HTTPS for local network only

HenryRocha · October 3, 2020, 10:15pm

I have a server running a couple of web services, such as Portainer. I can access that web server from another machine by using it's local IP address, such as typing 192.168.X.X:9000 in a browser.

All these services are meant to be used only locally, no connection will me made from outside the network.

On the same server I run Nginx Proxy Manager, which serves as a reverse proxy and also generates HTTPS using Let's Encrypt.

I tried pointing a domain I own (henryrocha.xyz) to the local IP address of my server and them using NPM (Nginx Proxy Manager) to proxy those connections and create a SSL certificate but it does not work.

The output for that was:

[10/3/2020] [1:59:29 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/3/2020] [1:59:29 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #2: www.local.henryrocha.xyz
[10/3/2020] [1:59:38 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/3/2020] [1:59:38 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --preferred-challenges "dns,http" --webroot --domains "www.local.henryrocha.xyz" 
Saving debug log to /config/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.local.henryrocha.xyz
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.local.henryrocha.xyz (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.local.henryrocha.xyz

My question then is, is there any way to make these local connections secure or should I just use normal HTTP and give up?

Obs: There is an option to import custom SSL certificates, if needed

griffin · October 3, 2020, 10:48pm

Welcome to the Let's Encrypt Community, Henry

You could use dns-01 challenges that use TXT records created in your publicly reachable DNS zone to prove that you control the domain. The IP address of your server is irrelevant at that point.

rg305 · October 4, 2020, 12:12am

If you want to obtain a global cert via HTTP authentication, then you need a globally resolvable FQDN.
www.local.henryrocha.xyz returns nothing via global DNS.

If you can switch to DNS authentication, then the FQDN can be anything that ends with a domain you "control".

HenryRocha · October 4, 2020, 7:14am

I looked around for a bit and found this as a possible solution, much like what you guys described, which was to use DNS auth.

Following that exact solution I managed to get it working. I'll leave here the command I used for acme acme.sh to generate the certificates for future reference.

./acme.sh --issue --dns dns_linode_v4 --dnssleep 900 -d 'lan.henryrocha.xyz' -d '*.lan.henryrocha.xyz'

Obs: This command is explained here.

Thank you!

system · November 3, 2020, 7:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.