Certbot using a non purchased domain using a local DNS server in Win Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: certbot.int

I ran this command: wacs.exe

It produced this output: [certbot.int] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for certbot.int - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for certbot.int - check that a DNS record exists for this domain","status":400,"instance":null}

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server

My hosting provider, if applicable, is: Local DNS Server and Local IIS

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v2.2.9.1701

If I create a certificate for a site without a dot, it complains about "no dot", and if I use a dot I get the above error. I have a local DNS server with a zone and an A record for Certbot.int pointing to my local IP, and I set my adapter's DNS to my DNS server's IP with 8.8.8.8 as the alternate.

You cannot get a certificate from a public CA for a non-public domain name. See also Certificates for localhost - Let's Encrypt; it's also quite suitable for other local hostnames/IP addresses without a public domain name.

Also, why would you want a certificate with the name 'certbot'? Weird.

4 Likes

it is just a test site, I named it so that I know this site uses a LE Certificate.

Just in the interest of thoroughness ... Certbot can get certificates from other Certificate Authorities too. Such as these:

4 Likes

Regardless, the fact remains that you cannot get certificates from a public CA for non-public domains.

2 Likes

I wasn't contradicting that, and fair enough to emphasize it. I was just educating the poster about options for "Certbot", and to avoid future readers thinking Certbot was only viable for Let's Encrypt.

2 Likes

It was just that :slight_smile:

2 Likes

Hi @MG1376, there's a little bit of confusion here because I don't think you are using Certbot (which is a popular ACME client mainly used on Linux). Based on the version number you mention, I think you are instead using win-acme, which is very different software.

As others have mentioned, if you want a certificate from Let's Encrypt it needs to be a public name that can be seen in public DNS (like mail.yourdomain.com); it can't be an internal name (like intranet01 or webmail.local) because Let's Encrypt can't validate internal host names.

If you can't give your services a public name (?) then you can use an internal CA (not Let's Encrypt) that you run yourself. Examples include smallstep step-ca and HashiCorp Vault. There is also Windows Active Directory Certificate Services, but to use that with ACME you need some middleware like GitHub - grindsa/acme2certifier: library implementing ACME server functionality to act as an ACME compatible CA. There are probably commercial products too.

3 Likes
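A pre-flight check for the failure discussed in the replies above, added here as an example and not code from the thread, from win-acme or from Certbot: it asks a public resolver (8.8.8.8 is an assumed default) for A and AAAA records the way the CA's validation does, so a name that exists only on an internal DNS server shows up as NXDOMAIN before an order is placed.

```python
"""Pre-flight check: query a public resolver, which (like the ACME CA)
cannot see an internal DNS zone, so an internal-only name such as
certbot.int is caught before the certificate order fails with NXDOMAIN."""
import socket
import struct

NXDOMAIN = 3  # DNS RCODE meaning "name does not exist"
QTYPE = {"A": 1, "AAAA": 28}


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive DNS query in RFC 1035 wire format."""
    # flags 0x0100 = RD (recursion desired); one question, no other sections
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", QTYPE[qtype], 1)


def parse_reply(packet: bytes) -> tuple:
    """Return (rcode, answer_count) read from a DNS response header."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    return flags & 0x000F, ancount


def resolves_publicly(name: str, resolver: str = "8.8.8.8",
                      timeout: float = 3.0) -> dict:
    """Ask the public resolver for A and AAAA, mirroring what the CA sees."""
    result = {}
    for qtype in ("A", "AAAA"):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype), (resolver, 53))
            rcode, answers = parse_reply(s.recv(512))
        if rcode == NXDOMAIN:
            result[qtype] = "NXDOMAIN"      # the error seen in the thread
        else:
            result[qtype] = "ok" if answers else "no records"
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "certbot.int"
    for rrtype, status in resolves_publicly(target).items():
        print(f"{target} {rrtype}: {status}")
```

If either record type reports NXDOMAIN from the public resolver, the ACME order will fail the same way regardless of what the internal DNS server returns.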

Thank you for the recommendations, and sorry for posting on the wrong site. I will check out your recommendations.

2 Likes
