Certificate for inside/LAN domain

Let's assume that we have the domain company.com; our zone file:

$TTL 3600
@        IN SOA   dns200.anycast.me. tech.ovh.net. (2018022800 86400 3600 3600000 300)
         IN NS    dns200.anycast.me.
         IN NS    ns200.anycast.me.
         IN A
www      IN A
nsint    IN A
inside   IN NS    nsint.company.com.    ; inside.company.com is delegated to our internal server

As you can see, all requests for something.inside.company.com go to our inside DNS server, which works perfectly in our private (non-routable) subnet.

Now I would like to issue an LE certificate for blinky.inside.company.com.

How can I prove that I own the subdomain? Can I do it by proving that I own the domain company.com?

I would like to avoid adding public DNS entries just for the 10 minutes of verification every 60 days…


I'm not quite sure how to do this. However, if your server routes requests correctly, you might be able to use the http-01 challenge for single-domain issuance.

P.S. You might also use a wildcard SSL certificate; however, it needs DNS records to be added and must use the command line.

Thank you

LE servers will not be able to resolve blinky.inside.company.com, as the inside.company.com zone is redirected to a DNS server in a private IP subnet, so the HTTP verification will not work as far as I understand.

If I created a wildcard cert for *.company.com, blinky.inside.company.com would not be verified, as wildcard certs work only for one sublevel.

No, you either need to have a publicly available host for the http-01 challenge (which isn't the case) or you need to be able to place a TXT record under _acme-challenge.privatesub.publicsubdomain.example.com. It is not enough to prove _acme-challenge.example.com.


You can't avoid that I'm afraid. Does your DNS service have an API? I managed to get my BIND DNS server working through RFC 2136. Don't remember exactly how :stuck_out_tongue: but my certbot is able to dynamically add and remove TXT records from my local BIND server.

