On Thu Oct 13, 2022 at 17:12 +0200, Kevin Kofler via devel wrote: > > And using Let's Encrypt for private mirrors is sufficiently painful that I > > wouldn't recommend it. > > Set up a subdomain like vpn.example.com, point it to the public IP, then > configure the VPN's internal DNS to resolve vpn.example.com to the VPN- > internal address instead, the /etc/hosts on the VPN server itself to resolve > it to 127.0.0.1, and the mirror server on port 443 (whereas port 80 is > reserved for certbot's builtin temporary (and world-readable) webserver with > the http-01 challenge) to accept connections only from the VPN and from > localhost and to use the Let's Encrypt certificate. Been there, done that > (not for a repository mirror though, my employer is small enough for that > not to be worthwhile). I assume that this approach should also work for a > physical LAN in lieu of the VPN.
Let's Encrypt also supports the dns-01 challenge[1] that doesn't require any publicly available IPs. Using dns verification is required to obtain a Let's Encrypt wildcard certificate. [1]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge -- Maxwell G (@gotmax23) Pronouns: He/Him/His
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
