• Question about letsencrypt certs

    From Y Peng@21:1/5 to All on Wed Jun 11 11:10:01 2025
    Hello,

    We have a Debian server that can connect to the internet in the test environment. We installed a free Let's Encrypt SSL certificate while
    connected to the internet. However, after deploying this server to the production environment, it is subject to strict network isolation and
    cannot access the internet. Will the Let's Encrypt certificate remain
    valid for a long time if it cannot access the internet?

    Thanks

    --
    https://ypeng.info/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From tomas@tuxteam.de@21:1/5 to Y Peng on Wed Jun 11 11:30:02 2025
    On Wed, Jun 11, 2025 at 05:01:33PM +0800, Y Peng wrote:
    > Hello,
    >
    > We have a Debian server that can connect to the internet in the test environment. We installed a free Let's Encrypt SSL certificate while connected to the internet. However, after deploying this server to the production environment, it is subject to strict network isolation and cannot access the internet. Will the Let's Encrypt certificate remain valid for a long time if it cannot access the internet?

    The validity time period of a certificate is baked in (i.e. it doesn't
    depend on whether the server is "isolated" or similar).

    In the case of LetsEncrypt, they are valid for 90 days [1]. They are
    designed to be refreshed regularly.

    That said, I don't quite understand what you are trying to do. Why
    does your "server" need a (publicly endorsed) certificate if it is not "connected" to the internet?

    My take is: either it needs the certificate, then it can be reached
    from the outside via https, then it is "connected" -- or it is not
    "connected", then it doesn't need a TLS certificate in the first place.

    So I must be missing something.

    Cheers
    --
    t


  • From Andy Smith@21:1/5 to Y Peng on Wed Jun 11 16:50:01 2025
    Hi,

    On Wed, Jun 11, 2025 at 05:01:33PM +0800, Y Peng wrote:
    > after deploying this server to the production environment, it is
    > subject to strict network isolation and cannot access the internet.
    > Will the Let's Encrypt certificate remain valid for a long time if it
    > cannot access the internet?

    Others have explained how Let's Encrypt certificates are valid for 90
    days regardless of where they are used.

    You are probably used to the most simple Let's Encrypt operation mode,
    which is called HTTP-01. In this mode your client software (e.g.
    certbot) makes a renewal request and then the Let's Encrypt servers
    do an HTTP connection back to the host listed in the certificate in
    order to check you have control over the name. This is obviously
    problematic when the hostname in the certificate is partly or wholly disconnected from the Internet.

    DNS-01 is a different challenge mode. Instead of connecting back by
    HTTP, Let's Encrypt will do a DNS query to look for some specific record
    that proves you own the name. This is more complicated to set up but
    much more flexible, since your client can run from anywhere and all you
    need to publish is a record in DNS. If everything checks out then your
    client ends up with the new certificate files, so then your final task
    is to get those files where they need to be.

    DNS-01 requires you to have the ability to modify your DNS, either by
    standard nsupdate protocol (for when you run your own DNS) or using many different APIs of different DNS providers. You can use certbot as a
    client but I prefer something simpler like acme.sh.

    DNS-01 really shines in situations where you have many servers, lots of
    certificates, certificates that need to be distributed to multiple
    servers, servers that can't have the HTTP-01 challenges come back to
    them, etc., and you already have some form of config management or
    continuous delivery system.

    See https://letsencrypt.org/docs/challenge-types/ for more info, but
    remember that there are many clients other than Let's Encrypt's own
    certbot.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From Alain D D Williams@21:1/5 to Andy Smith on Wed Jun 11 17:50:01 2025
    On Wed, Jun 11, 2025 at 02:46:26PM +0000, Andy Smith wrote:
    >
    > On Wed, Jun 11, 2025 at 05:01:33PM +0800, Y Peng wrote:
    > > after deploying this server to the production environment, it is
    > > subject to strict network isolation and cannot access the internet.
    > > Will the Let's Encrypt certificate remain valid for a long time if it cannot access the internet?

    I do this. I.e. I have web servers that are only used internally - be that just on one machine or over a private VPN. I do this by playing games with DNS, by using VIEWs. A view is a way of serving up different answers (i.e. different IP addresses) depending on where the DNS query comes from.

    So: internally the reply gives the VPN address, eg:

    mint-vpn.phcomp.co.uk has address 10.200.201.8

    Let's Encrypt cannot access the web server with that IP address.

    The same query done outside gives a different answer:

    mint-vpn.phcomp.co.uk has address 78.32.209.33

    The web server listening on 78.32.209.33 is configured to reply to Let's Encrypt and so get updated certificates. The updated certificates can then be copied to wherever they are needed internally.

    Yes it means exposing mint-vpn.phcomp.co.uk externally, but that web server knows to reject requests from external hosts. In the Apache config after allowing access to /.well-known/acme-challenge/:

    # If the request is not from the VPN or the local machine, rewrite to an apology page.
    # The ACME challenge path is left alone so that Let's Encrypt can still validate.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond expr "! -R '127.0.0.0/8'"
    RewriteCond expr "! -R '::1'"
    # VPN subnet as a /24 (10.200.201.0/8 would have matched all of 10.0.0.0/8)
    RewriteCond expr "! -R '10.200.201.0/24'"
    RewriteRule "^(.*)$" "/index-external.html" [L]


    I use bind for DNS; VIEWs might be a bind-only feature, I do not know.

    https://kb.isc.org/docs/aa-00851

    --
    Alain Williams
    Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
    +44 (0) 787 668 0256 https://www.phcomp.co.uk/
    Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html
    #include <std_disclaimer.h>
