How to create certificates for internal websites?

jfha73 · April 4, 2019, 6:17pm

Hello,

I’m following the instructions on the website to create SSL certificates using certbot, but when I try to create the certificate(s) it tells me that it cannot find the NXDOMAIN and it fails, this is supposed to happen because the websites are internal, therefore there is no DNS registry for them, any ideas how I can create a wildcard certificate for my internal websites?

By the way I’m using CentOS 7 with Apache, I currently have the websites using self signed certificates, but I want to stop the browsers from showing the users that the certificate is self signed and saying the website is not secure.

Thanks.

schoen · April 4, 2019, 6:22pm

Hi @jfha73,

Yes, please see

The only available method for validating your control of internal or private sites, which can’t be connected to from the Internet, is the DNS-01 challenge. This requires you to create DNS TXT records in your DNS zone as requested by the certificate authority.

In order to do this automatically, you’ll need a DNS provider API and a compatible Certbot plugin (or consider using acme.sh, which has broader and better-integrated DNS provider API support). (The idea is that you’ll need to be able to make DNS zone changes from software in response to the CA’s challenge.)

schoen · April 4, 2019, 6:22pm

Certbot’s DNS plugins are described at

mnordhoff · April 4, 2019, 6:25pm

Under many circumstances, you can just enable Internet connectivity to your services. People don’t have to be able to log in or whatever, just connect to the web server.

jfha73 · April 4, 2019, 7:06pm

Well I did try to install the certbot-dns-google plugin using pip and yum, it said it was installed, but when I tried it said it wasn’t installed.

jfha73 · April 4, 2019, 7:07pm

SSL is in place not because of Logins, but because of HTTP2.

schoen · April 4, 2019, 7:10pm

How did you install Certbot itself?

jfha73 · April 4, 2019, 7:25pm

I installed certbot using yum.

schoen · April 4, 2019, 7:26pm

@bmw, do you know why a yum-installed Certbot wouldn’t be able to see yum-installed DNS plugins? Could it be a Python 2 vs. Python 3 thing?

jfha73 · April 4, 2019, 7:31pm

This CentOS only has Python 2 installed, 2.7 to be exact, I also tried it on an Ubuntu 18.04 with Python 3 and got the same result.

bmw · April 4, 2019, 7:54pm

We strongly discourage installing Certbot through pip and unfortunately, certbot-dns-google isn't packaged on CentOS 7 or in our Ubuntu PPA. If you want to use this plugin, I recommend you use Docker.

EDIT: An older version Certbot and the Google DNS plugin is packaged in Ubuntu 18.04. Alternatively, you could use those packages and not install anything from the PPA.

jfha73 · April 4, 2019, 8:06pm

it is not, but python-certbot-dns-google on CentOS 7 is and python3-certbot-dns-google is on Ubuntu 18.04

bmw · April 4, 2019, 8:14pm

Ah you're right. Sorry for the misinformation. It didn't show up for me at https://apps.fedoraproject.org/packages/s/certbot-dns-google so I figured it wasn't available in EPEL 7.

Going back to your comment:

What did you install through pip? I strongly recommend uninstalling that and reinstalling any packages you obtained there through yum to see if it fixes your problem.

jfha73 · April 4, 2019, 9:36pm

The thing is that when I installed it via yum and it did not find it I installed it via pip, but all that did was tell me it was already installed.

jfha73 · April 4, 2019, 9:38pm

I forgot to say the dns plugin was the one I installed via pip after certbot told me it was not installed when it was via yum.

bmw · April 4, 2019, 9:46pm

I recommend running yum reinstall certbot certbot-dns-google.

After that, what is the output each of the following commands

command -v certbot
certbot --version
sudo certbot plugins

jfha73 · April 4, 2019, 10:15pm

I actually did a yum remove and also a pip uninstall and re-installed them only via yum, but I’m still getting the same problem, I don’t know if certbot looks for a package called certbot-dns-google instead of python-certbot-dns-google, but it can’t find it.

This is what certbot pluins show me:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

apache

Description: Apache Web Server plugin

Interfaces: IAuthenticator, IInstaller, IPlugin

Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

dns-google

Description: Obtain certificates using a DNS TXT record (if you are using Google

Cloud DNS for DNS).

Interfaces: IAuthenticator, IPlugin

Entry point: dns-google = certbot_dns_google.dns_google:Authenticator

standalone

Description: Spin up a temporary webserver

Interfaces: IAuthenticator, IPlugin

Entry point: standalone = certbot.plugins.standalone:Authenticator

webroot

Description: Place files in webroot directory

Interfaces: IAuthenticator, IPlugin

Entry point: webroot = certbot.plugins.webroot:Authenticator

it is there, but it says it is not installed when I run the command to generate a wildcard certificate.

bmw · April 4, 2019, 10:26pm

What do you mean it says it is not installed when you try to generate the certificate? What command are you running and what is the output?

jfha73 · April 4, 2019, 10:30pm

I think I got it, the example in the documentation says to use -a certbot-dns-google, but the plugin is called dns-google, not certbot-dns-google, that’s why it doesn’t find it.

bmw · April 4, 2019, 10:32pm

Great! Can you link me to the documentation you’re referring to so we can try and get it fixed?