I have an application server that’s running internally using Apache/Tomcat but is accessed via a “real” domain name (as opposed to a .lan or .local). We’d like to use the HTTPS option and generate a “proper” SSL cert with LE, as currently our only method of getting certificates is from an internal CA, which obviously doesn’t recursively validate out and gives our operators a cert error. Our security guys are not too happy about internally generated certs either.
We’d like to be able to generate certs for an internal server, e.g. https://internalapp.realdomain.com, but don’t want to expose it in external DNS or the web server itself to the outside world, which seems to be a prereq for validating our authority to use that domain. Just to make things harder, that domain also doesn’t send/receive email etc., so we can’t send from something like email@example.com to prove it’s us.
Is there a way to set up an ACME client (PowerShell pref., as the servers are Apache/Tomcat on Windows 2012 R2 and 2016) so we could script something to generate and keep certs updated for our two internal-only apps? Possibly validate ourselves a different way?
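An added example of the scripted approach the post asks about, not code from the original post or from any reply: it uses the Posh-ACME module with the DNS-01 challenge, so the host needs neither a public A record nor inbound HTTP, only a temporary TXT record in the public zone. The DNS plugin name, plugin arguments, contact address, PFX password, Tomcat paths and service name are placeholders.

```powershell
# Added example (not from the original post): issue and renew a Let's Encrypt
# certificate for an internal-only host with the DNS-01 challenge via Posh-ACME.
# Assumptions: Posh-ACME installs from the PowerShell Gallery; the public zone
# realdomain.com is hosted at a provider that has a Posh-ACME DNS plugin
# (plugin name and arguments below are placeholders); Tomcat reads a PKCS#12 keystore.

param(
    [string]$Domain         = 'internalapp.realdomain.com',
    [string]$Contact        = 'ops@example.com',             # placeholder
    [string]$Plugin         = 'YourDnsProviderPlugin',        # placeholder, see Get-PAPlugin
    [hashtable]$PluginArgs  = @{},                            # provider API credentials, placeholder
    [string]$PfxPass        = 'change-me',                    # placeholder
    [string]$TomcatKeystore = 'C:\tomcat\conf\internalapp.pfx',
    [string]$TomcatService  = 'Tomcat9'                       # placeholder
)

if (-not (Get-Module -ListAvailable -Name Posh-ACME)) {
    Install-Module -Name Posh-ACME -Scope CurrentUser -Force
}
Import-Module Posh-ACME

# Test against the staging CA first; switch to LE_PROD once the DNS flow works,
# so failed attempts do not consume production rate limits.
Set-PAServer LE_STAGE

# DNS-01: only a TXT record at _acme-challenge.$Domain is created in the public
# zone and removed again; the internal A record never leaves the LAN.
# Caveat: the hostname itself still appears in public Certificate Transparency logs.
$cert = New-PACertificate -Domain $Domain -AcceptTOS -Contact $Contact `
    -Plugin $Plugin -PluginArgs $PluginArgs -PfxPass $PfxPass

if ($cert) {
    # Install the full-chain PFX where Tomcat's connector expects its keystore.
    Copy-Item -Path $cert.PfxFullChain -Destination $TomcatKeystore -Force
    Restart-Service -Name $TomcatService -ErrorAction SilentlyContinue
}

# For ongoing renewal, run the same script (or just Submit-Renewal, which re-uses
# the stored order and plugin arguments) from a daily scheduled task.
Submit-Renewal -ErrorAction SilentlyContinue
```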