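The post shows only the blocking rules and says they come "after allowing access to /.well-known/acme-challenge/". The following is an added example of a complete Apache virtual host putting the two parts together; it is not Alain's configuration. The ACME challenge path is exempted first with a no-substitution rule, so the HTTP-01 validation from Let's Encrypt succeeds from any source address, while every other request from outside loopback or the VPN subnet is rewritten to the apology page. The paths /var/www/mint-vpn and /var/www/acme, and the narrower 10.200.201.0/24 VPN subnet, are assumptions for illustration.

```apache
<VirtualHost *:80>
    ServerName mint-vpn.phcomp.co.uk
    # Assumed document root for the internal site
    DocumentRoot /var/www/mint-vpn

    # Assumed webroot where the ACME client writes HTTP-01 challenge files
    Alias "/.well-known/acme-challenge/" "/var/www/acme/.well-known/acme-challenge/"
    <Directory "/var/www/acme/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On

    # 1. Let the ACME challenge path through from anywhere.
    #    "-" means no substitution; [L] stops further rewriting for this request.
    RewriteRule "^/\.well-known/acme-challenge/" - [L]

    # 2. Everything else: only loopback and the VPN subnet get the real site.
    #    Each "-R" tests REMOTE_ADDR against a CIDR; all three negated
    #    conditions must hold, i.e. the client matches none of the ranges.
    RewriteCond expr "! -R '127.0.0.0/8'"
    RewriteCond expr "! -R '::1'"
    RewriteCond expr "! -R '10.200.201.0/24'"
    RewriteRule "^(.*)$" "/index-external.html" [L]
</VirtualHost>
```

Ordering is the point: the exemption rule must sit before the blocking rule, otherwise the `^(.*)$` match would rewrite the challenge request as well and the renewal would fail. Using /24 rather than /8 keeps the allow list to the VPN range actually shown in the post (10.200.201.x) instead of the whole 10.0.0.0/8 private block.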