If you’re playing with Let’s Encrypt in an internal environment such as a lab, chances are you’re failing to generate your certs, since the Let’s Encrypt agent performs a domain validation process in which it spins up a Python web server and hosts an HTTP resource that the CA can fetch.
Here’s what I did in my lab environment, which was not publicly accessible, in order to obtain certs for valid domains I did have running on external servers.
You must be able to create a resource on the public web server that you plan to do this on.
Let’s grab the agent:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Let’s run it in standalone mode and provide your email + domain when prompted. You’ll also need to run this as root (sudo).
cd /opt/letsencrypt
sudo ./letsencrypt-auto certonly --standalone
It will likely fail saying it failed to validate the domain, I received something along the lines of:
Detail: Failed to connect to x.x.x.x for TLS-SNI-01
Instead we want to run the command with a manual switch:
./letsencrypt-auto certonly --manual
Using the manual switch you’ll be instructed to make a file resource available on your public web server; the CA then fetches that file, and a successful fetch proves you control the domain.
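As an added example (not from the original post), here is a small POSIX shell helper that stages the file the --manual prompt asks for and checks it is reachable before you tell the client to continue. It assumes the HTTP-01 challenge, where the file lives at /.well-known/acme-challenge/<token> under the web root and its body is the key authorization string the prompt prints; the web root, token and key authorization values are placeholders you replace with your own.

```shell
#!/bin/sh
# Stage the challenge file for the --manual prompt and confirm it is served
# before answering the prompt. HTTP-01 layout (assumed here): the CA fetches
# http://<domain>/.well-known/acme-challenge/<token> and expects the body to be
# the key authorization string the prompt prints. Web root, token and key
# authorization are placeholders; substitute the values from your own prompt.

# publish_challenge WEBROOT TOKEN KEYAUTH
# Writes the challenge file under WEBROOT and prints its path.
publish_challenge() {
  webroot=$1; token=$2; keyauth=$3
  # Tokens are base64url; refuse anything else so a pasted value cannot
  # escape the challenge directory (e.g. a token containing "../").
  case "$token" in
    ''|*[!A-Za-z0-9_-]*) echo "publish_challenge: bad token" >&2; return 1 ;;
  esac
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  # Body must be exactly the key authorization: no trailing newline.
  printf '%s' "$keyauth" > "$dir/$token" || return 1
  # World-readable so the web server can serve it; no execute bit needed.
  chmod 644 "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# verify_challenge BASE_URL TOKEN KEYAUTH
# Fetches the file the way the CA will (plain HTTP, redirects followed) and
# compares the body with the expected key authorization.
verify_challenge() {
  base=$1; token=$2; keyauth=$3
  body=$(curl -fsSL "$base/.well-known/acme-challenge/$token") || return 1
  [ "$body" = "$keyauth" ]
}

# Example session (commented out so this file can be sourced):
#   f=$(publish_challenge /var/www/html "$TOKEN" "$KEYAUTH")
#   verify_challenge "http://example.com" "$TOKEN" "$KEYAUTH" \
#     && echo "challenge is live; press Enter in the client"
```

Run the verify step from outside your lab network, or at least against the public address, since a check that only passes from inside tells you nothing about what the CA will see.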