Score:0

LetsEncrypt/Certbot Domain Verification with Redirect

Is it possible to 301 redirect from abc.com to a different domain xyz.com during cert creation/validation with certbot, and complete the domain verification via the xyz domain?
This question was already asked in the Let's Encrypt forum, and the answer was yes:

that's possible - and that's a good solution with centralized systems

In my case the domains are on different servers with different IPs!
And I really do not see how this should work. The Let's Encrypt manual says:

Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/.

So the ACME client on abc.com puts the token into abc.com/.well-known/... Then the Let's Encrypt validation bot is redirected to xyz.com. But the ACME client on xyz.com has no idea about this process and cannot put the correct token into xyz.com/.well-known/...

Is such a scenario possible? If yes, please tell me how. If no, how can the redirect feature be used anyway?

Score:1
(This should probably be a comment, but it's a bit long for the wee box.)

I don't know if it is possible. If it is possible today AND NOT DOCUMENTED then it might not be possible tomorrow. IMHO if this works, then it's potentially a defect.

When I previously had to solve the issue of provisioning with certbot across a cluster, I chose a different path.

Since you need to designate a specific node to run the initial provisioning and refreshes from (unless you happen to have some cluster cron in place) I chose to proxy that location on the designated machine on the other nodes.

An additional complication was that I was replicating the config from this master node. I was using nginx, but the approach can be applied with Apache httpd and probably other webservers.

I had 2 files in /etc/nginx/snippets describing how to handle /.well-known/. One was a proxy config, one was an origin config. These were replicated across all nodes. There was also a symbolic link at /etc/nginx/snippets/certbot.conf. This link pointed to a file outside the replication tree. That file was also a symbolic link pointing back to one of the two initial files. On the master node it pointed to the origin server, elsewhere to the proxy definition.

In my /etc/nginx/sites-enabled/*.conf files I simply included /etc/nginx/snippets/certbot.conf
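The following is an added example of the two-snippet layout the answer describes; it is not the answerer's actual configuration. File names, the webroot /var/www/acme, the internal address 10.0.0.10 of the node that runs certbot, and the abc.com server names are all assumptions. Each commented block is a separate file; only one of the two snippets is ever included on a given node, through the certbot.conf symlink.

```nginx
# /etc/nginx/snippets/acme-origin.conf
# Included (via the certbot.conf symlink) only on the node that runs certbot.
# certbot --webroot -w /var/www/acme -d abc.com writes the challenge token
# under /var/www/acme/.well-known/acme-challenge/ and this location serves it.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/acme;            # assumed webroot, must match certbot's -w
    default_type text/plain;       # challenge responses are plain text
    try_files $uri =404;           # never fall through to the application
}

# /etc/nginx/snippets/acme-proxy.conf
# Included (via the certbot.conf symlink) on every other node in the cluster.
# The validator may land on any node; forward only the challenge path to the
# certbot node so the token that node wrote is what gets served.
location ^~ /.well-known/acme-challenge/ {
    proxy_pass http://10.0.0.10:80;  # assumed internal address of the certbot node
    proxy_set_header Host $host;     # keep the requested name so the right vhost answers
    proxy_redirect off;
}

# /etc/nginx/sites-enabled/abc.com.conf
# Replicated unchanged to all nodes; the include resolves differently per node.
server {
    listen 80;
    server_name abc.com www.abc.com;

    # certbot.conf -> (file outside the replication tree) -> acme-origin.conf on
    # the certbot node, acme-proxy.conf everywhere else.
    include /etc/nginx/snippets/certbot.conf;

    # Everything else can be redirected to HTTPS; the ACME location above is
    # matched first because of the ^~ prefix modifier, so it is never redirected.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Two points worth keeping in mind when adapting this. First, scope the proxy to /.well-known/acme-challenge/ rather than all of /.well-known/, so that unrelated well-known resources on the other nodes are not silently served by the certbot node. Second, the same requirement applies to the redirect variant from the question: the validator follows the redirect, but the host that finally answers must serve the token certbot wrote, which is why the token has to live on, or be proxied to, the node running the ACME client.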

archygriswald
That's kinda what I expected to hear. Thank you for sharing your approach.