Intranet certificate?

My domain is: An internal LAN intranet machine GIBA.dhcp.mycompany.ltd

I ran this command: sudo certbot --apache

It produced this output:
Which names would you like to activate HTTPS for?
1: gci.example.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): gci.example.com
** Error - Invalid selection **

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 18

I installed this ALL last month or more recently, so pretty much latest version. I’m trying to set up a secure/trusted self-signed server on an intranet. I thus typed in “GIBA.dhcp.mycompany.ltd”, which is the FQDN on my own internal DNS, and expected to get some job, but even typing in the example fails, so somebody is trying to phone home?
But mostly I’m getting confused by the wording and language used by anyone describing how to set up a secure server. I am using this to learn how to set up a server, but the server will never be external; I want to still go through most of the correct steps to learn from. Am I wasting my time? I am wanting to switch my Apache from http to https and allow other machines to be reasonably secure, at least with credentials, if they choose to trust my self-signed cert, which I will place on a thumb drive. I keep seeing steps in people’s blogs telling me to set up a “localhost” CN in a certificate, but localhost is not a trustable CN surely, so I’m rather confused now. A number of links point to your excellent tool, but I’m not clear on the basics still. Making sense?

1 Like

Hi @zaphodikus

Please start with some basics:

If your mycompany.ltd is a worldwide visible, unique domain name, you can create a certificate with the domain name GIBA.dhcp.mycompany.ltd.

But if this is only an internal server without a public IP address, you can’t use HTTP validation.

Instead, you must use DNS validation.

Read

1 Like

I think Certbot’s interface needs you to type “1” rather than “gci.example.com”. It’s just rejecting the input because it expects a number, not because of anything about your hostname itself.

Edit:

Of course, unless you work for IANA, you don’t have access to example.com, and gci.example.com doesn’t currently exist. mycompany.ltd doesn’t seem to be a registered domain, and giba.dhcp.mycompany.ltd does not exist either.

Let’s Encrypt only issues certificates for domains that are registered and that you really control.

Certbot isn’t intended for issuing simple self-signed certificates. It’s an ACME client, designed to interact with CAs using the ACME protocol. It doesn’t necessarily have to be a public, trusted CA like Let’s Encrypt. You could operate your own private CA using software like step. But if you want one command to issue an untrusted, self-signed certificate, without any other infrastructure, that’s not what Certbot is for.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.