---
title: "Infrastructure for ACME (LetsEncrypt) certificates in a private LAN"
date: 2024-04-10
draft: false
blog/tags:
  - sysadmin
---

Échirolles

LetsEncrypt --- the non-profit certification authority that certifies a vast portion of the web --- doesn't really need an introduction anymore. They provide free SSL certificates, and even better, they do so using their standardized automated protocol, ACME (RFC 8555).

When a client requests a certificate through ACME for a domain, it is handed a token --- a random string --- by the server. This token (the challenge) must be temporarily served by the client to prove that it indeed controls the domain. This automated validation uses either http-01 or dns-01 challenges. The former requires the client to serve the token over HTTP at a specific URL on that domain. The latter requires the client to publish a DNS TXT record under the domain bearing the token. The http-01 process is clearly easier to implement, and makes ACME straightforward in many cases.

Assume, however, that the machine trying to obtain a certificate is in a private LAN --- it has no public IP address, or should remain completely firewalled from the Internet, including the ACME server. In this case, the http-01 challenge cannot be used, and dns-01 must be used instead. Many articles online give instructions on how to make Certbot or other ACME clients update DNS records. However, I am really not comfortable with giving all of my application servers write access to my DNS zones.