CNAME DNS pointing to PRIVATE domain name

CNAME algo-app.joinwaterlily.com points to private domain ip-10-201-13-140.us-east-2.compute.internal. How can I install the SSL cert in this instance? It looks like the tools are trying to validate the domain, which is not going to happen in this setup...

My domain is:

algo-app.joinwaterlily.com

I ran this command:

sudo certbot --nginx

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: algo-app.joinwaterlily.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for algo-app.joinwaterlily.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for algo-app.joinwaterlily.com - check that a DNS record exists for this domain

My web server is (include version): nginx version:

nginx/1.24.0

The operating system my web server runs on is (include version):

Amazon Linux 2023
Linux 6.1.61-85.141.amzn2023.x86_64

My hosting provider, if applicable, is:

AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is:

certbot 2.7.4

Yes, an HTTP Challenge requires something to respond to that coming from the Let's Encrypt servers over the public internet.

But, there are lots of ways to deal with private servers. One of them is to use the DNS Challenge. These are often harder to automate and depend on your DNS provider supporting an API, and on the ACME client (like Certbot) supporting it.

It looks like you use GoDaddy (yes?) and I think certbot supports that now but not sure exactly. Someone else may know. You could use acme.sh (see their GitHub) which does support it.


Well, yes. Does this strike you as odd? 🙂 A publicly trusted CA needs to verify a publicly accessible hostname. Whether that's through connecting to a public IP address using the http-01 or tls-alpn-01 challenge or resolving a specific TXT resource record on the public DNS using the dns-01 challenge, that's up to the user 🙂 (When talking about the ACME protocol; non-automated CAs might have other verification processes.)

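An added worked example, written for this edit and not taken from any post in the thread, of what the CA actually checks for the three challenge types the two replies above mention. It is plain Python with only the standard library: the hostname is the one from the question, while the challenge token and the EC account key are made up (the coordinates are not a real key; only the JSON shape matters for the thumbprint). It derives the http-01 response and the dns-01 TXT record from the same key authorization, and classifies which challenges can succeed given what the name resolves to on the public internet.

```python
import base64
import hashlib
import ipaddress
import json

# Constructed example values: the hostname from the question, a made-up ACME
# challenge token, and a toy EC account key (not a real key; the thumbprint
# only depends on the JSON shape of the public JWK).
HOSTNAME = "algo-app.joinwaterlily.com"
TOKEN = "made-up-token-for-this-example-only"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-key",
    "y": "constructed-y-coordinate-not-a-real-key",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout (RFC 8555 s.5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the account public key
    (required members only, lexicographically sorted, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge to the ACME account key (RFC 8555 s.8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """http-01: the CA fetches this path over port 80 at the name's public A/AAAA
    address and expects the key authorization as the body (RFC 8555 s.8.3)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(hostname: str, token: str, jwk: dict) -> tuple[str, str]:
    """dns-01: the CA queries this TXT name on the public DNS and expects the
    base64url SHA-256 of the key authorization (RFC 8555 s.8.4). Nothing connects
    to the host itself, so a private-only address does not matter."""
    name = f"_acme-challenge.{hostname.rstrip('.')}."
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def feasible_challenges(public_addresses: list[str]) -> set[str]:
    """Given the addresses the hostname resolves to on the public internet (an empty
    list for NXDOMAIN, e.g. a CNAME to *.compute.internal), return the challenge
    types that can succeed: http-01/tls-alpn-01 need a globally routable address
    the CA can reach on port 80/443; dns-01 only needs the TXT record."""
    reachable = [a for a in public_addresses if ipaddress.ip_address(a).is_global]
    feasible = {"dns-01"}
    if reachable:
        feasible |= {"http-01", "tls-alpn-01"}
    return feasible


if __name__ == "__main__":
    print("public resolution NXDOMAIN ->", sorted(feasible_challenges([])))
    print("private 10.x address       ->", sorted(feasible_challenges(["10.201.13.140"])))
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("http-01:", path, "=>", body)
    name, value = dns01_record(HOSTNAME, TOKEN, ACCOUNT_JWK)
    print("dns-01 :", name, "TXT", value)
```

With a real account key and token, `certbot --manual --preferred-challenges dns` prints exactly the `_acme-challenge.<host>.` name and TXT value this computes; once that record is visible on the public DNS the order validates even though the CNAME target only resolves inside the VPC. The ACME account key is what ties the challenge to the requester, which is why the existence of a CNAME alone proves nothing about who controls the name.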

Not odd so much as "not matching my hopes". 😉

I appreciate the explanations and will look into using DNS verification.

Back to my hopes... since the purpose of a cert is to validate the domain to the certificate, I don't see a technical reason why the address the CNAME resolves to needs to be publicly accessible. As long as the CNAME exists I would think that's enough (assuming they've validated that we own the domain already). Before I knew about the other options I was thinking of adding a public IP, validating the SSL cert and installing it, then changing the CNAME to point to a private IP again. The SSL cert would still be valid in that case (right?). Assuming so, then the initial validation doesn't seem necessary.

But that's just hypothetical. The validation works the way it does so I'll have to look into the other options. Glad they are available.

Thanks all!


The validity of a certificate is independent of DNS.
DNS only helps us to know where the site that would be using that cert can be found.

The existence of a CNAME record is not enough proof of ownership/control.
That CNAME record would exist there no matter who made the request for that cert.
By that I mean, should LE also grant my request of a cert for your domain name?
[because I can also claim that a CNAME exists]

