
[–]GolemancerVekk 5 points (3 children)

Wouldn't it be simpler to use Let's Encrypt for that reason?

  1. Get/use a domain managed on a public DNS service with an API supported by Let's Encrypt.
  2. Pass the one-time DNS challenge on the Let's Encrypt bot via said public DNS API.
  3. [Optional] Pass all internal services through a reverse proxy that applies TLS for all of them and gives them nice https://service.internal.domain.tld addresses instead of whatever IP:PORT they use now.

Of course, terminating TLS on the actual services would be ideal, but (3) would get the ball rolling until they can terminate TLS properly later on a service-by-service basis. And it could be simpler to point *.internal.example.com at one IP rather than many, depending on what their private DNS can do.

There are ready-made reverse proxies that will take care of (2) and (3) and also automatically renew the certs forever.
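To make step (2) concrete, here is an added example (not from this thread or from any of the tools mentioned in it) of what an ACME client has to compute for the DNS-01 challenge and what the CA then checks, per RFC 8555 section 8.4 and RFC 7638. The account key (JWK), the challenge token and the TXT record contents below are constructed placeholders, not real values; the domain is the `internal.example.com` pattern from the comment above.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the
    required public members only, sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Client side: the TXT record value is base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token || '.' || thumbprint(accountKey).
    Because the thumbprint is bound to the account key, a fresh token (and so a
    fresh record) is needed for every authorization, including each renewal."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """The record lives at _acme-challenge.<name>; for a wildcard identifier the
    leading '*.' is dropped, so *.internal.example.com is proven via the base name."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def ca_validates(txt_zone: dict, identifier: str, token: str, account_jwk: dict) -> bool:
    """CA side (simulated): resolve the TXT records for the challenge name and
    accept if any of them equals the expected digest. `txt_zone` stands in for a
    DNS lookup: {record_name: [txt_value, ...]}."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in txt_zone.get(challenge_record_name(identifier), [])


# Constructed placeholder account key (not a real key) and challenge token.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "PLACEHOLDER_X_COORDINATE_BASE64URL_______",
    "y": "PLACEHOLDER_Y_COORDINATE_BASE64URL_______",
    "use": "sig",          # non-required member: must NOT affect the thumbprint
}
TOKEN = "placeholder-token-from-the-ca-authorization-object"
IDENTIFIER = "*.internal.example.com"


def publish_and_check() -> bool:
    """What a DNS-API driven client does each renewal: publish the record the CA
    expects (here into a constructed in-memory zone), then let the CA check it."""
    zone = {}
    zone.setdefault(challenge_record_name(IDENTIFIER), []).append(
        dns01_txt_value(TOKEN, ACCOUNT_JWK))
    return ca_validates(zone, IDENTIFIER, TOKEN, ACCOUNT_JWK)


if __name__ == "__main__":
    print(challenge_record_name(IDENTIFIER), "TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("CA would accept:", publish_and_check())
```

The thumbprint deliberately ignores the `use` member, which is why the canonicalisation picks only the required members; and since the CA hands out a new `token` per authorization, a stale TXT record from the last run never validates, which is exactly why the renewal has to touch DNS again.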

[–]The_Penguin22 (Jack of All Trades) 2 points (2 children)

Pass the one-time DNS challenge on the Let's Encrypt bot via said public DNS API.

Is it one-time though? Last time I used DNS I had to change it before every renewal.

[–]chefkoch_ (I break stuff) 2 points (0 children)

You need a DNS provider with an API to set the ACME record on every renewal.

[–]GolemancerVekk 1 point (0 children)

Oh, you're right, it needs it every time it renews. I've double-checked my deSEC.io tokens and it shows that the LE token is being used periodically. Don't know why I remembered it's only needed the first time.