Is it possible(/allowed) to use pre-existing LetsEncrypt certificates internally?

Preset questions answered below.

Internally I have set up a chat application called Zulip server running on an Ubuntu VM which has no external access.

Currently its default is to have a self-signed certificate, which seems to cause complaints in my browsers even if I trust the certificate on the client machine.

Since LetsEncrypt requires external access for validation (I believe?), that doesn’t seem like an option out of the box, and I’d rather not pay for a certificate for the internal hostname if possible.

Externally we have an AWS Windows server on which we've been using LetsEncrypt (through the very easy to use https://github.com/PKISharp/win-acme) for a while, and it's been working well. We can also add DNS entries if we wish.

I’m able to set up a certificate for zulip.quantics.co.uk using the AWS machine. Could I then use this certificate locally (assuming when in the LAN the hostname zulip.quantics.co.uk will resolve to the local IP)? And is this allowed, or would it break a TOS?

It looks like Nginx uses SSL certificates in the form of .crt and .key, and when I look at the keys I have available from existing LetsEncrypt certificates I see the following.

ca-foo.quantics.co.uk-crt.der
ca-foo.quantics.co.uk-crt.pem
foo.quantics.co.uk.history.json
foo.quantics.co.uk-all.pfx
foo.quantics.co.uk-chain.pem
foo.quantics.co.uk-crt.der
foo.quantics.co.uk-crt.pem
foo.quantics.co.uk-csr.pem
foo.quantics.co.uk-gen-csr.json
foo.quantics.co.uk-gen-key.json
foo.quantics.co.uk-key.pem

And as you can see in the answers below, trying to convert say the .pfx to a .crt asks for a password which I’m not aware of.

Any thoughts?


My domain is: quantics.co.uk

I ran this command: openssl.exe pkcs12 -in foo.quantics.co.uk-all.pfx -clcerts -nokeys -out foo.quantics.co.uk-all.crt

It produced this output: Enter Import Password:

My web server is (include version): IIS (externally) / Nginx (internally)

The operating system my web server runs on is (include version): Windows (externally) / Ubuntu (internally)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

Hi @capavanni

That's possible, no problem.

If you have created a certificate (with http-01 or dns-01 validation), then you can use it: with your external, publicly visible webserver / mail server etc., and / or with your internal server (no other user).
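As an added worked example (not code from the thread, from win-acme, or from Zulip): the PEM files listed in the question are already in the form nginx wants, so the .pfx and its password are not needed at all. The script below takes the `-key.pem`, `-crt.pem` and `-chain.pem` files (names as in the post's listing), checks that the key really belongs to the certificate and that the certificate covers the hostname, builds the leaf-plus-intermediates file nginx expects for `ssl_certificate`, and prints the two nginx directives. It assumes the `-key.pem` is unencrypted (openssl will prompt otherwise), and it assumes win-acme's `-chain.pem` may or may not begin with the leaf itself, so the leaf is de-duplicated by fingerprint. Because it has to run offline, `build_fixture` fabricates a throwaway CA and leaf in place of the real win-acme output; with real files, skip that step and point `prepare` at the directory you copied them into. Nothing here addresses the TOS part of the question.

```shell
#!/bin/sh
# Added example, not from the thread or from win-acme/Zulip: turn win-acme's
# PEM output into the two files nginx needs, after checking they belong together.
set -eu

NAME="${NAME:-foo.quantics.co.uk}"   # hostname taken from the post's file listing

# build_fixture DIR: CONSTRUCTED stand-in for win-acme's output so the script
# runs offline (throwaway CA signing a leaf for $NAME). Not needed with real files.
build_fixture() {
  d="$1"
  printf 'subjectAltName=DNS:%s\n' "$NAME" > "$d/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed test CA" \
    -keyout "$d/ca.key" -out "$d/ca-$NAME-crt.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$NAME" \
    -keyout "$d/$NAME-key.pem" -out "$d/$NAME-csr.pem" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/$NAME-csr.pem" -CA "$d/ca-$NAME-crt.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/san.cnf" \
    -out "$d/$NAME-crt.pem" 2>/dev/null
  # assumption: -chain.pem may start with the leaf; assemble_fullchain tolerates both
  cat "$d/$NAME-crt.pem" "$d/ca-$NAME-crt.pem" > "$d/$NAME-chain.pem"
}

# fp FILE: SHA-256 fingerprint of the first certificate in FILE
fp() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# key_matches_cert KEY CRT: true when both carry the identical public key
key_matches_cert() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  b=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_covers_host CRT HOST: true when HOST is listed in subjectAltName
cert_covers_host() {
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|$)"
}

# assemble_fullchain CRT CHAIN OUT: leaf first, then every cert in CHAIN that is
# not the leaf. nginx's ssl_certificate wants exactly this order in one file.
assemble_fullchain() {
  crt="$1"; chain="$2"; out="$3"
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/c" n ".pem")}' "$chain"
  leaf=$(fp "$crt")
  cp "$crt" "$out"
  for c in "$tmp"/c*.pem; do
    [ "$(fp "$c")" = "$leaf" ] || cat "$c" >> "$out"
  done
  rm -rf "$tmp"
}

# prepare DIR: run the checks, write fullchain.pem, print the nginx directives
prepare() {
  d="$1"
  key_matches_cert "$d/$NAME-key.pem" "$d/$NAME-crt.pem" \
    || { echo "private key does not match $NAME-crt.pem" >&2; return 1; }
  cert_covers_host "$d/$NAME-crt.pem" "$NAME" \
    || { echo "certificate does not cover $NAME" >&2; return 1; }
  assemble_fullchain "$d/$NAME-crt.pem" "$d/$NAME-chain.pem" "$d/fullchain.pem"
  chmod 600 "$d/$NAME-key.pem"   # the key is the only secret in this set
  printf 'ssl_certificate     %s;\nssl_certificate_key %s;\n' \
    "$d/fullchain.pem" "$d/$NAME-key.pem"
}

# Stand-alone demo on the constructed fixture
DEMO_DIR=$(mktemp -d)
build_fixture "$DEMO_DIR"
prepare "$DEMO_DIR"
```

With the real files, the last check worth running before restarting nginx is `openssl verify -untrusted fullchain.pem -CApath /etc/ssl/certs foo.quantics.co.uk-crt.pem` on the Ubuntu box, which confirms the chain reaches a root the system already trusts; for the constructed fixture the equivalent is `-CAfile ca-<name>-crt.pem`. The browser warnings the question describes go away once the LAN hostname resolves to the Zulip box and this certificate is the one nginx serves, because the client validates it exactly as it would for the public server.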
