Intranet certificate?

zaphodikus · December 16, 2019, 2:50pm

My domain is: An internal LAN intranet machine GIBA.dhcp.mycompany.ltd

I ran this command: sudo certbot --apache

It produced this output:
Which names would you like to activate HTTPS for?

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): gci.example.com
** Error - Invalid selection **

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 18

I installed this ALL last month or more recently, so pretty much latest version. I’m trying to set up a secure/trusted self-signed server on an intranet. I thus typed in “GIBA.dhcp.mycompany.ltd”, which is the FQDN on my own internal DNS, and expected to get some job, but even typing in the example fails, so somebody is trying to phone home?
But mostly I’m getting confused by the wording and language used by anyone describing how to set up a secure server. I am using this to learn how to set up a server, but the server will never be external, I want to still go through most of the correct steps to learn from. Am I wasting my time. I am wanting to switch my apache from http to https and allow other machines to be reasonably secure at least with credentials if they choose to trust my self-signed cert, which I will place on a thumbdrive. I keep seeing steps in people’s blogs telling me to set up a “localhost” CN in a certificate, but localhost is not a trustable CN surely, so rather confused now. A number of links point to your excellent tool, but I’m not clear on the basics still. Making sense?

JuergenAuer · December 16, 2019, 3:31pm

Hi @zaphodikus

please start with some basics:

If your mycompany.ltd is a worldwide visible, unique domain name, you can create a certificate with the domain name GIBA.dhcp.mycompany.ltd.

But if this is only an internal server without a public ip address, you can't use http validation.

Instead, you must use dns validation.

Read

mnordhoff · December 18, 2019, 5:17am

I think Certbot's interface needs you to type "1" rather than "gci.example.com". It's just rejecting the input because it expects a number, not because of anything about your hostname itself.

Edit:

Of course, unless you work for IANA, you don't have access to example.com, and gci.example.com doesn't currently exist. mycompany.ltd doesn't seem to be a registered domain, and giba.dhcp.mycompany.ltd does not exist either.

Let's Encrypt only issues certificates for domains that are registered and that you really control.

Certbot isn't intended for issuing simple self-signed certificates. It's an ACME client, designed to interact with CAs using the ACME protocol. It doesn't necessarily have to be a public, trusted CA like Let's Encrypt. You could operate your own private CA using software like step. But if you want one command to issue an untrusted, self-signed certificate, without any other infrastructure, that's not what Certbot is for.

Topic		Replies	Views
Intranet certificate request Help	17	2454	January 21, 2021
Wondering about intranet server certs Help	8	6459	February 4, 2023
Failed to create Cert for intranet Server Server	8	1158	November 25, 2018
Certificate for a server which is not https Help	10	1121	March 26, 2022
Use let´s encrypt for intranet domain Help	10	18497	March 14, 2019

Intranet certificate?

Related topics