[talk] SSL certificates

Craig MacGregor cmacgreg at gmail.com
Tue Sep 12 14:27:18 EDT 2017


On Tue, Sep 12, 2017 at 11:39 AM, Pete Wright <pete at nomadlogic.org> wrote:
>
> One issue I've had with Let's Encrypt is trying to use it on private
> subdomains on AWS.  IIRC the system needs to have a public DNS entry as
> well as access from the internet to work - I might be mistaken though on
> this...


I've been cheating for a few months now in order to generate
internal/private Let's Encrypt certs. We have a tiny AWS instance, which we
use to keep URLs alive for some disused domains, and also point the
wildcard for our entire intranet subdomain there (on public DNS anyway). I
run an nginx config like this, which allows only the /.well-known directory
to be accessible, and other connections drop hard:

server {
  listen 80;

  server_name *.intranet.example.com;

  location / {
    # drop the connection hard (except for /.well-known below)
    return 444;
  }

  # public_html for .well-known (letsencrypt HTTP-01 challenge files)
  location /.well-known {
    alias /var/www/redirect/public_html/.well-known;
  }

}

We use certbot to handle new certs and renewals (but I think acme.sh should
work, too), and copy the cert dir to our puppet server, which deploys fresh
certificates to the appropriate hosts; renewals always work, because we
don't have to mess with public DNS at all. Of course, all of this only
works if you also run your own private DNS.

Let's Encrypt has some limits that can get annoying for this specific use
case; you can register effectively unlimited domains, but are limited to 20
subdomains per domain per week. To make it even more complicated, there is
no limit for renewals, but renewals also count against those 20 subdomains
per week, so if you happen to have a few hundred internal subdomains, you
will still run into these limits 90 days down the line, when the certs
renew (I just had this issue and was able to resolve via their rate
adjustment form and community forum; very responsive and helpful for a
free/donation-based service).
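The renewal pile-up described above (hundreds of internal names issued on the same day, all hitting the 20-per-week limit 90 days later) is easy to reason about with a small planner. The script below is an added example, not code from the post or from certbot: it batches renewals earliest-expiry-first under a weekly cap, reports which certificates would lapse, and shows that staggering the initial issuance into weekly waves avoids the problem. The 20/week figure is the one the post quotes; the 30-day renewal window (certbot's default) and the 90-day lifetime are assumptions, and all hostnames and dates are constructed.

```python
"""Plan Let's Encrypt renewals for many hostnames under one registered domain."""
from datetime import date, timedelta

# Assumed values: the weekly cap is the figure quoted in the post; the other two
# are certbot's default renew-before-expiry window and the certificate lifetime.
WEEKLY_LIMIT = 20          # certificates per registered domain per week
RENEW_WINDOW_DAYS = 30     # certbot renews once fewer than 30 days remain
CERT_LIFETIME_DAYS = 90    # Let's Encrypt certificate lifetime


def plan_renewals(expiries, start, weeks=26):
    """Earliest-deadline-first batching under the weekly cap.

    expiries: dict hostname -> expiry date
    start:    first day of the first planning week
    Returns (batches, missed): batches is a list of (week_start, [hostnames]);
    missed lists hosts whose certificate expires before a week with free
    capacity could renew it.
    """
    pending = dict(expiries)
    batches, missed = [], []
    for w in range(weeks):
        week_start = start + timedelta(days=7 * w)
        week_end = week_start + timedelta(days=6)
        # a cert that expired before this week began can no longer be renewed in time
        for host in [h for h, e in pending.items() if e < week_start]:
            missed.append(host)
            del pending[host]
        # eligible: the renewal window has opened by the end of this week
        eligible = sorted(
            (h for h, e in pending.items()
             if e - timedelta(days=RENEW_WINDOW_DAYS) <= week_end),
            key=lambda h: pending[h],
        )
        batch = eligible[:WEEKLY_LIMIT]
        if batch:
            batches.append((week_start, batch))
            for h in batch:
                del pending[h]
        if not pending:
            break
    return batches, missed


def issue_in_waves(hosts, first_issue):
    """Spread initial issuance over consecutive weeks, WEEKLY_LIMIT per wave,
    so that the 90-day renewals also land in separate weeks.  Returns host -> expiry."""
    expiries = {}
    for i, host in enumerate(hosts):
        wave = i // WEEKLY_LIMIT
        expiries[host] = first_issue + timedelta(days=7 * wave + CERT_LIFETIME_DAYS)
    return expiries


def example_plan(n_hosts, staggered=False):
    """Constructed scenario: n_hosts internal names under one registered domain,
    either all issued on the same day or issued in weekly waves."""
    hosts = [f"host{i:03d}.intranet.example.com" for i in range(n_hosts)]
    issued = date(2017, 9, 12)  # constructed: issuance on the day of the post
    if staggered:
        expiries = issue_in_waves(hosts, issued)
    else:
        expiries = {h: issued + timedelta(days=CERT_LIFETIME_DAYS) for h in hosts}
    # start planning the day the earliest renewal window opens
    start = min(expiries.values()) - timedelta(days=RENEW_WINDOW_DAYS)
    return plan_renewals(expiries, start)


def max_batch_size(batches):
    """Largest number of certificates scheduled in any single week."""
    return max((len(b) for _, b in batches), default=0)


if __name__ == "__main__":
    for n, staggered in ((45, False), (120, False), (120, True)):
        batches, missed = example_plan(n, staggered)
        print(f"{n} hosts, staggered={staggered}: {len(batches)} weekly batches, "
              f"max {max_batch_size(batches)}/week, {len(missed)} would lapse")
```

With 45 names issued on one day the planner fits everything into three weeks of the 30-day window; with 120 names issued on one day, the last 20 cannot be renewed before they expire, which is the situation the post ran into; issuing the same 120 names in weekly waves of 20 makes every later renewal cycle fit without a rate-limit adjustment.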

