Nextcloud Let's Encrypt script should not require opening ports to the internet, should auto renew with other method

[packet1]

Is your feature request related to a problem? Please describe.
I'm always frustrated when my certificate expires with Let's Encrypt, because it requires opening ports 80 and 443 to the internet. I do not want to open a private server to the internet for LE enrollment. Let's Encrypt script does work with DNS TXT validation, but it is not automated.

Describe the solution you'd like
Support Let's Encrypt without opening a private server to the Internet for LE validation and cert enrollment and renewal. Stop exposing more private applications to the dangerous Internet. I manually have to update DNS txt records every 90 days and run the script to update the cert.

Describe alternatives you've considered
Manual update of DNS text records, and manual update of the the LE script

Additional context
Security should be a focus by reducing exposure to the internet

[crowetic]

You could definitely utilize one of the letsencrypt methods that allows you to give access to DNS, as I have done that on a few of my HAproxy instances that cannot allow access directly in the typical fashion. However, this also requires giving access to the DNS provider (Cloudflare in my case) via API/perms, which would not really be something the script could do without prompting the user for input.

I assume the script is meant to be able to run with as little private information as possible being 'required', and as such that is likely why it utilizes the methods that require opening ports.

in your case, I would suggest configuring access to the DNS method as described above, and allowing it to automatically update via cron, without having to open the server itself to the internet. This would resolve your concerns.

I do not suspect that the script author is likely to do this, however, as like I said it would require the user inputting 'private information' during the setup process. I suppose it wouldn't be that big of a deal as it could just prompt the user, have them paste it, then write it to a config file and change the cron entry that updates certificates...

hmm... maybe.

I might be able to write a pull request for this.

[packet1]

I use the DNS TXT method, but it requires manually executing the script every 90 days and manually updating the DNS TXT record in the registrar. It's a hassle. It will be more tedious when the CA/B forum reduces cert lifetime to 47 days. Cert renewal needs to be fully automated.

[crowetic]

You can utilize the API method... depending on your DNS provider it's pretty simple. I use cloudflare most of the time for my DNS, and there's a plugin for letsencrypt that allows you to authenticate with their DNS and have it handle the entries for you automatically, that way you can automate the cert renewal.

But... this does require that the instance have OUTBOUND internet connectivity, in order to reach the API...