Can I create a cert for a private domain?


#1

Please fill out the fields below so we can help you better.

My domain is:

xxxxxxxxx.local

I ran this command:

certbot certonly --manual --config-dir ./certbot --work-dir ./certbot --logs-dir ./certbot

It produced this output:

The request message was malformed :: Name does not end in a public suffix

My operating system is (include version):

Darwin 16.4.0 Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64 x86_64

My web server is (include version):

Nginx inside a Docker container

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

We have a webapp (Angular based) that requires our users to take membership photos using a webcam.

Chrome is our supported browser and that requires SSL to allow access to the webcam. Nice and secure.

Currently, for testing, we use a self-signed certificate, but that seems to be giving us problems. We suspect that a self-signed cert is no longer good enough.

Our live site has a proper certificate for our live domains (wildcard subdomains as we have apps and customer specific domains).

Our developers though don’t have a working certificate and we want to make this easier for them to work with.

What approach can we use? I am NOT an expert in SSL, so a simple list of commands allowing me to supply a cert to the devs that they can hook into their dockerized nginx would be great.

Regards,

Richard.


#2

If the domain you need a certificate for isn’t publicly accessible (either DNS or IP), it’s impossible to get a Let’s Encrypt certificate.


#3

Industry rules now completely forbid publicly trusted CAs from issuing certificates for internal names like .local. Sorry!


#4

Hi Richard

How did you generate the self-signed certificate?

You can get browsers to trust self-signed certificates by installing their intermediates on your developers’ PCs (not an ideal situation, but it works).

Second way - purchase a .xyz domain of your real domain (for example, if your real domain is superphotos.io, purchase superphotos.xyz). .xyz domains are fairly cheap (USD $2 for 1 year). On your local desktops you can then point www.superphotos.xyz to your test servers (using HOST files or HOSTS).

Andrei


#5

I also think the second way is better, as it means you get practice at configuring LetsEncrypt certs early :smiley:


#6

some more guidance on the first option: https://jamielinux.com/docs/openssl-certificate-authority/

Note you need to select SHA256 as the signing algorithm.

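The first option from #4 and #6 (a private CA whose root the developers import, signing SHA-256 leaf certs for `.local` names), as an added example that is not part of the thread or the linked guide. It assumes `openssl` is on the PATH; the directory, the hostname `app.example.local` and the function names are placeholders chosen here. The leaf certificate carries the hostname in a `subjectAltName`, which Chrome requires (it no longer matches against the CN alone), and the script ends with a check that the leaf actually chains to the CA.

```shell
#!/bin/sh
# Added example: a minimal private CA for developer machines.
# make_dev_certs DIR HOST  -> DIR/ca.crt (import this on dev PCs),
#                            DIR/server.crt + DIR/server.key (mount into nginx)
# check_dev_certs DIR HOST -> exit 0 iff server.crt verifies against ca.crt
#                            and names HOST in its SAN
set -e

make_dev_certs() {
  out="$1"    # output directory (hypothetical, e.g. ./devca)
  host="$2"   # dev hostname, e.g. app.example.local
  mkdir -p "$out"

  # CA config: mark the root as a CA so browsers accept it as a trust anchor,
  # and restrict it to signing end-entity certs (pathlen:0).
  cat > "$out/ca.cnf" <<'EOF'
[ req ]
distinguished_name   = dn
x509_extensions      = ca_ext
prompt               = no
[ dn ]
CN = Dev Local CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Self-signed root, SHA-256 as #6 recommends. ca.key never leaves the
  # machine that runs this; only ca.crt is handed to developers.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$out/ca.cnf" -keyout "$out/ca.key" -out "$out/ca.crt"

  # Server key and CSR for the dev hostname.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$out/server.key" -out "$out/server.csr"

  # Leaf extensions: not a CA, TLS-server usage only, hostname in the SAN.
  cat > "$out/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF

  # Sign the CSR with the private CA (SHA-256, one-year validity).
  openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$out/server.ext" \
    -out "$out/server.crt"
}

check_dev_certs() {
  out="$1"; host="$2"
  # "OK" on stdout means the leaf chains to ca.crt (the output is checked
  # rather than the exit code, which older openssl versions did not set).
  openssl verify -CAfile "$out/ca.crt" "$out/server.crt" | grep -q ': OK$' || return 1
  # The SAN must name the host the developers will type into the browser.
  openssl x509 -in "$out/server.crt" -noout -text | grep -q "DNS:$host"
}

if [ "${1:-}" = "run" ]; then
  make_dev_certs ./devca app.example.local
  check_dev_certs ./devca app.example.local && echo "server.crt is valid for app.example.local"
fi
```

For the dockerized nginx, mount `server.crt` and `server.key` and point `ssl_certificate` and `ssl_certificate_key` at them; each developer adds `127.0.0.1 app.example.local` to their hosts file and imports `ca.crt` into the OS or browser trust store. Re-running `make_dev_certs` with a different hostname reuses nothing, so keep one CA directory and sign additional leaves from it rather than generating a new root per developer.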

#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.