Okay, so this is the #howto for dealing with this situation, this post is divided in 2 parts:
- Problem: This describe a situation where this approach could come handy.
- Solution: Implementation for solving the problem, I like to explain things in deep so when I came back and re-read myself I can just go straight an solve the problem.
As a way of clarifying things, the following naming conventions will be used:
- Your public IP for this example is 188.8.131.52
proxy.my.domain.comwill be used as the gateway/firewall/proxy server FQDN
internal3.my.domain.comwill be used as the internal servers FQDN
You have a public domain, but you cannot manage the DNS related stuff, instead you’re obliged to ask a third party for any change regarding your domain
You depend on a DNS provider which doesn’t provide an
DNS validation for acme-dns
You only have one public IP
This solutions has the following requirements
Also all this servers must have a common SSH key, you can find a way for accomplishing this here:
That being said, let’s begin:
As stated in the default documentation, you need to open port 80 on
proxy.my.domain.com(Assuming this host is associated to your public IP), to archive this go to [Network Services] -> [ httpd] -> [Edit] and allow the red interface.
It is also necessary to ask your DNS provider to create for you one A record for each of your internal servers FQDN pointing to your public IP. You can check this by doing a DNS lookup over Google DNS like this:
# dig +nocmd +noall +answer proxy.my.domain.com @184.108.40.206 proxy.my.domain.com. 3599 IN A 220.127.116.11 # dig +nocmd +noall +answer internal1.my.domain.com @18.104.22.168 internal1.my.domain.com. 3599 IN A 22.214.171.124 # dig +nocmd +noall +answer internal2.my.domain.com @126.96.36.199 internal2.my.domain.com. 3599 IN A 188.8.131.52 # dig +nocmd +noall +answer internal3.my.domain.com @184.108.40.206 internal3.my.domain.com. 3599 IN A 220.127.116.11
Make sure you can connect through SSH from
proxy.my.domain.comto each internal server as
root. This is needed since the script will need to copy files inside
/etc/letsencrypt/, modify some properties and also use the commands
signal-event certificate-update, all this on each internal server.
Install python3, python3 devel, and python3 virtualenv. This can be done in NS 7.5 with the following command
yum install python36.x86_64 python36-virtualenv python36-devel.x86_64. Please bear in mind that this package names may change.
Create a python virtual environment for the script by issuing
Create the script file with the following commands
mkdir -p /opt/letsencrypt-cert-upd/src/and
Add the following code to the file
Create and edit the following file with this command
nano /etc/e-smith/events/certificate-update/S80push_certs, put this inside
/opt/letsencrypt-cert-upd/env/bin/python3.6 /opt/letsencrypt-cert-upd/src/copy-upd-cert.py. You can use any other file editor such as
Add a the property
pkiobject, this property will contain a comma separated list of the servers that will get a copy of the certificate. In order to do this use the following command
config setprop pki TransferToServers 'interna1l.my.domain.com,internal2.my.domain.com,internal3.my.domain.com'
On the web UI go to [ Server certificate] -> [ Request a new Let’s Encrypt certificate] -> [ REQUEST LET’S ENCRYPT CERTIFICATE]
That’s it, you can check if everything went smoothly by going to
/etc/letsencrypt/ and checking if all servers has the *.pem certificate files. Also on the web UI of each server, in [ Server certificate] you can see the certificate being used as default.