Fritz!Box: add as local Only Domain to Certificate additional to

Hello all,

I am using the MyFritz! service, which provides by default an automatically generated Let's Encrypt certificate.
So far, so good.

But when I try to reach my local Fritz!Box web services like "", I still get a certificate error message, in Chrome "ERR_CERT_AUTHORITY_INVALID".
OK, I took a look into the certificate and, as I understood it, the root cause is:
Fritz!Box creates a certificate, that has only the as Subject e.g. "" and not
So I started a standalone Windows Server with IIS, added port 80 bindings "" and "" and enabled port forwarding on the Fritz!Box, so that "" was reachable via the internet.

With win-acme I've tried to create a new certificate on that server and selected the following options:
M: Create certificate (full options)
1: Read site bindings from IIS
=> 1: Default Web Site (2 bindings)
=> 1st:
=> 2nd:
Site identifier(s) or to choose all:
Binding identifiers(s) or menu option:
Please pick the main host, which will be presented as the subject of the certificate:
=> Selected
Continue with this selection? (y*/n) - yes
Suggested friendly name '[IIS] (any site), (any host)', press to accept or type an alternative:
How would you like prove ownership for the domain(s)?:
=> 2: [http-01] Serve verification files from memory
What kind of private key should be used for the certificate?:
=> RSA key
How would you like to store the certificate?: 2
=>2: PEM encoded files (Apache, nginx, etc.)
Path to folder where .pem files are stored: C:\Temp
Password to use for the private key .pem file or for none: **********************
Would you like to store it in another way too?:
=> 5: No (additional) store steps
Which installation step should run first?:
=> 4: No (additional) installation steps

But then I got the following error message:
[] Cached authorization result: valid
[] Authorizing...
[] Authorizing using http-01 validation (SelfHosting)
[] Authorization result: invalid
[] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for - check that a DNS record exists for this domain",
"status": 400
Create certificate failed, retry? (y/n*)

As I understand that result, win-acme can validate address, but not the address.

How can I add as second subject entry to the certificate?
Or maybe I'm totally wrong?

Thanks a lot for feedback.

IIS web server is version 8.0
The OS my web server runs on is Windows Server 2012
win-acme Version is


Hi @tralveller

You are not the owner of the domain. So you can't create a certificate with that domain name.

  • Add a browser exception (or)
  • use only the unique internet address.

Hi @JuergenAuer

Thanks for the fast reply.
Hmm, also not if I create a DNS server locally and change any config so that this request will be redirected to a local resource?

Thanks a lot and kind regards

Please see:

All validations must be publicly accessible from the world wide web. Otherwise anyone could generate a publicly valid certificate for any hostname. You need to be able to prove ownership.


You are not the domain owner.

I have also a - that's not a worldwide unique domain name.


@Osiris @JuergenAuer
Maybe I had missed something, and I found no other clear entry about this.
OK, then that's how it is.

Thanks for the explanations and details.
Maybe these details are helpful for others.
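
As an added illustration (not part of the thread, and not win-acme or Let's Encrypt code), the Python example below pre-checks a list of requested certificate names the way the replies describe: only the public view of DNS counts, so a name that exists only on a local DNS server is rejected before an ACME order is attempted. The host names, addresses and the `public_dns` mapping are constructed sample data standing in for a real lookup against a public resolver.

```python
import ipaddress

# Suffixes reserved for local/special use (RFC 6761, 6762, 8375); names
# under them never exist in the public DNS.
SPECIAL_USE = ("local", "localhost", "test", "invalid", "example", "home.arpa")
# Ranges a validation server on the internet cannot reach.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def check_name(name, public_dns):
    """Return (ok, reason) for one requested certificate name.

    public_dns: name -> A records as seen from the internet (assumed
    stand-in for a real lookup against a public resolver)."""
    host = name.rstrip(".").lower()
    if "." not in host:
        return False, "single-label name"
    if any(host == s or host.endswith("." + s) for s in SPECIAL_USE):
        return False, "special-use suffix"
    addrs = [ipaddress.ip_address(a) for a in public_dns.get(host, [])]
    if not addrs:
        return False, "NXDOMAIN in public DNS"
    if all(any(a in net for net in UNROUTABLE) for a in addrs):
        return False, "public DNS points only at private addresses"
    return True, "publicly resolvable"

def split_names(names, public_dns):
    """Partition names into (orderable list, {rejected name: reason})."""
    ok, bad = [], {}
    for n in names:
        passed, reason = check_name(n, public_dns)
        if passed:
            ok.append(n)
        else:
            bad[n] = reason
    return ok, bad

# Constructed sample data: the local resolver's view vs. the public view.
LOCAL_DNS = {"myhome.example.net": ["192.168.178.1"],
             "router.internal.example.net": ["192.168.178.1"]}
PUBLIC_DNS = {"myhome.example.net": ["203.0.113.10"]}
REQUESTED = ["myhome.example.net", "router.internal.example.net",
             "router.home.arpa"]

if __name__ == "__main__":
    ok, bad = split_names(REQUESTED, PUBLIC_DNS)
    print("can be ordered:", ok)
    for n, why in bad.items():
        print(n, "->", why, "(resolves locally)" if n in LOCAL_DNS else "")
```

A name in `LOCAL_DNS` that is missing from `PUBLIC_DNS` is rejected with the same NXDOMAIN reason the ACME server reported in the error output above.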

