Manage SSL certificates automatically - ACME

With the new CA from Harica, it is possible to generate certificates automatically using the ACME protocol. Since our domains (b-tu.de and tu-cottbus.de) have already been validated, no ACME challenge and therefore no inbound connection is required. This means that even internal servers for which the firewall permits no inbound connections can obtain certificates automatically via ACME. Because the ACME protocol is well standardised, any ACME client can be used; the only requirement is that the client supports external account binding (EAB).

Examples of supported clients: certbot, acme.sh or win-acme

IT-Services offers limited support for certbot.

Request access

Admins registered with IT-Services can request access data by email. Simply send an informal email with the FQDN of the server to ca-btu@b-tu.de. You will then receive the values needed for external account binding (eab-kid, eab-hmac-key and the ACME server URL, referred to below as sectigo_server).

Example: certbot

Retrieve certificate

> certbot certonly --standalone --non-interactive --agree-tos --email <admin.mail@b-tu.de> --server <sectigo_server> --eab-kid <value of EAB-KID> --eab-hmac-key <value of EAB-HMAC-KEY> --domain <FQDN of the server>,<alternative FQDN>,<alternative FQDN>,...


or with an ECDSA key (elliptic curve cryptography, ECC)

> certbot certonly --standalone --non-interactive --agree-tos --email maik.krueger@b-tu.de --key-type ecdsa --elliptic-curve secp384r1 --server <sectigo_server> --eab-kid <value of EAB-KID> --eab-hmac-key <value of EAB-HMAC-KEY> --domain <FQDN of the server>,<alternative FQDN>,<alternative FQDN>,...


The values of eab-kid and eab-hmac-key must be protected as carefully as the certificate's private key. Once certbot has obtained the first certificate, and with it registered an account at the server, the two values are no longer needed: certbot stores the account credentials it uses for subsequent requests and renewals in its own account data, so that account data must be protected just as carefully.
The current certificates can then be found under /etc/letsencrypt/live/<FQDN of the server>/ and can be referenced directly from the web server configuration, for example.

Renew certificate

> certbot renew --standalone --non-interactive --agree-tos --server <sectigo_server>


certbot renew can be run regularly, for example from a cron job. certbot then checks the expiry date of every installed certificate and renews those with fewer than 30 days of validity remaining.
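The two points above, protecting the EAB values and account data, and applying certbot's 30-day expiry threshold, as an added POSIX shell example that is not part of the IT-Services page or of certbot itself. It writes the server URL and EAB values into a root-only certbot configuration file so they never appear on the command line (process arguments are visible to every local user via ps), requests the first certificate with --config, applies the 30-day threshold to the certificates under /etc/letsencrypt/live with openssl x509 -checkend, and lists any account file that is readable by others. The function names, the CERTBOT_CFG and LIVE_DIR paths and the example values are assumptions of mine; that certbot accepts eab-kid and eab-hmac-key in its cli.ini is an assumption based on certbot reading any long option from that file.

```shell
#!/bin/sh
# Added example: EAB-aware certbot wrapper plus expiry report.
# Assumes certbot and openssl are installed; paths are placeholders.
set -eu

CERTBOT_CFG="${CERTBOT_CFG:-/etc/letsencrypt/cli.ini}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
ACCOUNT_DIR="${ACCOUNT_DIR:-/etc/letsencrypt/accounts}"
RENEW_DAYS=30   # certbot's own renewal threshold

# Write server URL, EAB values and key settings into a 0600 config file.
# Arguments: config-path server-url eab-kid eab-hmac-key admin-email
# (option names mirror the certbot long options; cli.ini support for the
# two EAB options is an assumption, see lead-in).
write_eab_config() {
    cfg="$1"; server="$2"; kid="$3"; hmac="$4"; mail="$5"
    ( umask 077; cat > "$cfg" <<EOF
server = $server
eab-kid = $kid
eab-hmac-key = $hmac
email = $mail
key-type = ecdsa
elliptic-curve = secp384r1
agree-tos = true
non-interactive = true
EOF
    )
    chmod 600 "$cfg"
}

# First request: after this certbot has registered the account and the
# EAB values in the config file are no longer needed by certbot.
# Argument: comma-separated FQDN list for --domain.
request_cert() {
    certbot certonly --standalone --config "$CERTBOT_CFG" --domain "$1"
}

# Renewal needs no EAB values; the account is already registered.
renew_all() {
    certbot renew --standalone --config "$CERTBOT_CFG"
}

# Days to seconds, the unit openssl x509 -checkend expects.
threshold_seconds() {
    echo $(( $1 * 86400 ))
}

# Exit 0 when the certificate expires within $2 days (renewal due).
# openssl -checkend exits non-zero when the cert WILL expire within N seconds.
expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -checkend "$(threshold_seconds "$days")" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Walk the live directory the way certbot renew does and report per name.
report_renewals() {
    for dir in "$LIVE_DIR"/*/; do
        [ -f "$dir/cert.pem" ] || continue
        name=$(basename "$dir")
        if expires_within "$dir/cert.pem" "$RENEW_DAYS"; then
            echo "RENEW  $name"
        else
            echo "ok     $name"
        fi
    done
}

# List account files readable by "other"; output should be empty.
check_account_perms() {
    [ -d "$ACCOUNT_DIR" ] || return 0
    find "$ACCOUNT_DIR" -type f -perm -o+r
}

# Dispatch: ./acme-wrap.sh report_renewals | check_account_perms | ...
if [ "$#" -gt 0 ]; then
    "$@"
fi
```

Run it once as root with write_eab_config and request_cert after receiving the values from ca-btu@b-tu.de, then schedule renew_all and report_renewals from cron; check_account_perms belongs in the same job, since a world-readable account key lets any local user request certificates in your name.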

Revoke certificate

> certbot revoke --cert-path <path to the certificate to be revoked> --server <sectigo_server>


Documentation

Detailed certbot documentation