Managing Let's Encrypt Certificates in Restrictive Network Environments #39212
-
I have a question about Let's Encrypt certificates. I've configured a public IP on my Teleport, and currently it's set up and running smoothly. Now, I want to restrict access to port 443 only to known IPs, blocking all other accesses from the internet. However, I'm not sure how Let's Encrypt is functioning at the moment. I know their certificate lasts for a few weeks and then renews automatically. My question is, if I implement this block on port 443, will Let's Encrypt continue to function by automatically updating the certificate? Can I manually control Let's Encrypt to force certificate renewal when I bring down the firewall, or are there specific IPs from Let's Encrypt that I can add as trusted in the list?
Replies: 2 comments 1 reply
-
Let's Encrypt does not publish their IPs AFAIK. I would consider leveraging the DNS challenge renewal path. The certs there can last 3 months. You would need to set the certs within the proxy service.
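The DNS-01 path suggested above, written out as an added example (not code from the thread or from the Teleport project): a small renewal script that asks certbot for the certificate via the DNS challenge, so nothing has to reach port 443 from the internet, and the `proxy_service` stanza that points Teleport at the resulting files. The hostname `teleport.example.com`, the DigitalOcean credentials path, the contact address and the `systemctl reload teleport` deploy hook are assumptions for illustration; substitute your own DNS plugin if you are not on DigitalOcean.

```shell
#!/bin/sh
# Added example: Let's Encrypt DNS-01 renewal for a Teleport proxy whose
# inbound port 443 is firewalled to known IPs. DNS-01 only needs outbound
# HTTPS to the ACME API and to the DNS provider's API, so the firewall can
# stay closed while certbot renews.
set -eu

DOMAIN="${DOMAIN:-teleport.example.com}"                    # assumed hostname
CREDS="${CREDS:-/root/.secrets/certbot/digitalocean.ini}"  # assumed DO API token file

# Emit the proxy_service stanza that tells Teleport to serve the certbot
# files instead of managing ACME itself (no `acme:` block in teleport.yaml).
teleport_keypair_config() {
  domain="$1"
  cat <<EOF
proxy_service:
  enabled: yes
  public_addr: ${domain}:443
  https_keypairs:
    - key_file: /etc/letsencrypt/live/${domain}/privkey.pem
      cert_file: /etc/letsencrypt/live/${domain}/fullchain.pem
EOF
}

# Issue or renew via the certbot DigitalOcean DNS plugin. The wildcard SAN
# covers Teleport's per-application subdomains and is only obtainable with
# DNS-01. The deploy hook (assumed: the packaged unit maps reload to SIGHUP)
# makes Teleport pick up the new files after a successful renewal.
request_cert() {
  certbot certonly --non-interactive --agree-tos -m "admin@${DOMAIN}" \
    --dns-digitalocean --dns-digitalocean-credentials "$CREDS" \
    --dns-digitalocean-propagation-seconds 60 \
    -d "$DOMAIN" -d "*.${DOMAIN}" \
    --deploy-hook "systemctl reload teleport"
}

# Days until the certificate in $1 expires (needs openssl and GNU date).
days_until_expiry() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  expiry=$(date -d "$not_after" +%s)
  now=$(date +%s)
  echo $(( (expiry - now) / 86400 ))
}

# Renewal policy: Let's Encrypt issues 90-day certificates and recommends
# renewing once 30 days or fewer remain, which is also certbot's default.
needs_renewal() {
  [ "$1" -le 30 ]
}

# Typical cron entry: run this daily; certbot itself is a no-op when the
# certificate is not yet due.
#   0 3 * * * /usr/local/sbin/teleport-le-renew.sh renew
if [ "${1:-}" = "renew" ]; then
  if needs_renewal "$(days_until_expiry "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem")"; then
    request_cert
  fi
fi
```

Run it once interactively to obtain the first certificate, write the emitted stanza into `/etc/teleport.yaml`, restart Teleport, and let cron handle renewals from then on. Check the live certificate from an allowed IP with `openssl s_client -connect teleport.example.com:443 -servername teleport.example.com </dev/null | openssl x509 -noout -dates` once the first renewal has run.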
-
I managed to set it up using DNS. I followed the Digital Ocean tutorial to guide me on what to do, then I just followed what was in the Teleport documentation.
Now, I'll wait for the expiration date to see if it worked.