Certbot / FQDN for local network

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: .lan / -lan

I ran this command: sudo snap install --classic certbot

It produced this output: Error creating new order :: Cannot issue for "atak.lan": Domain name does not end with a valid public suffix (TLD)

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu Server 20.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello,

I would like to run Certbot / FQDN for a local server without permanent internet access.
I want to run a program called ATAK on a local network over Wi-Fi. I built a little box for a router and a Raspberry Pi to make it movable.

I'm not a big Linux guy, but on GitHub you can find a script that installs everything for you, including FQDN using certbot.
Link to script: GitHub - atakhq/takserver-deb-installer: Setup TAK Server 4.8 or 4.9 in ~10 min on Ubuntu (20.04) with: certificate enrollment, optional FQDN with letsencrypt SSL, user certificate generation, simple-rtsp-server for video streaming.

When I run the script, it installs certbot and wants to know my hostname / domain name etc.

But Certbot does not seem to like my .lan domain and gives me this message:
Error creating new order :: Cannot issue for "atak.lan": Domain name does not end with a valid public suffix (TLD)

Is there a way to fix this or work around?

I'd be very glad for any help!
As I said, I'm not big into Linux and not into certbot at all, but it would be awesome to get this running!

If any more information is needed please let me know! Thanks!

No, the top level domain (TLD) .lan is not a public TLD. While I can't seem to find an RFC or IANA registry where the .lan TLD is actually officially registered as a private TLD, most documents from official organisations such as IANA mention the .lan TLD as being private. See e.g. https://www.icann.org/en/system/files/files/sac-113-en.pdf

As Let's Encrypt is a public CA, it is not allowed to issue certificates for private TLDs. It can only issue certificates for public domains, as it is required to validate the hostname using the public internet.

Thus, to be able to use LE, you need a publicly available domain name.

See also:

It's a whole different story if you'd like to use Certbot in combination with your own self-hosted CA, of course. For example, minica (GitHub - jsha/minica: minica is a small, simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used., no ACME support, but probably also not necessary for simple environments) or step-ca (`step-ca` server, uses ACME, probably more for bigger companies) could do that.

6 Likes
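As an added example of the self-hosted CA route suggested above (not code from the thread, from minica or from the installer script): the steps minica automates, done by hand with the openssl CLI for the atak.lan name from the question. The CA name and file locations are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the installer script: a minimal
# self-hosted CA with the openssl CLI, doing by hand what minica automates.
# atak.lan comes from the thread; the CA name and file names are assumed.
set -eu
WORKDIR=$(mktemp -d)
# One config for root and leaf: [ca_ext] is applied only to the root.
cat > "$WORKDIR/lan.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = ATAK LAN Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Root CA. No public trust store will ever contain ca.crt, so every ATAK
# client has to import it: the trade-off of a .lan name vs a public domain.
make_lan_ca() {
  openssl req -x509 -config "$WORKDIR/lan.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Leaf for one hostname; the name goes into subjectAltName, since TLS clients ignore the CN.
make_lan_cert() {
  host="$1"
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$WORKDIR/$host.ext"
  openssl req -new -config "$WORKDIR/lan.cnf" -subj "/CN=$host" -newkey rsa:2048 \
    -nodes -sha256 -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/$host.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -extfile "$WORKDIR/$host.ext" \
    -out "$WORKDIR/$host.crt" 2>/dev/null
}

# Chain and hostname check against the private root: what a client that imported ca.crt does.
verify_lan_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$2" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Same leaf against the system trust store only: fails until ca.crt is imported.
verify_with_system_store() {
  openssl verify "$WORKDIR/$1.crt" >/dev/null 2>&1
}

make_lan_ca && make_lan_cert atak.lan
verify_lan_cert atak.lan atak.lan && echo "atak.lan: valid against $WORKDIR/ca.crt"
verify_with_system_store atak.lan || echo "atak.lan: not trusted by the system store"
```

The second check is the same failure the ATAK clients will report until ca.crt is installed on them, which is the point the later reply about using a public domain instead is making.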

Thanks for the quick answer!

minica looks like what I need. I will not have more than 30 users in my network connecting to the server, so that should be fine.

3 Likes

You can still use a Let's Encrypt certificate in private LANs, by obtaining a certificate for a public domain extension on the public internet via the DNS-01 challenge (or completing the HTTP-01 challenge with a public server and copying that certificate onto your system). That will allow you to avoid installing the private root certificate on the client machines.

4 Likes

For extra clarity/reminder: which the .lan TLD is not.

3 Likes
