Home / server / Questions / 829443
Accepted
Calimo
Asked: 2017-01-31 06:38:23 +0800 CST

How can I get a Let's Encrypt certificate for a non-public facing server?

  • 772

I have a private Apache server, reachable only from my LAN on port 443, with a StartSSL certificate.

Since Firefox 51 was released, I cannot connect to it any longer as the StartSSL root certificate was removed from the trust store.

I considered migrating to Let's Encrypt, but that appears to require a public-facing HTTP server. Is it possible to use Let's Encrypt in my situation?

I would rather avoid paying for an SSL certificate, if at all possible.

ssl-certificate lets-encrypt

3 Answers

  1. Best Answer

    If you control DNS for the domain then you can use the dns-01 challenge method to prove ownership by creating a TXT-record.

    This can be done manually or automated. I think even the official certbot client now supports dns-01.

    A quick Google shows me a bunch of tutorials using various scripts and clients so I won't repeat all of them here. This one specifically automates intranet certificates.

    • 11

  2. The certbot client has capability to do a manual DNS challenge. The (currently second most popular) answer found in this question How to use Let's Encrypt DNS challenge validation? has all the details, and I just tested it as working.

    Basically, you run this command and follow the directions:

    certbot -d site.your.dom.ain --manual --preferred-challenges dns certonly
    • 6

  3. You mentioned that you are using Apache, however if you are not bound to it there is a very easy path possible using Caddyserver.

    There you only have to define a Caddyfile with the following content:

    example.com
tls {
    dns cloudflare
}

    Mention the DNS provider you are using in the config and configure the API keys you are via environment variables. Draw from the list of supported providers from the docs.

    That's all there is required. The output on the first start will be something like:

    Activating privacy features... 2019/10/21 13:36:48 [INFO][cache:0xc0001c8190] Started certificate maintenance routine
[INFO][cache:0xc000092730] Started certificate maintenance routine
2019/10/21 13:24:49 [INFO][example.com] Obtain certificate
2019/10/21 13:24:49 [INFO] [example.com] acme: Obtaining bundled SAN certificate
2019/10/21 13:24:50 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/876706285
2019/10/21 13:24:50 [INFO] [example.com] acme: Could not find solver for: tls-alpn-01
2019/10/21 13:24:50 [INFO] [example.com] acme: Could not find solver for: http-01
2019/10/21 13:24:50 [INFO] [example.com] acme: use dns-01 solver
2019/10/21 13:24:50 [INFO] [example.com] acme: Preparing to solve DNS-01
2019/10/21 13:24:50 [INFO] cloudflare: new record for example.com, ID XXX
2019/10/21 13:24:50 [INFO] [example.com] acme: Trying to solve DNS-01
2019/10/21 13:24:50 [INFO] [example.com] acme: Checking DNS record propagation using [127.0.0.11:53]
2019/10/21 13:24:50 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2019/10/21 13:24:50 [INFO] [example.com] acme: Waiting for DNS record propagation.
2019/10/21 13:24:52 [INFO] [example.com] acme: Waiting for DNS record propagation.
2019/10/21 13:24:55 [INFO] [example.com] The server validated our request
2019/10/21 13:24:55 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2019/10/21 13:24:55 [INFO] [example.com] acme: Validations succeeded; requesting certificates
2019/10/21 13:24:56 [INFO] [example.com] Server responded with a certificate.
done.

Serving HTTPS on port 443
https://example.com

2019/10/21 13:36:48 [INFO] Serving https://example.com

Serving HTTP on port 80
http://example.com

2019/10/21 13:36:48 [INFO] Serving http://example.com
    • 0