On 4/23/2022 6:45 PM, Richard Hector wrote:
> _A_ web server has to be there. It doesn't have to serve anything else useful. My mail server has a web server that only serves the LE challenge. Well, actually it's a proxy server that serves several other domains too, but there's nothing else served on that domain (at the moment).
I didn't want to mess with creating a web infrastructure for the usual web-based validation that is common with LE. Getting that working for my services would be very messy. So I use DNS validation with LetsEncrypt, and I have wildcards in my cert. You can see the cert at this location:
https://http3test.elyograg.org/
Reload the page to see if your browser can do http/3 -- the initial connection will usually be http/2.
Certbot has plugins for many common DNS providers that let it automatically add the validation records to your DNS. I use a DNS provider which is not covered by the official plugins, but I found a third-party hook script on GitHub, so I have built scripts that accomplish completely automated certificate renewals with DNS validation. I run the renew script with cron every other day, and have it waiting until 5 days before expiration before it actually does the renewal. So I get a new cert about every 85 days, and it even installs the cert and restarts services on everything that needs it.
Thanks, Shawn
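The renewal flow Shawn describes (cron every other day, renew only inside the last 5 days, DNS-01 validation through provider hook scripts, then deploy and restart) can be sketched as a small wrapper around certbot. The script below is an added example, not Shawn's script and not part of the original thread. The domain, the three hook paths and the `RUN_RENEWAL` guard are placeholders and assumptions; the only real flags used are certbot's own (`certonly`, `--manual`, `--preferred-challenges dns`, `--manual-auth-hook`, `--manual-cleanup-hook`, `--deploy-hook`, `--force-renewal`), and reading the expiry date assumes GNU `date -d`.

```shell
#!/bin/sh
# Hypothetical Let's Encrypt renewal wrapper (added example, not from the thread).
# Cron runs it every other day; it only talks to the CA when the current
# certificate is within RENEW_DAYS of expiring, otherwise it exits quietly.
set -eu

DOMAIN="${DOMAIN:-example.org}"                                   # placeholder domain
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"                          # certbot's default layout
RENEW_DAYS="${RENEW_DAYS:-5}"                                     # renew only in the last 5 days
AUTH_HOOK="${AUTH_HOOK:-/usr/local/bin/dns-add-txt.sh}"           # hypothetical: adds _acme-challenge TXT
CLEANUP_HOOK="${CLEANUP_HOOK:-/usr/local/bin/dns-del-txt.sh}"     # hypothetical: removes it again
DEPLOY_HOOK="${DEPLOY_HOOK:-/usr/local/bin/deploy-cert.sh}"       # hypothetical: copies cert, restarts services

# Whole days left before notAfter ($1) measured from now ($2); both Unix epochs.
# Pure arithmetic so the decision is testable without a real certificate.
days_remaining() {
  echo $(( ($1 - $2) / 86400 ))
}

# True (exit 0) when the certificate expiring at epoch $1 should be renewed,
# i.e. when it has at most $3 days left as of epoch $2.
renewal_due() {
  [ "$(days_remaining "$1" "$2")" -le "$3" ]
}

# Read notAfter from a PEM certificate as a Unix epoch (assumes GNU date -d).
cert_not_after_epoch() {
  end="$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')"
  date -d "$end" +%s
}

main() {
  if [ -f "$LIVE_DIR/cert.pem" ]; then
    if ! renewal_due "$(cert_not_after_epoch "$LIVE_DIR/cert.pem")" "$(date +%s)" "$RENEW_DAYS"; then
      echo "$DOMAIN: more than $RENEW_DAYS days left, nothing to do"
      return 0
    fi
  fi
  # DNS-01 with manual hooks: certbot calls AUTH_HOOK with CERTBOT_DOMAIN and
  # CERTBOT_VALIDATION in the environment, waits, then calls CLEANUP_HOOK.
  # --force-renewal overrides certbot's own 30-day threshold since we decided above.
  # DEPLOY_HOOK runs only after a successful issuance, which is where the
  # "install and restart services" step belongs.
  certbot certonly --non-interactive --agree-tos \
    --manual --preferred-challenges dns \
    --manual-auth-hook "$AUTH_HOOK" \
    --manual-cleanup-hook "$CLEANUP_HOOK" \
    --deploy-hook "$DEPLOY_HOOK" \
    --force-renewal \
    -d "$DOMAIN" -d "*.$DOMAIN"
}

# Only run when invoked from cron/CLI with RUN_RENEWAL=1, so the functions
# can also be sourced and checked on their own.
if [ "${RUN_RENEWAL:-0}" = "1" ]; then
  main
fi
```

A crontab line such as `0 3 */2 * * RUN_RENEWAL=1 /usr/local/bin/le-renew.sh` gives the every-other-day schedule; with a 90-day certificate and a 5-day threshold the actual renewal lands at roughly 85 days, matching the cadence in the post. Keeping the deploy step in `--deploy-hook` rather than in the wrapper means services are only restarted when a new certificate really arrived, and a failed DNS hook leaves the old certificate untouched.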