Sometimes it is easier to have current, public-CA-signed TLS certificates for internal servers than to set up and maintain an internal CA and register it in all affected browsers (including those on mobile phones).
One of my reasons to investigate this is that Chrome refuses to save credentials on servers that have no verifiable TLS certificate; see my post Some links on Chrome not prompting to save passwords (when Firefox and Safari do) from about a week ago.
Below are some links for my link archive that hopefully will allow me to do this with Let’s Encrypt (mostly via [Wayback] letsencrypt for internal servers – Google Search):
- [Wayback] tls – Let’s Encrypt for intranet websites? – Information Security Stack Exchange: very interesting answers with quite different points of view. Great way to quickly get up to speed on this topic.
- [Wayback] Let’s Encrypt Server Certificate via DNS Challenge – DEV Community
- [Wayback/Archive.is] acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
- An ACME protocol client written purely in Shell (Unix shell) language.
- Full ACME protocol implementation.
- Support ACME v1 and ACME v2
- Support ACME v2 wildcard certs
- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
- Bash, dash and sh compatible.
- Purely written in Shell with no dependencies on python or the official Let’s Encrypt client.
- Just one script to issue, renew and install your certificates automatically.
- DOES NOT require root/sudoer access.
- Docker friendly
- IPv6 support
- Cron job notifications for renewal or error etc.
- [Wayback] Using Let’s Encrypt for internal servers – Philipp’s Tech Blog (in the meantime: to some 90-thousand!)
- [Wayback] Using Let’s Encrypt with internal web servers (without DNS challenge) | Andy Gock
TL;DR
- Use internet facing domain on an internal network, I normally use subdomains for this.
- Domain must have a DNS A record pointing to a public facing web server so Let’s Encrypt can find it for the [Wayback] HTTP-01 challenge. This can be served as an empty site or just as a 404 response.
- Remote VPS uses [Wayback] certbot to renew SSL certificates as normal.
- Use a script like [Wayback] renew-letsencrypt-certificates.sh to copy the SSL certs from the remote machine to our local private machine. Run this as a cron job.
- [Wayback/Archive.is] renew-letsencrypt-certificates.sh
# renew-letsencrypt-certificates.sh DOMAIN [EMAIL]
#
# Copy Let's Encrypt SSL certs from a remote public facing web server to local filesystem
# Look for changes, if any change, restarts the web service
# Useful for using Let's Encrypt with local internal servers, with custom DNS.
# Working "mail" command needed for email alerts
- [Wayback/Archive.is] Corollarium/localtls: DNS server for providing TLS to webservices on local addresses: insecure as everyone on the local LAN can download public and private keys
- [Wayback/Archive.is] Here’s another free CA as an alternative to Let’s Encrypt!
one of them being to manage certificates for all of my internal devices. My certificate management is nothing fancy, I just have a few bash scripts running via cron that obtain new certificates and deploy them locally on the server or SCP them to where they need to be on my network devices like my UniFi Dream Machine Pro or my UniFi Protect NVR. I’ve now added a random selection for which CA will be used so from now on, Let’s Encrypt won’t be my exclusive CA!
#!/bin/bash
set -e
SERVERS=("zerossl" "letsencrypt" "buypass" "sslcom")
/home/scott/acme.sh/acme.sh --issue --dns dns_cf -d homeassistant.scotthelme.co.uk --force --keylength ec-256 --server $(shuf -n1 -e "${SERVERS[@]}")
If you’re using Certificate Authority Authorisation then don’t forget to set the ssl.com value to let them issue certificates for your domain, but other than that, it’s easy!
Since I need this for ESXi:
- [Wayback/Archive.is] Let’s Encrypt SSL for ESXi
- [Wayback/Archive.is] Lets Encrypt and ESXi : homelab showing ESXi stores certificate information in /etc/vmware/ssl/rui.{key,crt} using the private key and fullchain respectively.
- [Wayback] ESXi certificate using Let’s Encrypt – Server – Let’s Encrypt Community Support: consensus is to obtain the certificate from outside ESXi, then transfer it using SSH/SCP.
- [Wayback] Wildcard certificate from Let’s Encrypt with CloudFlare DNS using the dns-01 challenge; this should also work with other DNS providers having a DNS API like GoDaddy or others from List of managed DNS providers – Wikipedia.
- [Archive.is] WayBack: LetsEncrypt Certificates for vCenter and PSC – Niner – AussieVoIP Wiki
- [Wayback] [ESX 6.7] Certificaat Web Client – Professional Networking & Servers – GoT on the 9r.com.au subdomains, of which the services seem to have vanished.
- [Wayback] Let’s Encrypt ESXi VPS – Comprofix: seems outdated
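The copy-and-restart workflow from Andy Gock's TL;DR and the SSH/SCP hand-off recommended for ESXi share one deployment step, so here is an added example of that step (my own sketch, not code from any of the linked posts): it fetches fullchain.pem and privkey.pem from the public-facing host, refuses a pair that is malformed, expiring or mismatched, installs only when something changed, and reloads the service only then. The remote host, paths and reload command are placeholder assumptions, and fetch_cert is a hypothetical helper you redefine for your setup.

```shell
#!/bin/sh
# Pull the Let's Encrypt files from the public-facing host, validate them,
# install them only when they changed, then reload the internal service.
# All defaults below are hypothetical; override them via the environment
# (for ESXi e.g. CERT_OUT=/etc/vmware/ssl/rui.crt KEY_OUT=/etc/vmware/ssl/rui.key).
REMOTE="${REMOTE:-user@public-vps.example.org}"
REMOTE_DIR="${REMOTE_DIR:-/etc/letsencrypt/live/internal.example.org}"
CERT_OUT="${CERT_OUT:-/etc/ssl/internal/fullchain.pem}"
KEY_OUT="${KEY_OUT:-/etc/ssl/internal/privkey.pem}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# fetch_cert NAME DEST: copy one file from the remote host (scp by default;
# redefine it to exercise the logic against a local directory).
fetch_cert() { scp -q "$REMOTE:$REMOTE_DIR/$1" "$2"; }

# validate_pair CERT KEY: both look like PEM and, when openssl is available,
# the cert is not expiring within a day and its public key matches KEY.
validate_pair() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$2" || return 1
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -checkend 86400 -noout -in "$1" >/dev/null || return 1
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# sync_certs: exit status 0 = new files installed, 3 = unchanged, 1 = rejected.
sync_certs() {
    staging=$(mktemp -d) || return 1
    fetch_cert fullchain.pem "$staging/cert" &&
    fetch_cert privkey.pem "$staging/key" &&
    validate_pair "$staging/cert" "$staging/key" ||
        { rm -rf "$staging"; return 1; }
    if cmp -s "$staging/cert" "$CERT_OUT" 2>/dev/null &&
       cmp -s "$staging/key" "$KEY_OUT" 2>/dev/null; then
        rm -rf "$staging"; return 3
    fi
    # Key stays 0600; mv renames instead of rewriting in place, so the service
    # never reads a half-written file (atomic when staging and target share a filesystem).
    mkdir -p "$(dirname "$CERT_OUT")" "$(dirname "$KEY_OUT")" &&
    chmod 600 "$staging/key" && chmod 644 "$staging/cert" &&
    mv "$staging/cert" "$CERT_OUT" && mv "$staging/key" "$KEY_OUT" ||
        { rm -rf "$staging"; return 1; }
    rmdir "$staging"
    $RELOAD_CMD
}
```

Run it from cron on the internal host as `sync_certs` after sourcing the file, or append a call to the end of the script; a non-zero status other than 3 is the signal to alert on.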
–jeroen