Certificate for inside/LAN domain


#1

Let’s assume that we have the domain company.com, our zone file:

$TTL 3600
@       IN SOA  dns200.anycast.me. tech.ovh.net. (2018022800 86400 3600 3600000 300)
        IN NS   dns200.anycast.me.
        IN NS   ns200.anycast.me.
        IN A    7.7.7.7
www     IN A    7.7.7.7
nsint   IN A    192.168.1.22          ; internal DNS server on a private (RFC 1918) address
inside  IN NS   nsint.company.com.    ; delegates everything under inside.company.com to nsint

As you may see, all requests for something.inside.company.com go to our inside DNS server, which works perfectly in our private (non-routable) subnet.

Now I would like to issue LE certificate for blinky.inside.company.com.

How can I prove that I own the subdomain? Can I do it by proving that I own the domain company.com?

I would like to avoid adding public DNS entries just for the 10 minutes of verification every 60 days…


#2

Hi,

I’m not quite sure how to do this. However, if your server routes requests correctly, you might be able to use the http-01 challenge for single-domain issuance.

P.S. You might also use a wildcard SSL certificate; however, it needs you to add DNS records and must use the command line.

Thank you


#3

LE servers will not be able to resolve blinky.inside.company.com, as the inside.company.com zone is redirected to a DNS server in a private IP subnet; the HTTP verification will not work, as far as I understand.

If I created a wildcard cert for *.company.com, blinky.inside.company.com would not be verified, as wildcard certs work only for one sublevel.


#4

No, you either need to have a publicly available host for the http-01 challenge (which isn’t the case) or you need to be able to place a TXT record under _acme-challenge.privatesub.publicsubdomain.example.com. It is not enough to prove _acme-challenge.example.com.

Also:

You can’t avoid that, I’m afraid. Does your DNS service have an API? I managed to get my BIND DNS server working through RFC 2136. I don’t remember exactly how, but my certbot is able to dynamically add and remove TXT records from my local BIND server.
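To make the point in #4 concrete against the zone file from #1, here is an added example (not from the thread or from Let’s Encrypt) that walks the delegation chain for a dns-01 challenge name and reports which servers would have to answer the TXT query; the zone data is constructed to mirror post #1, and a nameserver glued to an RFC 1918 address is treated as unreachable by a public CA.

```python
import ipaddress

# Constructed records mirroring the zone file in post #1 (not a real zone).
ZONE_ORIGIN = "company.com"
ZONE_RECORDS = [
    ("@", "NS", "dns200.anycast.me."),
    ("@", "NS", "ns200.anycast.me."),
    ("@", "A", "7.7.7.7"),
    ("www", "A", "7.7.7.7"),
    ("nsint", "A", "192.168.1.22"),
    ("inside", "NS", "nsint.company.com."),
]


def fqdn(label, origin):
    """Expand a zone-file owner name to a fully qualified name (no trailing dot)."""
    if label == "@":
        return origin
    return label.rstrip(".") if label.endswith(".") else f"{label}.{origin}"


def index_records(records, origin):
    """Group rdata by (owner FQDN, type) so delegations and glue can be looked up."""
    idx = {}
    for owner, rtype, rdata in records:
        idx.setdefault((fqdn(owner, origin), rtype), []).append(rdata)
    return idx


def closest_delegation(name, idx):
    """Walk from `name` toward the root; the first owner holding NS records is the
    zone whose servers must answer for `name`, and so for _acme-challenge under it."""
    labels = name.split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        if (apex, "NS") in idx:
            return apex, idx[(apex, "NS")]
    return None, []


def challenge_plan(host, records=ZONE_RECORDS, origin=ZONE_ORIGIN):
    """Report where the dns-01 TXT for `host` must live and whether a public CA can
    query that server. A nameserver glued to a private address is flagged; a
    server with no in-zone A record (external glue) is assumed to be public."""
    idx = index_records(records, origin)
    txt_name = f"_acme-challenge.{host}"
    zone, nameservers = closest_delegation(txt_name, idx)
    private = [ns for ns in nameservers
               for a in idx.get((ns.rstrip("."), "A"), [])
               if ipaddress.ip_address(a).is_private]
    return {"txt_name": txt_name, "zone": zone, "nameservers": nameservers,
            "public_ca_can_validate": bool(nameservers) and not private}
```

For blinky.inside.company.com the TXT lands in the inside.company.com zone served by nsint (192.168.1.22), so validation fails unless that zone is also served from a publicly reachable server; for www.company.com it lands at the company.com apex and works.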
