I really don't like the idea of opening (an unsecured) port 80 on a server.
In order to receive a certificate from Let's Encrypt, you must demonstrate control over the host for which you're seeking the certificate. There are three ways you can do that:
- Serve a small file from http://$HOSTNAME/.well-known/acme-challenge
- Serve a TLS certificate from https://$HOSTNAME
- Add a DNS TXT record relating to $HOSTNAME
Dehydrated, the client described on the wiki page, supports the first and third methods, but the contrib doesn't support DNS authentication for two reasons: (1) for most SME installations, the first method is much simpler to implement, and (2) everybody's DNS is different. But if you refuse to open ports 80 or 443 to your SME box, and you can't obtain the cert directly on your firewall (which you could if you were running pfSense, for example), DNS validation is your only remaining option.
Here's some information on using the DNS challenge with dehydrated:
https://github.com/lukas2511/dehydrated/blob/master/docs/dns-verification.md
https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks

Edit: The OPNsense homepage (https://opnsense.org/) indicates that it's able to obtain Let's Encrypt certs, so you might want to investigate the possibility of obtaining the cert on your firewall and deploying it from there to your SME box. The deployment could be scripted pretty easily on either the firewall side or the SME side. In short, it would need to copy the cert, the private key, and the intermediate CA cert to your SME server, set the SSL properties correctly (which would only need to be done once, and thus could be done manually), and then signal the ssl-update event.
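As an added example (not code from the post above, the SME contrib, or the dehydrated project), here is one way the two pieces described in that reply can be put into a single dehydrated hook script: answering the DNS-01 challenge through RFC 2136 dynamic updates with `nsupdate` and a TSIG key, then copying the key, cert and intermediate chain to the SME box and signalling `ssl-update`. Everything it assumes is constructed: the DNS server name, the TSIG key path, the SSH target, the destination directory, and the `modSSL` property names (`key`, `crt`, `CertificateChainFile`), which you should check against the SME wiki for your release. Your own DNS provider will need a different `deploy_challenge`/`clean_challenge`, which is exactly why the contrib leaves this to you.

```shell
#!/bin/sh
# Hypothetical dehydrated hook (example only, not part of the SME contrib):
# answers the DNS-01 challenge with RFC 2136 dynamic updates (nsupdate + TSIG),
# then pushes the issued cert to an SME Server over SSH and signals ssl-update.
# Point dehydrated at it with HOOK=/etc/dehydrated/hook.sh and CHALLENGETYPE=dns-01.
set -eu

# Constructed settings; override them from the environment.
DNS_SERVER="${DNS_SERVER:-ns1.example.com}"                          # authoritative server accepting updates
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/dehydrated/Kacme-update.private}" # key limited to _acme-challenge.* TXT
SME_HOST="${SME_HOST:-root@sme.example.com}"
SME_CERT_DIR="${SME_CERT_DIR:-/etc/ssl/letsencrypt}"

# Name of the TXT record the ACME server looks up for a DNS-01 challenge.
acme_txt_name() { printf '_acme-challenge.%s\n' "$1"; }

# Emit an nsupdate batch that adds or deletes the challenge record for a domain.
# usage: nsupdate_script add|delete DOMAIN TOKEN_VALUE
nsupdate_script() {
  action="$1"; name="$(acme_txt_name "$2")"; token="$3"
  printf 'server %s\n' "$DNS_SERVER"
  if [ "$action" = add ]; then
    printf 'update add %s 60 IN TXT "%s"\n' "$name" "$token"
  else
    printf 'update delete %s IN TXT "%s"\n' "$name" "$token"
  fi
  printf 'send\n'
}

# Poll the authoritative server until it serves the token (up to ~2.5 minutes),
# so dehydrated does not ask Let's Encrypt to validate before the record exists.
wait_for_txt() {
  name="$1"; token="$2"; i=0
  while [ "$i" -lt 30 ]; do
    if dig +short TXT "$name" "@$DNS_SERVER" | grep -qF -- "$token"; then
      return 0
    fi
    i=$((i + 1)); sleep 5
  done
  echo "TXT record $name not visible on $DNS_SERVER" >&2
  return 1
}

# dehydrated calls: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
  nsupdate_script add "$1" "$3" | nsupdate -k "$TSIG_KEYFILE"
  wait_for_txt "$(acme_txt_name "$1")" "$3"
}

# dehydrated calls: clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
  nsupdate_script delete "$1" "$3" | nsupdate -k "$TSIG_KEYFILE"
}

# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Copies key, cert and intermediate chain to the SME box, points the (assumed)
# modSSL properties at them, and signals ssl-update so the services reload.
deploy_cert() {
  domain="$1"; keyfile="$2"; certfile="$3"; chainfile="$5"
  ssh "$SME_HOST" "mkdir -p '$SME_CERT_DIR' && chmod 700 '$SME_CERT_DIR'"
  scp "$keyfile"   "$SME_HOST:$SME_CERT_DIR/$domain.key"
  scp "$certfile"  "$SME_HOST:$SME_CERT_DIR/$domain.crt"
  scp "$chainfile" "$SME_HOST:$SME_CERT_DIR/$domain.chain.pem"
  ssh "$SME_HOST" "chmod 600 '$SME_CERT_DIR/$domain.key' \
    && config setprop modSSL key '$SME_CERT_DIR/$domain.key' \
    && config setprop modSSL crt '$SME_CERT_DIR/$domain.crt' \
    && config setprop modSSL CertificateChainFile '$SME_CERT_DIR/$domain.chain.pem' \
    && signal-event ssl-update"
}

# Dispatch on the hook stage dehydrated passes as $1; other stages are ignored.
case "${1:-}" in
  deploy_challenge) deploy_challenge "$2" "$3" "$4" ;;
  clean_challenge)  clean_challenge "$2" "$3" "$4" ;;
  deploy_cert)      deploy_cert "$2" "$3" "$4" "$5" "$6" "$7" ;;
  *) ;;
esac
```

The private key only ever travels over SSH, the TSIG key should be restricted on the name server to updating `_acme-challenge` TXT records, and the `setprop` lines are idempotent, so it does no harm to run them on every renewal rather than once by hand.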