Nextcloud Let's Encrypt script should not require opening ports to the internet, should auto renew with other method · Issue #2739 · nextcloud/vm · GitHub
Is your feature request related to a problem? Please describe.
I'm always frustrated when my certificate expires with Let's Encrypt, because it requires opening ports 80 and 443 to the internet. I do not want to open a private server to the internet for LE enrollment. The Let's Encrypt script does work with DNS TXT validation, but it is not automated.
Describe the solution you'd like
Support Let's Encrypt without opening a private server to the Internet for LE validation and cert enrollment and renewal. Stop exposing more private applications to the dangerous Internet. I manually have to update DNS TXT records every 90 days and run the script to update the cert.
Describe alternatives you've considered
Manual update of DNS TXT records, and manual update of the LE script
Additional context
Security should be a focus by reducing exposure to the internet
packet1 changed the title from "Nextcloud Let's Ecnrypt script should not require opening ports to the internet" to "Nextcloud Let's Encrypt script should not require opening ports to the internet, should auto renew with other method" on Apr 21, 2025
You could definitely utilize one of the letsencrypt methods that allows you to give access to DNS, as I have done that on a few of my HAProxy instances that cannot allow access directly in the typical fashion. However, this also requires giving access to the DNS provider (Cloudflare in my case) via API/perms, which would not really be something the script could do without prompting the user for input.
I assume the script is meant to be able to run with as little private information as possible being 'required', and as such that is likely why it utilizes the methods that require opening ports.
In your case, I would suggest configuring access to the DNS method as described above, and allowing it to automatically update via cron, without having to open the server itself to the internet. This would resolve your concerns.
I do not suspect that the script author is likely to do this, however, as like I said it would require the user inputting 'private information' during the setup process. I suppose it wouldn't be that big of a deal as it could just prompt the user, have them paste it, then write it to a config file and change the cron entry that updates certificates...
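The DNS-01 route the reply above describes, written out as an added example; this is not code from the issue or from the nextcloud/vm project's own Let's Encrypt script. It is a POSIX shell script that stores a Cloudflare API token for certbot's dns-cloudflare plugin with root-only permissions, issues the certificate using only outbound connections (no inbound port 80/443), and installs a daily cron renewal. Assumed: certbot and the python3-certbot-dns-cloudflare plugin are installed, the token is scoped to Zone:DNS:Edit on the single zone, Apache on Debian/Ubuntu, and the placeholder names cloud.example.com, admin@example.com and /root/.secrets/certbot/cloudflare.ini.

```shell
#!/bin/sh
# Added example, not part of nextcloud/vm: DNS-01 issuance and renewal with
# certbot's Cloudflare plugin. Assumptions: certbot + python3-certbot-dns-cloudflare
# installed, a Cloudflare API token scoped to Zone:DNS:Edit on this one zone,
# Apache on Debian/Ubuntu. Names below are placeholders.

CREDS=/root/.secrets/certbot/cloudflare.ini   # assumed path
DOMAIN=cloud.example.com                        # placeholder
EMAIL=admin@example.com                         # placeholder

# Write the plugin's credentials file. dns_cloudflare_api_token is the key
# the dns-cloudflare plugin reads. The umask runs in a subshell so it does not
# leak into the caller; chmod 600 makes the result explicit either way.
write_cloudflare_credentials() {
    file=$1; token=$2
    ( umask 077
      mkdir -p "$(dirname "$file")"
      printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file" )
    chmod 600 "$file"
}

# True only if the credentials file is mode 0600 exactly (root-only).
# The token grants write access to the zone's DNS, so treat it like a key.
creds_permissions_ok() {
    [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

# One-time issuance command. --preferred-challenges dns keeps certbot from
# ever attempting HTTP-01, so nothing needs to listen on 80/443 for the CA.
# Usage: certbot_issue_cmd DOMAIN CREDS_FILE EMAIL
certbot_issue_cmd() {
    printf 'certbot certonly --non-interactive --agree-tos -m %s --dns-cloudflare --dns-cloudflare-credentials %s --dns-cloudflare-propagation-seconds 60 --preferred-challenges dns -d %s --deploy-hook "systemctl reload apache2"' "$3" "$2" "$1"
}

# /etc/cron.d line. `certbot renew` only acts when a cert is within its renewal
# window (30 days before expiry by default), so a daily run stays correct when
# issued lifetimes shrink below 90 days. The plugin settings are remembered in
# the renewal config, so no flags beyond the hook are needed here.
renew_cron_line() {
    printf '17 3 * * * root certbot renew --quiet --deploy-hook "systemctl reload apache2"\n'
}

# Interactive setup, as the commenter suggests: prompt once, store, issue, cron.
if [ "$1" = "--install" ]; then
    printf 'Cloudflare API token (Zone:DNS:Edit, scoped to %s only): ' "$DOMAIN"
    stty -echo; read -r TOKEN; stty echo; printf '\n'
    write_cloudflare_credentials "$CREDS" "$TOKEN"
    creds_permissions_ok "$CREDS" || { echo "refusing: $CREDS not mode 600" >&2; exit 1; }
    sh -c "$(certbot_issue_cmd "$DOMAIN" "$CREDS" "$EMAIL")"
    renew_cron_line > /etc/cron.d/certbot-dns01
fi
```

Run it once as root with `--install`; afterwards only outbound HTTPS to the ACME endpoint and the Cloudflare API is needed, so the firewall can stay closed inbound. Two caveats: the stored token is as sensitive as control of the zone's DNS, so scope it to one zone and keep the file root-only (the script refuses to continue otherwise); and the deploy hook only reloads Apache, so the Nextcloud vhost must already reference the /etc/letsencrypt/live/ paths, which is an assumption about the existing installation.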
I use the DNS TXT method, but it requires manually executing the script every 90 days and manually updating the DNS TXT record at the registrar. It's a hassle. It will be more tedious when the CA/B Forum reduces cert lifetime to 47 days. Cert renewal needs to be fully automated.