LetsEncryptProxy

LetsEncryptProxy is a small IIS web application for forwarding LetsEncrypt validations to clients inside your LAN.

Feel free to modify it. It's not a big thing, so do whatever you want with it.

https://github.com/sebastiankpunkt/letsencryptproxy

How it works:

LetsEncrypt can normally only be used on a web server that is reachable from the Internet on port 80. The ACME client creates a file on the web server containing a given key; the LetsEncrypt servers then fetch this file and compare its content for validation. Only if the token file is available and the key is correct is the certificate issued to the client. If you want to use valid LetsEncrypt certificates inside your own LAN, you need a workaround, and this small web application is one of them. The LetsEncryptProxy accepts all well-formed LetsEncrypt requests, checks the host name against a white list, itself requests the token file from the internal client, and delivers the key to the requesting LetsEncrypt server.

Normal LetsEncrypt validation:

Web server <-------> LetsEncrypt

LetsEncrypt validation over LetsEncryptProxy:

Client <-------> LetsEncryptProxy <-------> LetsEncrypt

What it needs:

  • IIS, accessible from the Internet on HTTP port 80, with the URL Rewrite module installed
  • Domain with a wildcard record (*.yourdomain) pointing to your IIS IP, or A records for the subdomains
  • DNS server for your LAN that resolves your public domain inside your LAN (*.yourdomain)
  • LetsEncrypt client software as usual, with outgoing Internet access, together with a web server on each client

I'm using it with several Windows clients and a Synology NAS, but it should work with every client based on ACME challenge response.

The LetsEncryptProxy directory contains the Visual Studio 2015 project files. The main parts of the application are located in the files response.aspx.cs and web.config.

Installation:

  1. Save the content of the directory on your web server.

  2. Create the web application:

     If the server already hosts a web site on the domain(s): create a new application directory under your default web site in IIS with the alias name ".well-known" and select the LetsEncrypt directory as its path.

     OR

     If the server does not host a web site on the domain(s): create a new web site in IIS and select the LetsEncrypt directory as its path.

  3. The application pool of the web application needs the correct permissions on the LetsEncryptProxy directory: read/execute access to the main directory and its sub folders, and read and write access to the "Logs" directory.

  4. Open the URL http://yourdomain/.well-known in your browser. The text "LetsEncryptProxy is running" should appear.

  5. Enter A records for all your internal LAN PCs into your own LAN DNS server (hostname.yourdomain pointing to the client PC's IP).

  6. Enter all host names of your LAN hosts in the web.config file as the value of DnsHostWhiteList. Separate multiple entries with a semicolon (;). To allow all host names, use * (not recommended).

  7. Logging is enabled by default. After testing you should consider disabling it, or changing the logging path, for security reasons.

Done. The LetsEncryptProxy should work now.
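To make the white-list and token checks described under "How it works" and in the DnsHostWhiteList installation step concrete, here is an added Python model of the proxy's decision logic. It is not the project's response.aspx.cs (the real proxy is an ASP.NET page); the function names, the example.internal host names, the token and the thumbprint are all constructed for illustration. What it shows is the order of checks a forwarding proxy needs: refuse anything that is not a challenge path, reject tokens that are not base64url (so the forwarded path cannot be steered anywhere else on the client), and consult the white list before any connection into the LAN is opened.

```python
"""Whitelist and token checks of an ACME HTTP-01 forwarding proxy (illustrative model)."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Path prefix every HTTP-01 challenge request uses (RFC 8555 section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Tokens are base64url without padding; rejecting anything else also rejects
# "..", "/" and other characters that could turn the forwarded path into a traversal.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")
# Plain DNS host name: labels of letters, digits and hyphens; ports are stripped beforehand.
HOST_RE = re.compile(r"(?=.{1,253}$)[a-z0-9-]+(?:\.[a-z0-9-]+)*")


def parse_whitelist(value: str) -> FrozenSet[str]:
    """Parse a semicolon-separated host list in the style of the DnsHostWhiteList setting.

    Entries are trimmed and lowercased; empty entries are ignored. A single "*"
    entry allows every syntactically valid host name (the README advises against it).
    """
    return frozenset(h.strip().lower() for h in value.split(";") if h.strip())


def allowed_host(host_header: str, whitelist: FrozenSet[str]) -> Optional[str]:
    """Return the normalised host name if the proxy may forward to it, else None."""
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    if not HOST_RE.fullmatch(host):
        return None
    if "*" in whitelist or host in whitelist:
        return host
    return None


@dataclass
class Response:
    status: int
    body: str


# A fetcher takes (host, path) and returns the token file's text, or None on failure.
Fetcher = Callable[[str, str], Optional[str]]


def handle_request(host_header: str, path: str, whitelist: FrozenSet[str],
                   fetch: Fetcher) -> Response:
    """Decide how the proxy answers one inbound request from the ACME server.

    Anything that is not a well-formed challenge request for a whitelisted host is
    refused before any connection into the LAN is opened.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return Response(404, "not found")
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return Response(400, "malformed token")
    host = allowed_host(host_header, whitelist)
    if host is None:
        return Response(403, "host not in white list")
    body = fetch(host, CHALLENGE_PREFIX + token)
    if body is None:
        return Response(502, "internal client did not deliver the token file")
    return Response(200, body)


def http_fetch(host: str, path: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch the token file from the LAN client over plain HTTP (real network I/O)."""
    try:
        with urllib.request.urlopen(f"http://{host}{path}", timeout=timeout) as resp:
            if resp.status != 200:
                return None
            # Key authorizations are short; never relay an arbitrarily large body.
            return resp.read(4096).decode("ascii").strip()
    except (urllib.error.URLError, UnicodeDecodeError, OSError, ValueError):
        return None


# Constructed sample data for an offline run: one LAN client that "serves" a token file.
SAMPLE_WHITELIST = parse_whitelist("nas.example.internal; pc1.example.internal;")
SAMPLE_TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
SAMPLE_KEY_AUTHZ = SAMPLE_TOKEN + ".9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
SAMPLE_FILES = {("nas.example.internal", CHALLENGE_PREFIX + SAMPLE_TOKEN): SAMPLE_KEY_AUTHZ}


def sample_fetch(host: str, path: str) -> Optional[str]:
    """Stand-in for http_fetch that answers from the constructed SAMPLE_FILES table."""
    return SAMPLE_FILES.get((host, path))


if __name__ == "__main__":
    for hdr, p in [("nas.example.internal", CHALLENGE_PREFIX + SAMPLE_TOKEN),
                   ("printer.example.internal", CHALLENGE_PREFIX + SAMPLE_TOKEN),
                   ("nas.example.internal", CHALLENGE_PREFIX + "../../web.config")]:
        r = handle_request(hdr, p, SAMPLE_WHITELIST, sample_fetch)
        print(hdr, p, "->", r.status, r.body)
```

With `*` in the white list the proxy will fetch from whatever host name the Internet sends in the Host header, which is why the README does not recommend it; with explicit entries, a request for an unlisted name is refused with 403 and nothing inside the LAN is contacted. The 502 case is what you will see while a client's ACME software has not yet written the token file or its web server is down.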

If you have problems, questions, remarks, feel free to contact me at letsencryptproxy@macmac.de