I have a private network with my own dynDNS server and somer server services. My DNS name is excample.local. I have access to all my servers locale or via VPN. I have no open port to the ISP.
Now I will install NextCloud and for this I need HTTPS. How can I generate this? I use a Fritz!Box and his have a DNS name *.myfritz.net. Even if I open ports 80 and 443, my server's DNS name (nextcloud.excample.local) cannot be reached from outside.
Exists a solution for this?
you need public name to get a public certificate: that's industry-wide requirement. you'd have better chance at getting certificate at that ddns subdomain of myfritz.net, but that's question of if your ISP open ports or ddns have api to set txt record
thanks for this hint. but I can't use the subdomain myfritz.net. I'm not the owner of this.
I have a de public domain (excample.de) with a webserver (www.excample.de). At the moment the hoster generates a key only for www.excample.de. Can I also generate a key for the top level domain excampe.de on hand of the DNS entry and than I can use it for my own network. But I must change the DNS name from excample.local to excample.de, that is OK for me.
Will there be problems with the two keys?
I don't see that name registered in the public records. GoDaddy currently offers it for sale and denic says it is not registered: denic.de: WebWhois
No, that’s fine.
AFAICT it was just an example.
Maybe. It seems poster wasn't sure which names could be used for what. Best to be sure.
If they had an actual public domain name there wouldn't be a need for a .local name.
I use the .local name because all are not and should not be accessible from the web. The excample.de and excample.local was only an excample name and not a registered.
They're supposed to be mDNS addresses. You might be thinking of .internal
But, I reiterate:
Thanks for this hint. My DNS configuration is over 10 years old. So I will change it in the next days to .internal.
In the next time I will test it with my own generated certification. When this work for me, than it is OK, when not than I have a problem and must search for a other solution.
Thanks for our help.
Moving off of .local is good, but you still won't be able to get certificates for a .internal domain.
Publicly trusted certificates can only be issued for an icann affiliated domain you have purchased registration on, such as a .com
While .internal might get used a lot, the only actually-reserved-for-internal-use domain zone I know of is .home.arpa (RFC 8375). (I have no idea why the committees-that-be haven't made a similar one for business use.)
I think that there may be a lot of confusion here around what you're actually looking for. For a private name, to be used only on an internal network, you would need to use a private CA with that private root loaded into the trust stores of the systems on that network. For a public name, even if the server itself is only accessible within an internal network, if the public name is publicly accessible with a public DNS server, then you could use a public CA to get a certificate for that name through a DNS- challenge, or if the server is in fact reachable publicly than through the HTTP or ALPN challenge. And by "name", I mean the fully-qualified full name, regardless of whether it might be a subdomain of some other name.
.internal is in the draft process of being reserved. draft-davies-internal-tld-03
This is commonly called "split horizon dns". There are many posts on this forum with those words that may be helpful.
Nice hint. That is what I've search. Now I must read more in the web for his configuration and using, but so I can use a public certificat over my top domain for my private network.
If you don't need the servers to be publicly accessible, you can also just use public DNS and have a dedicated namespace.
For example, I might have my main DNS for dev.example.com set to 127.0.0.1; or nextcloud.local.example.com set to 192.168.0.2 (or whatever my router assigns). I then use the DNS-01 challenge to obtain certs and deploy them to those machines. The DNS-01 challenge is used, so LetsEncrypt never has to access the server, and I don't care about external users.