Encryption for internal server / no DNS entry


#1

Hello,

I have kind of the same problem as described here: #54131
We have a server which is connected to the internet through our fritz.box but which only serves websites internally.
We have Confluence, davical and a Scrum tool installed there. I’d like to encrypt the communication using TLS.
When I run certbot --nginx I get an error:

Failed authorization procedure. kanban.pan-acoustics.de (http-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up A for kanban.pan-acoustics.de

We do not have our own DNS server in our company. We have a fixed IP address and I access the server via VPN.

I am pretty new to how the internet works, so there might be a basic problem understanding the problem, but I suppose that there exists no DNS entry pointing to my machine. How can I fix this? Why do I need a DNS entry although the machine is only accessed via VPN or LAN?

My setup: nginx 1.1.14, Ubuntu 18.04LTS, I have sudo rights.


#2

Because SSL certificates prove to the world that you control the domain name. In order for the system to work, you need to be able to publicly demonstrate that proof. (At least, that’s how Let’s Encrypt works).

Your nameservers are

ns9.schlund.de.
ns10.schlund.de.

You may use DNS validation (via a TXT record on those nameservers) to prove control of your domain, which will allow you to get a certificate while also allowing your server to remain internal.

certbot -a manual -i nginx --preferred-challenges dns -d kanban.pan-acoustics.de

#3

Thanks for the quick response.

Because SSL certificates prove to the world that you control the domain name. In order for the system to work, you need to be able to publicly demonstrate that proof. (At least, that’s how Let’s Encrypt works).

ok got it. So with the TXT record I prove that I own the domain (or at least can access the domain details).

I gave the information to a colleague as I don’t have the password to access the domain details.

One thing I don’t understand:
With the TXT record I prove, that I own pan-acoustics.de
The server to which I connect is kanban.pan-acoustics.lan
So if the client-browser asks for pan-acoustics.de to which the certificate is registered, how can the internal machine be validated?


#4

Oh, I see. You did not mention .lan before.

You can’t get a Let’s Encrypt certificate for kanban.pan-acoustics.lan because .lan is not a Public Suffix. No certificate authority will issue a certificate for it.

You can get one for kanban.pan-acoustics.de, and use it on your internal server, though. You’ll just need to create a TXT record for _acme-challenge.kanban.pan-acoustics.de (which Certbot will ask you to do every time you issue or renew a certificate).
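An added example, not from this thread or from Certbot, showing what the `_acme-challenge` TXT record that Certbot asks for actually contains and why publishing it proves control of the name: the value is derived from the challenge token and a thumbprint of the ACME account key (RFC 8555 §8.1 and §8.4, RFC 7638), so only the account that requested the challenge can produce it. The account key, token and the `dns01_record` / `key_authorization` function names are constructed for this illustration; the host name is the one discussed above.

```python
"""Illustrative DNS-01 challenge arithmetic (added example, not from the thread
or from Certbot). Follows RFC 8555 sections 8.1 and 8.4 and RFC 7638.
The account key, token and helper names are constructed for the example."""
import base64
import hashlib
import json
from typing import Dict, Tuple

# Constructed ACME account key (JWK form). The x/y values are dummy strings,
# not a real curve point; the thumbprint arithmetic does not care.
CONSTRUCTED_ACCOUNT_JWK: Dict[str, str] = {
    "kty": "EC",
    "crv": "P-256",
    "x": "EXAMPLE_X_COORDINATE_BASE64URL_____________",
    "y": "EXAMPLE_Y_COORDINATE_BASE64URL_____________",
    "alg": "ES256",  # optional member: must NOT influence the thumbprint
}
# Constructed challenge token, the kind the ACME server hands out per challenge.
CONSTRUCTED_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (lexicographically sorted keys, no whitespace)."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(hostname: str, token: str,
                 account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return the (record name, TXT value) pair the ACME server will look up.
    RFC 8555 section 8.4: TXT value = base64url(SHA-256(key authorization))."""
    key_authz = key_authorization(token, account_jwk)
    txt_value = b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
    return f"_acme-challenge.{hostname.rstrip('.')}", txt_value


if __name__ == "__main__":
    name, value = dns01_record("kanban.pan-acoustics.de",
                               CONSTRUCTED_TOKEN, CONSTRUCTED_ACCOUNT_JWK)
    print(f"{name}.  IN TXT  \"{value}\"")
```

The record lives at `_acme-challenge.` under the name being validated, so for the thread's host it is `_acme-challenge.kanban.pan-acoustics.de` on the public nameservers, even though `kanban.pan-acoustics.de` itself may have no public A record at all.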


#5

…and use it on your internal server, though

So the client browser will accept the certificate although server host name and domain name are different?
Or is it like the firefox warning “maybe not the site you want to see” but at least with encryption?


#6

No, you’ll need to use the .de address in your browser for this to work. It will have a warning that you can bypass - yes, but encryption is practically worthless for a non-verified connection.

If you want to have a certificate that will work for a .lan address, then your only choice is to create your own private CA and manually trust it on all of your user systems.

In corporate environments it’s not uncommon to have a real domain (e.g. your .de one) that is separated into public/private DNS. kanban would go to the private side, but _acme-challenge would go to the public side. In that case, you can use trusted certificates (like Let’s Encrypt).

Some more info about that: https://en.wikipedia.org/wiki/Split-horizon_DNS
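An added example, not from this thread or from any browser's code, of the name check behind the answer above: a browser compares the host in the address bar against the certificate's Subject Alternative Names (RFC 6125 rules, simplified here to exact match or one `*` covering exactly one left-most label), which is why a certificate for `kanban.pan-acoustics.de` is rejected when the URL says `kanban.pan-acoustics.lan`. The `NON_PUBLIC_TLDS` set is a short illustrative list of reserved or undelegated suffixes, not the Public Suffix List, and the function names are constructed.

```python
"""Added example (not from the thread): certificate name matching as a
browser performs it, plus a rough 'can a public CA issue for this?' check.
Names below are the thread's example names; helper names are constructed."""
from typing import Iterable

# Illustrative only: a few suffixes no public CA will issue for because they
# are reserved or not delegated in the public DNS (.lan is the thread's case).
NON_PUBLIC_TLDS = {"lan", "local", "localhost", "internal"}


def _normalise(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot."""
    return name.strip().lower().rstrip(".")


def hostname_matches(san: str, host: str) -> bool:
    """RFC 6125 style: exact match, or a wildcard that replaces exactly one
    left-most label. A wildcard never covers a bare registered domain."""
    san, host = _normalise(san), _normalise(host)
    if san == host:
        return True
    if san.startswith("*."):
        san_labels = san.split(".")
        host_labels = host.split(".")
        return (len(san_labels) >= 3                 # refuse "*.de"
                and len(san_labels) == len(host_labels)
                and san_labels[1:] == host_labels[1:])
    return False


def certificate_covers(sans: Iterable[str], host: str) -> bool:
    """True if any SAN entry of the certificate matches the requested host."""
    return any(hostname_matches(san, host) for san in sans)


def publicly_issuable(host: str) -> bool:
    """Rough check: a public CA only issues for names whose top-level label is
    a real public suffix. Uses the small illustrative NON_PUBLIC_TLDS set."""
    host = _normalise(host)
    if "." not in host:
        return False
    return host.rsplit(".", 1)[-1] not in NON_PUBLIC_TLDS


if __name__ == "__main__":
    sans = ["kanban.pan-acoustics.de"]          # what Let's Encrypt would issue
    for url_host in ("kanban.pan-acoustics.de", "kanban.pan-acoustics.lan"):
        print(f"{url_host}: covered={certificate_covers(sans, url_host)} "
              f"issuable={publicly_issuable(url_host)}")
```

The practical consequence for the thread is the same as the reply states: keep the `.lan` name and the certificate can neither be issued nor accepted; switch the URL to `kanban.pan-acoustics.de` (resolved internally to the private address) and a normal Let's Encrypt certificate validates cleanly.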


#7

The .de points to our website which is not the IP address of our firewall and servers. Those have no domain name, just an IP address.
So if we want a certificate from Let’s encrypt we need a domain for the IP that points to our server (which is at the moment only accessible through VPN and LAN) and there, the TXT-record?

Split horizon DNS means that we need to have our own DNS server? Well, that’s a bit too much at the moment, especially as I don’t feel like having the necessary knowledge for that.


#8

What you need is to access kanban (in your browser) via a real domain. If you continue to use .lan, then you can’t get a certificate. The reason for that is that nobody owns (or can own) pan-acoustics.lan, because .lan is a fake TLD.

If you changed the domain over which you accessed kanban to http://kanban.pan-acoustics.de, then this problem would be solvable, because you would be able to fulfill the requirement to prove your control of the domain. (And you could do that using split-horizon DNS or not, it’s not necessary/important).

I hope that makes it clearer. If not, hopefully somebody else can hop in and try and explain it.


#9

Indeed that helped a lot, thanks!
