
Nextcloud Let's Encrypt script should not require opening ports to the internet, should auto renew with other method

Open packet1 opened this issue 8 months ago • 4 comments

Is your feature request related to a problem? Please describe.
I'm always frustrated when my certificate expires with Let's Encrypt, because it requires opening ports 80 and 443 to the internet. I do not want to open a private server to the internet for LE enrollment. The Let's Encrypt script does work with DNS TXT validation, but it is not automated.

Describe the solution you'd like
Support Let's Encrypt without opening a private server to the Internet for LE validation and cert enrollment and renewal. Stop exposing more private applications to the dangerous Internet. I manually have to update DNS TXT records every 90 days and run the script to update the cert.

Describe alternatives you've considered
Manual update of DNS TXT records, and manual update of the LE script.

Additional context
Security should be a focus by reducing exposure to the internet.

packet1, Apr 21 '25 14:04

You could definitely utilize one of the Let's Encrypt methods that allows you to give access to DNS, as I have done that on a few of my HAProxy instances that cannot allow access directly in the typical fashion. However, this also requires giving access to the DNS provider (Cloudflare in my case) via API/perms, which would not really be something the script could do without prompting the user for input.

I assume the script is meant to be able to run with as little private information as possible being 'required', and as such that is likely why it utilizes the methods that require opening ports.

In your case, I would suggest configuring access to the DNS method as described above, and allowing it to automatically update via cron, without having to open the server itself to the internet. This would resolve your concerns.

I do not suspect that the script author is likely to do this, however, as, like I said, it would require the user inputting 'private information' during the setup process. I suppose it wouldn't be that big of a deal as it could just prompt the user, have them paste it, then write it to a config file and change the cron entry that updates certificates...

hmm... maybe.

I might be able to write a pull request for this.

crowetic, May 06 '25 22:05

I use the DNS TXT method, but it requires manually executing the script every 90 days and manually updating the DNS TXT record in the registrar. It's a hassle. It will be more tedious when the CA/B forum reduces cert lifetime to 47 days. Cert renewal needs to be fully automated.

packet1, May 07 '25 14:05

You can utilize the API method... depending on your DNS provider it's pretty simple. I use Cloudflare most of the time for my DNS, and there's a plugin for Let's Encrypt that allows you to authenticate with their DNS and have it handle the entries for you automatically, that way you can automate the cert renewal.

But... this does require that the instance have OUTBOUND internet connectivity, in order to reach the API...

crowetic, Jul 17 '25 23:07

Hi, late to the party.

We have the fully automated deSEC option. It handles TLS renewals automatically via DNS; no ports need to be open.

enoch85, Oct 26 '25 19:10