Let's Encrypt, hostname for applications and host/device?

So I’m researching moving from NameCheap to LE on our DNG. So setting it up for the server is straightforward enough, but for applications… does each application’s host also need to have Port 80 open?
Also, why is DNS verification not an option?

Thanks!


Hi @Skeer,

I want to make sure I’m understanding your question correctly.

  • Are you trying to generate Let’s Encrypt certs inside of the DNG for the applications you’ve added?
    • If so, check out Configure an Application in Duo Network Gateway. You’ll only need port 80 open for the DNG, but you’ll need DNS entries of all the domains you’re trying to generate certificates for pointing to the DNG’s address as well.

We currently only offer the file verification method and not the DNS method. I’d recommend contacting your account manager if you’d like to file a feature request for the DNS verification method.


Hey Jamie, so this is pretty close. I did wonder about needing to open Port 80 to all the various applications’ URLs/domains in addition to the DNG server/host itself. But sounds like all I should do is open HTTP to the DNG host, then ensure there are public DNS CNAMEs for all the applications, is this correct?

Thanks!

Ben

That’s correct, @Skeer!

Sweet! Thanks for the confirmation!

Have a great day!

Hey Jamie, a question if I may… So I changed the certificate to Let’s Encrypt for one of the applications on our DNG. In the DNG console it says it’s a Let’s Encrypt cert now. But when I browse to it… after I complete the Okta step and I’m at the application’s URL, I check and the certificate in use is for a different domain and not published by LE. What might cause this?

Thanks!

Ben

Hey @Skeer,

I’d double-check that you’re actually landing on the site being protected by the Duo Network Gateway and not being redirected to another URL. If you are accessing the site through the Duo Network Gateway you should either see your Let’s Encrypt certificate being provided to the browser for that site or any certificate you may have manually configured to be used.

Feel free to contact support so that they can get this sorted out for you.
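
One way to run the check described in the reply above, as an added example that is not part of the original thread or Duo's own tooling: it reads the certificate served for the application's hostname and reports whether it covers that hostname and whether Let's Encrypt issued it. The verdict names, the helper functions and `app.example.com` are assumptions made for illustration.

```python
import socket
import ssl
import sys

LE_ORG = "Let's Encrypt"  # organizationName carried by Let's Encrypt issuing CAs
# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_LE = {
    "issuer": ((("countryName", "US"),), (("organizationName", LE_ORG),),
               (("commonName", "R11"),)),
    "subjectAltName": (("DNS", "app.example.com"),),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate served for `host` (sent as SNI)."""
    ctx = ssl.create_default_context()
    # Diagnostic only: keep chain validation but skip the hostname check,
    # so a certificate issued for a different domain can still be inspected.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _covers(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return pattern == host

def diagnose(cert, host):
    """Classify the served certificate against the hostname that was requested."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    org = next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                if k == "organizationName"), None)
    if not any(_covers(s, host) for s in sans):
        verdict = "wrong-site"   # certificate does not cover this hostname
    elif org != LE_ORG:
        verdict = "other-cert"   # right hostname, certificate from another issuer
    else:
        verdict = "ok"
    return {"verdict": verdict, "issuer_org": org, "sans": sans}

if __name__ == "__main__":
    print(diagnose(fetch_cert(sys.argv[1]), sys.argv[1]))
```

Run it from outside your network with the application's external hostname as the only argument. A `wrong-site` verdict means the endpoint answering for that hostname is presenting a certificate for some other name, while `other-cert` means the hostname is covered by a certificate that Let's Encrypt did not issue, such as a manually configured one.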

Thanks Jamie, I’m looking to update the DNG install this weekend then move onto actually investigating the LE cert stuff.