Hi,
I could not find anything related to this so I hope this could be a possible new feature.
We would like to see the DNS ACME challenge in Pritunl Zero. At this moment we need to open up port 80 to the whole world, we cannot apply GeoIP blocking on that port, and when we want to implement HSTS it could impact the ACME challenge.
Support for authorizing the Let's Encrypt certificates with DNS challenges on AWS and Oracle Cloud will be added to both Pritunl Zero and Pritunl Cloud soon. This will be added with the secrets storage component that will be used to store the AWS and Oracle Cloud API keys.
Support for Oracle Cloud still needs to be completed. It may be in a build this weekend. It isn’t possible currently to pull the code from the repository; there is still a lot of uncommitted code.
This is now available on the unstable repositories; it will move to the stable repositories after a few days of testing. The DNS provider API key is stored in the secrets tab, which can then be selected from the certificates page. Support for AWS, Cloudflare and Oracle Cloud is available.
The web server in Pritunl has a very secure dual layer design; there shouldn’t be any concern with keeping it open to the internet. A lot of configurations will require it to be open. Any vulnerability, especially on port 80, which has almost no handlers, would very likely need to exist on both the Golang and Python web servers. It doesn’t pass the full request to the inner web server; it is fully parsed with JSON type checking in Golang, then recreated using only the defined set of headers and sent to the internal server.
It can be made more secure by running sudo pritunl set app.web_systemd true, then sudo systemctl restart pritunl. This will isolate it in a systemd service that has a lot of the isolation options configured. This may become the default, but to prevent compatibility issues it currently must be manually enabled. There are also SELinux profiles included with the RHEL packages that further protect the web server process.
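For readers wondering what the DNS challenge mentioned in the replies above actually publishes, and why it removes the need for port 80, here is an added example (not Pritunl code, and not from anyone in this thread) of the ACME DNS-01 computation as specified in RFC 8555 and RFC 7638: the CA issues a token, the client computes the key authorization from that token and the thumbprint of its account key, and the SHA-256 of that string is what goes into the _acme-challenge TXT record. The sample token is the illustrative value from RFC 8555; the domain name is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// b64 is the unpadded base64url encoding ACME uses for all binary values (RFC 8555 §8.1).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint computes the RFC 7638 thumbprint of a P-256 account public key:
// SHA-256 over the canonical JSON {"crv","kty","x","y"} with lexically ordered members
// and no whitespace. Coordinates are fixed-width 32-byte big-endian values.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	size := (pub.Curve.Params().BitSize + 7) / 8
	x := pub.X.FillBytes(make([]byte, size))
	y := pub.Y.FillBytes(make([]byte, size))
	canon := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(x), b64(y))
	sum := sha256.Sum256([]byte(canon))
	return b64(sum[:])
}

// keyAuthorization binds the CA-issued token to the account key (RFC 8555 §8.1).
func keyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// dns01TXTValue is the record content for DNS-01: base64url(SHA-256(keyAuthorization)).
func dns01TXTValue(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(keyAuthorization(token, thumbprint)))
	return b64(sum[:])
}

// dns01RecordName is the owner name the CA queries for the domain being validated.
func dns01RecordName(domain string) string {
	return "_acme-challenge." + domain
}

// verifyDNS01 is the CA-side check: the TXT value observed in DNS must equal the
// digest recomputed from the token the CA issued and the account key thumbprint.
func verifyDNS01(token, thumbprint, observed string) bool {
	return observed == dns01TXTValue(token, thumbprint)
}

func main() {
	// Constructed account key; a real client persists this key across orders.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	thumb := jwkThumbprint(&key.PublicKey)
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // example token from RFC 8555
	domain := "vpn.example.com"                            // made-up domain
	fmt.Printf("%s TXT %q\n", dns01RecordName(domain), dns01TXTValue(token, thumb))
	fmt.Println("verifies:", verifyDNS01(token, thumb, dns01TXTValue(token, thumb)))
}
```

Because the CA only needs to read a TXT record, the validation never touches the host's port 80 or 443, which is why DNS-01 sidesteps the GeoIP and HSTS concerns raised in the original question; the trade-off is that the DNS provider API credential becomes a sensitive secret, which is what the secrets tab is for.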
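The reply above describes the outer Go server fully parsing each request with JSON type checking and then rebuilding it from a fixed set of headers before it reaches the inner Python server. The following is an added illustration of that pattern in Go, written for this thread and not taken from Pritunl's source: the payload struct, the header allowlist, the inner-server address and the request path are all made up, and the real Pritunl schema and handler set are not on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// loginPayload is a hypothetical schema for one inner endpoint; unknown fields are rejected.
type loginPayload struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// allowedHeaders is a constructed allowlist; any inbound header not listed here is never forwarded.
var allowedHeaders = []string{"Content-Type", "Accept", "X-Request-Id"}

// parseBody decodes the inbound body into the typed struct, capping its size and rejecting
// unknown fields and trailing data, so only JSON matching the schema can reach the inner server.
func parseBody(r io.Reader, maxBytes int64) (*loginPayload, error) {
	dec := json.NewDecoder(io.LimitReader(r, maxBytes))
	dec.DisallowUnknownFields()
	var p loginPayload
	if err := dec.Decode(&p); err != nil {
		return nil, err
	}
	if dec.More() {
		return nil, errors.New("trailing data after JSON body")
	}
	return &p, nil
}

// rebuildRequest constructs a fresh request for the inner server from the parsed payload and
// the allowlisted headers only. The raw inbound bytes and headers are never copied through.
func rebuildRequest(in *http.Request, innerBase string, maxBytes int64) (*http.Request, error) {
	if in.Method != http.MethodPost {
		return nil, fmt.Errorf("method %s not permitted on this endpoint", in.Method)
	}
	p, err := parseBody(in.Body, maxBytes)
	if err != nil {
		return nil, fmt.Errorf("invalid body: %w", err)
	}
	body, err := json.Marshal(p) // re-serialised from the typed struct, not the original bytes
	if err != nil {
		return nil, err
	}
	out, err := http.NewRequest(http.MethodPost, innerBase+in.URL.Path, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	for _, h := range allowedHeaders {
		if v := in.Header.Get(h); v != "" {
			out.Header.Set(h, v)
		}
	}
	out.Header.Set("Content-Type", "application/json")
	return out, nil
}

// forwardedHeaderNames lists the header names present on a rebuilt request, for inspection.
func forwardedHeaderNames(r *http.Request) []string {
	names := make([]string, 0, len(r.Header))
	for k := range r.Header {
		names = append(names, k)
	}
	return names
}

func main() {
	// Constructed inbound request carrying a header the inner server should never see.
	in, _ := http.NewRequest(http.MethodPost, "http://zero.example/auth/session",
		strings.NewReader(`{"username":"alice","password":"hunter2"}`))
	in.Header.Set("Content-Type", "application/json")
	in.Header.Set("X-Forwarded-For", "198.51.100.7")
	out, err := rebuildRequest(in, "http://127.0.0.1:8080", 1<<16) // hypothetical inner address
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(out.URL, forwardedHeaderNames(out))
}
```

The security property is the one the reply relies on: a malformed or oversized request fails in the Go layer and never produces a request to the inner server at all, while a well-formed one reaches it only as a freshly serialised document with a known header set, so a parser bug would have to be exploitable in both layers to matter.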