I’ve been successfully using LetsEncrypt for issuing certificates for my own sites and thank you for that!
My question regards internal sites, that are not accessible from the internet. The sites are located in a private LAN that goes through NAT to the outside world. The sites have domain names that are only resolvable inside the LAN. The domains are subdomains of a public DNS tree (eg. mytld.gov.gr). Since I know that LetsEncrypt cannot issue certificates for sites that are not publicly accessible, I read somewhere that there is the option of DNS validation. For example, I maintain a wiki at wiki.mytld.gov.gr and I own the mytld.gov.gr domain. The wiki.mytld.gov.gr is only resolvable inside my LAN. Is it possible to issue a TLS certificate for this site using the DNS validation procedure? If yes, how does the renewal process work in this case near the certificate expiration date? Could you provide links to relevant documentation or examples?
The site itself does not need to be publicly reachable, but the DNS record does need to be publicly visible (at least a TXT record requested by the certificate authority—you do not need to have any publicly-visible A or CNAME records).
Ok, I want to get my certificate. Let’s say that it’s successfully issued and I set it up for my server and it works fine. Upon nearing the certificate expiration, what’s the deal with the DNS TXT record? Does it have to continue to exist, change its value or … ? Can the renewal process in this case be automated via a cron job like it can with the http validation? Could you provide an example for the command line used for certbot-auto?
The TXT record only has to exist at the moment the certificate is issued (not during the rest of the certificate’s lifetime). However, the requested record will be different for each certificate renewal. So, the most convenient way to handle this for automated renewals is with an API that allows the DNS zone to be updated programmatically. Do you have access to such a thing for this DNS zone? (For security reasons, it’s also possible to set a single persistent CNAME inside the zone so that the effective DNS record that you have to change is under a different zone; in that case, you can update a different zone via API rather than the mytld.gov.gr zone).
Unfortunately I don’t have direct access to the DNS zone management. Whenever I need changes to the DNS zone (addition, deletion, or update of a record), I must send an e-mail to the DNS zone manager authority. The change usually takes place in a couple of hours at most, but given this procedure, I obviously cannot use an API (or some other automated procedure) to do such DNS zone changes.
I’d like some explanation regarding this:
For security reasons, it’s also possible to set a single persistent CNAME inside the zone so that the effective DNS record that you have to change is under a different zone; in that case, you can update a different zone via API rather than the mytld.gov.gr zone
To validate the name wiki.mytld.gov.gr, you would use a TXT record at _acme-challenge.wiki.mytld.gov.gr..
But you can CNAME that anywhere. If the mytld.gov.gr. people are willing to create a CNAME pointing somewhere you do control, that would solve the problem.
E.g. if they set _acme-challenge.wiki.mytld.gov.gr. CNAME wiki-acme-challenge.lourdas.com.gr., and you have programmatic control of the DNS records for lourdas.com.gr., you could use that.
Or they could delegate a different zone like acme-challenges.mytld.gov.gr., to the same DNS provider or a different one, give you(r ACME client) access to that, and set something like _acme-challenge.wiki.mytld.gov.gr. CNAME wiki.acme-challenges.mytld.gov.gr..
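The mechanism described in the last two replies (a single persistent CNAME under _acme-challenge.wiki.mytld.gov.gr pointing into a zone the ACME client can update, with a different TXT value published for every issuance) can be followed end to end in a small simulation. The code below is an added example, not part of this thread and not Let's Encrypt's or certbot's code: it models public DNS as an in-memory dictionary, has the "client" publish a fresh TXT record only in the delegated zone, and has the "CA" side resolve the challenge name, follow the CNAME and compare the TXT value. The zone contents, the account JWK and the tokens are constructed; the TXT value itself is computed as in RFC 8555 (base64url of the SHA-256 of `token.thumbprint`, with the thumbprint per RFC 7638), which is what a real client and CA do.

```python
import base64
import hashlib
import json

# Constructed stand-in for the ACME account's public key (made-up values, not a
# real key); only its thumbprint is used.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}

HOSTNAME = "wiki.mytld.gov.gr."                        # only resolvable inside the LAN
CHALLENGE_NAME = "_acme-challenge." + HOSTNAME         # name the CA looks up
DELEGATED_NAME = "wiki.acme-challenges.mytld.gov.gr."  # name the ACME client may update


def build_zones():
    """Constructed public DNS: the authority-managed zone holds only the persistent
    CNAME, the delegated zone starts empty, and the wiki host has no public A record."""
    return {CHALLENGE_NAME: [("CNAME", DELEGATED_NAME)]}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token, jwk):
    """RFC 8555 dns-01: TXT RDATA = base64url(SHA-256(token '.' thumbprint))."""
    key_authz = token + "." + jwk_thumbprint(jwk)
    return b64url(hashlib.sha256(key_authz.encode()).digest())


def resolve_txt(name, zones, max_hops=8):
    """Resolve TXT records for name, following CNAMEs the way a CA's resolver would.
    Raises on loops or overly long chains instead of spinning."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        rrs = zones.get(name, [])
        cnames = [v for t, v in rrs if t == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [v for t, v in rrs if t == "TXT"]
    raise ValueError("too many CNAME hops")


def publish_txt(zones, name, value):
    """Client side: replace the TXT set at name (this is the API call to the
    delegated zone); any other record types at that name are left alone."""
    others = [rr for rr in zones.get(name, []) if rr[0] != "TXT"]
    zones[name] = others + [("TXT", value)]


def ca_validates(zones, hostname, token, jwk):
    """CA side: look up _acme-challenge.<hostname>, follow CNAMEs, compare TXT."""
    expected = dns01_txt_value(token, jwk)
    return expected in resolve_txt("_acme-challenge." + hostname, zones)


def run_renewals(zones, tokens):
    """One issuance per token: publish a fresh TXT under the delegated name, then let
    the CA validate. The CNAME in mytld.gov.gr is never touched."""
    results = []
    for token in tokens:
        publish_txt(zones, DELEGATED_NAME, dns01_txt_value(token, ACCOUNT_JWK))
        results.append(ca_validates(zones, HOSTNAME, token, ACCOUNT_JWK))
    return results


if __name__ == "__main__":
    zones = build_zones()
    print("renewals:", run_renewals(zones, ["constructed-token-1", "constructed-token-2"]))
    print("authority zone still:", zones[CHALLENGE_NAME])
    print("delegated zone now:", zones[DELEGATED_NAME])
```

Two properties of the setup show up directly in the simulation: after the second renewal the first token's value no longer validates, because each issuance needs its own TXT value and the old one can be dropped once the certificate is issued; and the only record in the authority-managed zone is the CNAME created once, so the e-mail-to-the-zone-manager step happens a single time rather than at every renewal.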