Do I need 2 separate certificates for split DNS environment?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.oakdaleirrigation.com

I ran this command:
I have not run a command yet.

It produced this output:
N/A
My web server is (include version):
IIS

The operating system my web server runs on is (include version):
Windows Server 2016

My hosting provider, if applicable, is:
On-Prem
I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have a split DNS environment (internal server DNS name is different from the external DNS name). If I install the client and generate a certificate, I am assuming it will pull the FQDN (internal DNS name), which will not match the public-facing name. Do I need 2 separate certificates, or can I specify the name on the certificate to be the external name? I want the external DNS name to be on the certificate so that the applications we are hosting will resolve properly.

Your assumption is incorrect: the ACME client doesn't validate the FQDN, the (remote) Let's Encrypt validation server does. So it'll try to connect to the IP address resolved from the public, external DNS (http-01 or tls-alpn-01 challenges) or use the authoritative DNS servers for validation (dns-01 challenge).


In addition to what @Osiris said, Let's Encrypt can only issue certificates to public internet / external DNS names. You cannot get a certificate from Let's Encrypt for the internal LAN names.


Unless you can publish the appropriate DNS TXT records to the public DNS zone associated with those names and the name is part of a real ICANN domain.


Well yes, you can map or remap them internally -- but the DNS records need to be externally/publicly verifiable.

Hi @mballinger and welcome to the LE community forum 🙂

I presume the reason being that you are using the exact same set of FQDNs and simply want to return a different set of IPs from each zone.
[external IPs from external zone - internal IPs from internal zone]

That said, since you plan on requesting a wildcard cert, you will have to ensure the ACME client can update the actual DNS zone for the real Internet domain - OR process the request manually (NOT recommended).
So the first hurdle is using a DNS Service Provider (DSP) that supports zone updates via API.
The second hurdle is using an ACME client that has a plugin for that DSP.

Feel free to ask questions and/or for advice along the way.

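To make the two points in this thread concrete (the CA validates against public DNS only, so the internal view never matters, and a wildcard needs dns-01 through a DNS provider API), here is an added, stand-alone readiness check. It is not code from the thread or from any ACME client. The two DNS views, the placeholder names and addresses, and the set of zones whose provider exposes an update API are all constructed assumptions; the only external fact it relies on is that dns-01 for a name looks for a TXT record at `_acme-challenge.<name>`.

```python
"""Split-horizon readiness check for ACME issuance (added example, stdlib only)."""
from dataclasses import dataclass

# Constructed sample data: two DNS views for one organisation. Documentation
# addresses and placeholder names only, not real infrastructure.
INTERNAL_VIEW = {
    "app.example.com": "10.0.1.20",        # same public name, private address
    "portal.example.com": "10.0.1.40",
    "files.corp.internal": "10.0.1.50",    # LAN-only name, not in any public zone
}
PUBLIC_VIEW = {
    "app.example.com": "203.0.113.20",
    "portal.example.com": "203.0.113.40",
}
# Public zones whose DNS provider offers an update API that an ACME client
# plugin can drive (assumption for the example).
API_ZONES = {"example.com"}


@dataclass
class Finding:
    name: str
    issuable: bool
    challenges: tuple
    note: str


def in_zone(name, zones):
    """True if name equals or lies beneath one of the given DNS zones."""
    return any(name == z or name.endswith("." + z) for z in zones)


def plan_issuance(names, public_view, internal_view, api_zones):
    """Decide, per requested name, whether Let's Encrypt can validate it and how.

    Mirrors the thread: validation is performed by the CA against public DNS,
    so the internal view never influences it; wildcards need dns-01 via a
    provider API; LAN-only names cannot be issued at all.
    """
    findings = []
    for name in names:
        if name.startswith("*."):
            base = name[2:]
            if in_zone(base, api_zones):
                findings.append(Finding(name, True, ("dns-01",),
                    "wildcard: CA checks a TXT record at _acme-challenge." + base
                    + " in public DNS; the client needs the provider's API plugin"))
            else:
                findings.append(Finding(name, False, (),
                    "wildcard needs dns-01, but no API-capable public zone covers " + base))
            continue

        public_ip = public_view.get(name)
        if public_ip is None:
            findings.append(Finding(name, False, (),
                "not resolvable in public DNS; Let's Encrypt cannot validate LAN-only names"))
            continue

        challenges = ["http-01", "tls-alpn-01"]
        if in_zone(name, api_zones):
            challenges.append("dns-01")
        internal_ip = internal_view.get(name)
        if internal_ip and internal_ip != public_ip:
            note = (f"split horizon: CA will connect to {public_ip}; "
                    f"internal answer {internal_ip} is irrelevant to validation")
        else:
            note = f"CA will connect to {public_ip}"
        findings.append(Finding(name, True, tuple(challenges), note))
    return findings


if __name__ == "__main__":
    requested = ["app.example.com", "files.corp.internal", "*.example.com"]
    for f in plan_issuance(requested, PUBLIC_VIEW, INTERNAL_VIEW, API_ZONES):
        status = "OK" if f.issuable else "NO"
        print(f"{status} {f.name:24} {(','.join(f.challenges) or '-'):26} {f.note}")
```

Run it and the output shows why the original worry is moot: `app.example.com` is issuable even though the LAN resolves it to a private address, the LAN-only name is refused outright, and the wildcard is allowed only through dns-01. Replacing the constructed dicts with real lookups against an internal resolver and a public one (or the zone's authoritative servers) turns this into a pre-flight check an operator can run before pointing an ACME client at a split-DNS domain.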
