Failed to create Cert for intranet Server


#1

Hello there,

I'm working on an intranet DokuWiki that shall not be accessible from the internet.
It's running on Apache2 on Debian 9 Stretch, with python-certbot-apache to create the cert.
When trying to get a cert I get the report "DNS problem: NXDOMAIN looking up A for wiki.domain.de".

We have a public domain domain.de, and wiki.domain.de has an intranet DNS entry to resolve it in our network.

I have read now that it is still possible to get a cert for this server with something called the http-01 challenge, but I do not understand how to set it up.

If someone has gone through this and can explain it or provide me with a link to a guide to get this running, I would be very happy.

Best Regards

Sven


#2

The authentication for the http-01 challenge would come from the Internet.
If your server is not accessible from the Internet, then that method would not be possible [directly from that system].

You are left with choosing between using another system that is accessible from the Internet to obtain the cert on behalf of the wiki server, or using DNS authentication.
Note: DNS auth requires that your Internet DNS provider has a supported method for updates [or you will have to do the DNS entries manually - not recommended].

If the system is NOT accessed from outside your internal network, why does it need a cert that is trusted on the Internet? You could more easily use a cert from any internal trusted CA [and it could have a much longer lifetime].


#3

Hi there,

Well, then we have to look into getting our existing wildcard onto the system.
We are planning to switch completely to Let's Encrypt in the future, and this wiki was supposed to be the first to get it tested and started.

A self-trusted CA isn't what we had in mind for it.
So we will look into getting our existing wildcard CA onto the wiki for now and change it to a Let's Encrypt wildcard later.

Thank you for your explanation.


#4

No problem.
Be sure you account for the fact that LE certs only last 90 days.
You will be faced with the same synchronization problem whether the cert is wildcard or not.


#5

Yup, I'll keep that in mind. I'm already using it privately too. :slight_smile:


#6

Not a link to a guide, but if your domain name server has an API so you can automate adding and removing TXT records, you can issue certificates for internal-only IP addresses, as long as the hostname of that host (i.e., the DNS server) is accessible from the world wide web.


#7

You mean that for getting a cert I let my DNS make an A record for the specific time to get the cert and revoke this entry later? Or did I get it wrong?


#8

A TXT record, not an A record.

certbot has a few plugins for automated DNS challenge validation, but depending on your system distribution it is easy or not so easy to install them.
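As an added illustration of the point made in posts #2 and #8 (this is example code, not from the thread or from certbot): the material an ACME client publishes for the http-01 and dns-01 challenges, per RFC 8555 sections 8.1, 8.3 and 8.4, plus a stand-in for the CA-side check of a TXT record. It shows why dns-01 works for a host that only resolves on the intranet: the CA reads `_acme-challenge.<name>` from public DNS and never contacts the host itself, whereas http-01 is fetched from the host over the public Internet. The hostname wiki.domain.de is taken from the thread; the account JWK, the challenge token and the in-memory "zone" standing in for a DNS provider's API are constructed for the example and are not real keys or records.

```python
"""
Challenge material for ACME http-01 and dns-01 (RFC 8555 8.1, 8.3, 8.4),
and a small stand-in for the CA's dns-01 check. Example code only;
the JWK, token and zone below are constructed, not real.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the required
    public members only, keys sorted, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' thumbprint (RFC 8555 8.1): ties the challenge to the account key."""
    return f"{token}.{thumbprint}"


def http01_response(token: str, thumbprint: str) -> tuple[str, str]:
    """(path, body) that http-01 serves. The CA fetches it over port 80 from
    the public Internet, so the name must resolve publicly and the host must
    be reachable; an intranet-only name yields NXDOMAIN at the CA's resolver."""
    return ("/.well-known/acme-challenge/" + token, key_authorization(token, thumbprint))


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple[str, str]:
    """(name, value) of the TXT record (not an A record) for dns-01:
    _acme-challenge.<name> holding base64url(SHA-256(key authorization)).
    For a wildcard the leading '*.' is stripped, so the record sits at the base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return ("_acme-challenge." + base, b64url(digest))


def dns01_validates(txt_records: dict[str, list[str]], identifier: str,
                    token: str, thumbprint: str) -> bool:
    """Stand-in for the CA-side check: it consults DNS only, never the host,
    so the host may sit on an RFC 1918 address with no public A record at all."""
    name, expected = dns01_record(identifier, token, thumbprint)
    return expected in txt_records.get(name, [])


# Constructed account key (not a real key) and a constructed challenge token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "example-modulus-not-a-real-key",
               "alg": "RS256", "use": "sig"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def publish_and_check() -> bool:
    """Simulates the auth-hook / validate / cleanup-hook flow against a
    constructed in-memory zone standing in for a DNS provider's API."""
    thumb = jwk_thumbprint(ACCOUNT_JWK)
    name, value = dns01_record("wiki.domain.de", TOKEN, thumb)
    zone: dict[str, list[str]] = {}
    zone.setdefault(name, []).append(value)          # auth hook: add TXT
    ok = dns01_validates(zone, "wiki.domain.de", TOKEN, thumb)
    zone[name].remove(value)                         # cleanup hook: remove TXT
    return ok


if __name__ == "__main__":
    thumb = jwk_thumbprint(ACCOUNT_JWK)
    print("http-01:", http01_response(TOKEN, thumb))
    print("dns-01: ", dns01_record("wiki.domain.de", TOKEN, thumb))
    print("dns-01 wildcard:", dns01_record("*.domain.de", TOKEN, thumb))
    print("validated:", publish_and_check())
```

With a real client such as certbot, the two hook steps above are what a DNS plugin (or a pair of `--manual-auth-hook` / `--manual-cleanup-hook` scripts) performs against the provider's API; the computation of the record value is done by the client, and only the TXT publish/remove step is provider-specific.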