From: Lonnie A. <li...@lo...> - 2018-06-15 12:57:35
Hi Michael,

Yes, ACME (Let's Encrypt) Certificates is the solution.

You need a DNS provider supported by acme-client (acme.sh) that is able to prove DNS record ownership.

There are two ways to go here:

1) Create an account with a supported DNS service using the service's domain, such as https://www.duckdns.org/ , this is no cost for up to 5 DNS records but they must be of the form <unique>.duckdns.org though a lot of the common ones have been taken. Your username and assigned token is used to validate ownership of your DNS record. Donate something and you will receive 10 DNS records. DuckDNS is only one such example.

2) Register your own domain (yearly cost) then create an account with a supported DNS service using your domain; Cloudflare's free account supports this. This is what I personally do. After you have a domain registered you need to set its nameservers to point to Cloudflare's as instructed.

> I currently have a domain that I use to access all my systems (ibcaccess.net). Can I use this?

For security reasons, I would use a separate domain and account for my ACME (Let's Encrypt) Certificates, that way if your DNS API credentials got loose your core DNS infrastructure on a different account won't get compromised.

> Would the customer need to access the Astlinux GUI using this domain?

Yes, if you generated an ACME (Let's Encrypt) Certificate for host pbx4.example.org the user's DNS must resolve pbx4.example.org to the service in question. Though if all the users are behind AstLinux you can define pbx4.example.org in { Configure DNS Hosts } -> "DNS Forwarder Hosts:" to the local server.

In general there does not need to be a public A record for pbx4.example.org if all the users are local.

To be clear, the example.org DNS (domain for pbx4) must be publicly available for acme-client (acme.sh) to issue a valid certificate.

Hope that helps.
Lonnie

> On Jun 15, 2018, at 1:23 AM, Michael Knill <mic...@ip...> wrote:
>
> Ok after reading the doco page and Let's Encrypt and ACME Protocol pages, I realise that I don't really know what I am doing 😊
>
> The Problem:
> I am now providing more regular access to the Astlinux Admin interface to customers and the certificate error is not a good look. You can store the Self Signed Certificate with Firefox but Chrome does not let you now.
>
> The Solution:
> ACME (Let's Encrypt) Certificates with DNS.
> Problem is that I don't know what I need and how to do it.
> I currently have a domain that I use to access all my systems (ibcaccess.net). Can I use this?
> Would the customer need to access the Astlinux GUI using this domain? Would I need to use a subdomain for the internal address?
>
> I'm just confused sorry. I am obviously too much of a noob regarding this stuff.
>
> Regards
> Michael Knill