HTTPS for local network only

I have a server running a couple of web services, such as Portainer. I can access that web server from another machine by using its local IP address, such as typing 192.168.X.X:9000 in a browser.

All these services are meant to be used only locally; no connection will be made from outside the network.

On the same server I run Nginx Proxy Manager, which serves as a reverse proxy and also generates HTTPS using Let's Encrypt.

I tried pointing a domain I own (henryrocha.xyz) to the local IP address of my server and then using NPM (Nginx Proxy Manager) to proxy those connections and create an SSL certificate, but it does not work.

The output for that was:

[10/3/2020] [1:59:29 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/3/2020] [1:59:29 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #2: www.local.henryrocha.xyz
[10/3/2020] [1:59:38 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/3/2020] [1:59:38 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --preferred-challenges "dns,http" --webroot --domains "www.local.henryrocha.xyz" 
Saving debug log to /config/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.local.henryrocha.xyz
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.local.henryrocha.xyz (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.local.henryrocha.xyz

My question then is, is there any way to make these local connections secure or should I just use normal HTTP and give up?

Obs: There is an option to import custom SSL certificates, if needed

2 Likes

Welcome to the Let's Encrypt Community, Henry 🙂

You could use dns-01 challenges that use TXT records created in your publicly reachable DNS zone to prove that you control the domain. The IP address of your server is irrelevant at that point.

2 Likes

If you want to obtain a global cert via HTTP authentication, then you need a globally resolvable FQDN.
www.local.henryrocha.xyz returns nothing via global DNS.

If you can switch to DNS authentication, then the FQDN can be anything that ends with a domain you "control".

3 Likes

I looked around for a bit and found this as a possible solution, much like what you guys described, which was to use DNS auth.

Following that exact solution I managed to get it working. I'll leave here the command I used for acme.sh to generate the certificates, for future reference.

./acme.sh --issue --dns dns_linode_v4 --dnssleep 900 -d 'lan.henryrocha.xyz' -d '*.lan.henryrocha.xyz'

Obs: This command is explained here.

Thank you!

2 Likes
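As an added example (not code from this thread or from acme.sh), the Python below computes the _acme-challenge TXT record a dns-01 validation expects from a challenge token and account key, and checks which hostnames a wildcard name covers, which is why the command above requests both lan.henryrocha.xyz and *.lan.henryrocha.xyz. The JWK and token are constructed sample values, not real ACME data.

```python
"""dns-01 TXT record computation (RFC 8555 §8.4, RFC 7638) and wildcard coverage (RFC 6125 §6.4.3)."""
import base64
import hashlib
import json

# Constructed sample account key (EC P-256 public JWK) and challenge token; not real ACME data.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required members, lexicographically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) the CA looks up for a dns-01 challenge on `identifier`.

    Value = base64url(SHA-256(token "." thumbprint)). A wildcard identifier drops its leading
    "*.", so '*.lan.example' and 'lan.example' are both validated at _acme-challenge.lan.example
    (two TXT records at one name; the CA accepts if any record matches).
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return f"_acme-challenge.{base}", b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def name_covers(san: str, hostname: str) -> bool:
    """A '*.' wildcard matches exactly one label; it never covers the base name or deeper subdomains."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname  # only full-label wildcards are issued publicly; anything else is exact
    san_labels, host_labels = san.split("."), hostname.split(".")
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames not matched by any SAN; non-empty means the certificate request is missing a name."""
    return [h for h in hostnames if not any(name_covers(s, h) for s in sans)]


if __name__ == "__main__":
    for ident in ("lan.henryrocha.xyz", "*.lan.henryrocha.xyz"):
        name, value = dns01_record(ident, SAMPLE_TOKEN, SAMPLE_JWK)
        print(f"{ident}: TXT {name} -> {value}")
    lan_hosts = ["lan.henryrocha.xyz", "portainer.lan.henryrocha.xyz", "a.b.lan.henryrocha.xyz"]
    print("wildcard alone misses:", uncovered(["*.lan.henryrocha.xyz"], lan_hosts))
```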