Re: Let's Encrypt (LE) and port 80

On 17 Jun 2020, at 07:05, Tom Browder <tom.browder@xxxxxxxxx> wrote:
> 
> Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any way to allow port 80 access but only from an LE server?

In addition to the other replies, you can use the DNS-01 method for establishing and rewriting a cert. That doesn't involve your Webserver at all (the methodology for doing this depends on your named server so is out of spec for this group).

<https://letsencrypt.org/docs/challenge-types/>

Most of the automation scripts for LE pretty much walk you through setting this up.

One other reason you might want to consider doing this is that DNS-01 allows for a wildcard certificate for the domain so instead of listing www.example.com and smtp.example.com and 47 others, you can just list *.example.com example.com and have a set for all possibilities.

In addition, DNS-01 gives you a lot more flexibility in what servers handle the renewals, allowing you to easily have a non-web server run the renewal tasks and get the certs, then distribute them to your web, mail, and other servers. This makes your certificate chain more secure because your public-facing machine (www) is not the one that is configured to do renewal. Which means that getting into your authentication chain is much, much harder.

Not making a suggestion, as this is harder to set up, but it is something to think about.

HTH



-- 
Train Station: where the train stops. Work Station: …
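As an added illustration of the DNS-01 challenge the reply above points to (example code, not part of the original post or of any LE client): this computes the `_acme-challenge` TXT record value from a challenge token and the ACME account key thumbprint, following RFC 8555 sections 8.1 and 8.4, and mimics the CA-side check against a constructed set of DNS answers. The token, thumbprint and DNS records are constructed sample values; the wildcard handling (validating `*.example.com` at the base name) is why one record can cover both the bare domain and the wildcard mentioned above.

```python
import base64
import hashlib

# Constructed sample values (not real LE data): an ACME challenge token and the
# base64url JWK thumbprint of the account key doing the renewal.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def key_authorization(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || thumbprint."""
    return f"{token}.{account_thumbprint}"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value is base64url(SHA-256(keyAuthorization)), unpadded."""
    digest = hashlib.sha256(
        key_authorization(token, account_thumbprint).encode("ascii")
    ).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record_name(identifier: str) -> str:
    """Name the CA queries. A wildcard '*.example.com' is validated at
    '_acme-challenge.example.com', the same name as the bare domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def validate(identifier: str, token: str, account_thumbprint: str,
             txt_records: dict) -> bool:
    """CA-side check: some TXT record at the challenge name must equal the
    expected value exactly. txt_records maps an FQDN to its list of TXT strings."""
    expected = dns01_txt_value(token, account_thumbprint)
    answers = txt_records.get(challenge_record_name(identifier), [])
    return any(rr == expected for rr in answers)


def demo() -> bool:
    # Constructed DNS zone state after the renewal host publishes the record.
    zone = {
        "_acme-challenge.example.com.": [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)],
    }
    # Both the bare name and the wildcard validate against the one record.
    return (validate("example.com", SAMPLE_TOKEN, SAMPLE_THUMBPRINT, zone)
            and validate("*.example.com", SAMPLE_TOKEN, SAMPLE_THUMBPRINT, zone))


if __name__ == "__main__":
    print("record:", challenge_record_name("*.example.com"))
    print("value: ", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_THUMBPRINT))
    print("both identifiers validate:", demo())
```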



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx