Integrate Letsencrypt for Private Domain

My domain is a private domain with an AKS cluster. I am trying to configure SSL termination with Traefik v2 + cert-manager + Let's Encrypt. However, I keep getting the exception: "Invalid Domain name not public"

Kindly help guide me through the process to integrate Let's Encrypt for private domains!

Thanks in advance.

The clue is in the error, but you cannot use Let's Encrypt for private domains. This is because they need to be able to validate your domain before they issue a certificate.

Instead, run your own private CA (smallstep etc.) and distribute your CA root certificate to all of your machines.

4 Likes

To put this another way, the Let's Encrypt certificate is certifying that the entity that obtained the certificate owns or operates the domain names listed in it. And that certification is offered to the entire world, with Let's Encrypt's reputation, and officially audited policies and practices, behind it. Therefore, if you don't own or operate a domain (from the point of view of the outside world), Let's Encrypt cannot certify that you do, because that certification wouldn't be accurate!

One might then say "but, I don't want to convince the whole world that I operate this domain name! I just want to convince the devices on my own network, so I can use HTTPS within that network". And that's exactly the scenario that leads to...

7 Likes

The way that it was explained to me (and others) was this. With a domain ending in .com, it's possible for Let's Encrypt to go to the official root ICANN nameservers and ask who controls them (a bit more complex, but that's the general point). The answer is applicable to everyone globally.

With a private TLD, there is no official registry of who owns the domain; anyone can use them. If you decide to name your server server.development.internal, for instance, but I also name my server server.development.internal, it wouldn't be right for my servers to accept certificates issued for your servers. What if you were a malicious actor that wanted to intercept traffic from my server? Or maybe I was the bad actor going after your servers?

The name is the same but the network context is different. If you use a CA like smallstep and add the root certificate to all your devices, then ONLY your devices will trust certificates issued by it. My servers won't accept yours even if they are on the same domain.

All that explanation aside, this is the correct solution.

4 Likes

Thanks @webprofusion @ski192man @schoen for clarifying in detail.
I am looking for a solution that I can integrate with the Traefik ingress controller on an AKS private cluster for SSL termination.

1 Like
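As an added example (not from any poster in this thread), this is how the private-CA suggestion above maps onto cert-manager and Traefik v2 on the cluster: a CA-backed ClusterIssuer replaces the ACME/Let's Encrypt issuer, and the resulting TLS Secret is what the IngressRoute terminates with. The CA key pair, hostname and service name are placeholders; the root certificate still has to be distributed to every client that should trust it.

```yaml
# Constructed example. The Secret holds a private CA generated offline (step/openssl);
# base64-encode the PEM files. Placeholder values shown.
apiVersion: v1
kind: Secret
metadata:
  name: internal-ca-key-pair
  namespace: cert-manager   # ClusterIssuer secrets live in cert-manager's namespace
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_PEM_OF_CA_CERT>
  tls.key: <BASE64_PEM_OF_CA_KEY>
---
# Issuer that signs with the private CA instead of contacting Let's Encrypt.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-key-pair
---
# Leaf certificate for the private hostname; cert-manager writes it to a TLS Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-internal-tls
  namespace: default
spec:
  secretName: app-internal-tls
  dnsNames:
    - app.development.internal
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
---
# Traefik v2 IngressRoute terminating TLS with that Secret.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-internal
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.development.internal`)
      services:
        - name: app
          port: 80
  tls:
    secretName: app-internal-tls
```

Clients that do not have the CA's root installed will reject the certificate, which is the intended behaviour described above: only your own devices trust your CA.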
