How to renew TLS certificate for GitHub Enterprise Server with expired TLS certificate and private subnet without public IP?

Question

I have a GitHub Enterprise Server instance hosted on AWS in a private subnet that does not have a public IP address. The TLS certificate for the GitHub server has expired, and I need to renew it. I tried using the ghe-ssl-acme command with the

sudo -u admin /usr/local/bin/ghe-ssl-acme -p -i

option, but I encountered an error that the ACME server could not find a valid A or AAAA record.

How can I renew the TLS certificate for my GitHub Enterprise Server without a public IP address and with an expired TLS certificate?

Answer 1

Seems you are generating public cert for your github enterprise server host through Let's encrypt (based on ghe-ssl-acme command). Let's encrypt tries to validate your host domain name by HTTP-01 challenge (default one in case of Github enterprise server) to confirm if you own that domain & for that you need to have A record in your DNS pointing to GHES.

You can do following things

1. Have public load balancer (ALB) in-front of ec2 instance (hosting GHES). You need to create target group, do ssl offloading at ALB level with public cert of your domain (you can use aws acm for generating public cert) . Further detail : In case if you want to support git over ssh to your GHES (i.e uses should be able to git clone,pull,push over ssh , then you need to use NLB as load balancing on port 22 required layer 4 load balancer . You can use public NLB for it . So flow would look like NLB (listener on port 22) -> target group -> ec2 . You can also do same for administrative shell port 122 as well. For HTTP/s ports 443(ghes over https) & 8443(ghes management console) flow would be like NLB (listeners on ports 8443,443) -> ALB (listeners on 8443,443) -> target groups (8443,443) -> ec2 instance (hosting ghes server).
2. If you are using Route53 for DNS , you can add A record in public hosted zone key:value [.yourdomain --> public lb dns ]
3. Now try to regenrate tls cert for ghes through its management console (over 8443 port) OR by firing ghe-ssl-acme command in Administrative shell (port 122) of GHES