<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div><blockquote type="cite" class=""><div class="">On Sep 12, 2017, at 4:35 PM, Pete Wright <<a href="mailto:pete@nomadlogic.org" class="">pete@nomadlogic.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252" class="">
<div text="#000000" bgcolor="#FFFFFF" class=""><p class=""><br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 09/12/2017 13:18, Dan Langille
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:39EE0167-D64B-4411-AD87-A83C9D77D9AD@langille.org" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252" class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Sep 12, 2017, at 1:10 PM, Mark Saad <<a href="mailto:mark.saad@ymail.com" class="" moz-do-not-send="true">mark.saad@ymail.com</a>> wrote:</div>
</blockquote>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div class="">
<div style="font-family:Helvetica Neue, Helvetica, Arial,
sans-serif;font-size:16px;" class="">
<div style="font-family:Helvetica Neue, Helvetica,
Arial, sans-serif;font-size:16px;" class="">One issue
I've had with Let's Encrypt is trying to use it on
private <br class="">
subdomains on AWS. IIRC the system needs to have a
public DNS entry as <br class="">
well as access from the internet to work - I might be
mistaken tho on <br class="">
this...<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div class=""><br class="">
</div>
I have LE certs for RFC 1918 addresses. The DNS server I use to
validate is a public DNS server, but where
<div class="">you use the cert is not relevant.<br class="">
<div class=""><br class="">
</div>
</div>
</blockquote>
<br class="">
Ah, I hadn't thought of that - basically having a bastion host
wrangle getting new certs, then you deploy them to the appropriate
backend after the CSR is fulfilled? Does the public server
announce the RFC 1918 address for a given host, or does it use a
dummy public IP?<br class=""></div></div></blockquote><br class=""></div><div>I use a DNS hidden master, a certs jail, a certs website, and two small scripts to copy the certs around. Keys go manually.</div><div><br class=""></div><div>This is an overview. More specific blog posts on each step also exist.</div><div><br class=""></div><div> <a href="https://dan.langille.org/2017/07/04/acme-sh-getting-free-ssl-certificates-installation-configuration-on-freebsd/" class="">https://dan.langille.org/2017/07/04/acme-sh-getting-free-ssl-certificates-installation-configuration-on-freebsd/</a></div><div><br class=""></div><div>I go with multiple jails, and three steps. Overkill for some situations, but you can reduce it all to one jail for LE.</div><div><br class=""></div><div>Pretty diagram here: <a href="https://dan.langille.org/2017/07/15/introducing-anvil-tools-for-distributing-ssl-certificates/" class="">https://dan.langille.org/2017/07/15/introducing-anvil-tools-for-distributing-ssl-certificates/</a></div><div><br class=""></div><div>anvil contains the scripts for cert distribution.</div><div><br class=""></div><div><div class=""><div>-- <br class="">Dan Langille - BSDCan / PGCon<br class=""><a href="mailto:dan@langille.org" class="">dan@langille.org</a><br class=""><br class=""></div></div></div><br class=""></body></html>
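The thread's point is that the DNS server doing the validation is public while the host carrying the cert sits on an RFC 1918 address. As an added example that is not part of the thread and not Dan's acme.sh or anvil code, the Python below computes what the ACME DNS-01 challenge actually checks: the TXT record at `_acme-challenge.<name>`, derived from the challenge token and the RFC 7638 thumbprint of the ACME account key (RFC 8555 section 8.4). The account key, token and host name `host.example.org` are constructed placeholders. It shows why the A-record question is moot: the CA only resolves the TXT record from the public internet and never connects to the host, so the host's address can be private or not published at all.

```python
# Added example (not from the thread): what an ACME DNS-01 validation ties a
# certificate request to. The CA looks up _acme-challenge.<name> in public DNS
# and never connects to the host, which is why a name that resolves only to an
# RFC 1918 address (or has no A record) can still get a Let's Encrypt cert.
# All key/token values below are constructed placeholders, not a real account.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account public key.

    Only the required public members are hashed, sorted lexicographically,
    with no whitespace; extra members such as "kid" or "alg" are ignored.
    That canonical form is what makes two encodings of one key agree.
    """
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in the TXT record for a DNS-01 challenge.

    keyAuthorization = token || '.' || thumbprint(accountKey)
    TXT value        = base64url(SHA-256(keyAuthorization))
    Binding the token to the account key is what stops a third party who
    can see the token from completing the challenge with their own account.
    """
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def dns01_record(name: str, token: str, account_jwk: dict, ttl: int = 60) -> str:
    """Zone-file line to publish on the authoritative (hidden-master) server.

    Only this record must be resolvable from the internet; the A/AAAA
    records for `name` are not consulted by the CA for DNS-01.
    """
    owner = f"_acme-challenge.{name.rstrip('.')}."
    return f'{owner} {ttl} IN TXT "{dns01_txt_value(token, account_jwk)}"'


# Constructed sample account key (public part only; not a real key).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# Constructed sample challenge token; the CA issues the real one per challenge.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # host.example.org may resolve to 10.0.0.5 or to nothing at all;
    # this TXT record is the only thing the CA needs to see.
    print(dns01_record("host.example.org", SAMPLE_TOKEN, SAMPLE_JWK))
```

In the setup the thread describes, the cert jail would push this one record to the hidden master, wait for the public secondaries to pick it up, then ask the CA to validate; the resulting cert is what the distribution scripts copy to the private backends, while the keys never leave the hosts they were generated on.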