Is it possible to issue a certificate to a domain name that resolves to 127.0.0.1?

jvanasco · March 18, 2016, 12:44am

I couldn’t find this in the docs, and I only saw questions about the IPs instead of a domain name.

I have a domain for testing (ie dev.example.com) that resolves in public DNS to 127.0.0.1. I would prefer to use letsencrypt instead of the a self-signed because the production domain is using letsencrypt and build tests could check the certs easier.

I tried using the manual plugin, but kept generating an unknownHost error.

doing some digging between the source, --verbose, and pdb, it looks like the challenge is not being requested by the client, but is being proxied to https://acme-v01.api.letsencrypt.org/acme/challenge, which would mean non-public domain names cannot be signed.

Doing a bit more reading, it seems that there is a dns-01 verification challenge being developed that could work… but my only shortterm solution would be to issue a cert for the domain on a public IP, then change the dns.

pfg · March 18, 2016, 5:02am

dns-01 should work in this scenario. http-01 and tls-sni-01 need the domain to be publicly accessible in order for the verification to succeed.

The official client doesn’t support dns-01 yet, but some others do, for example https://github.com/lukas2511/letsencrypt.sh.

jvanasco · March 31, 2016, 8:45pm

Thanks.

I found the easiest way was to set dns for localhost.example.com to a public server; run the standard client on that (e.g. http-01 verification), then copy the certs onto the local machine and update dns.

Using dns-01 with another client would be faster and less work, but this really wasn’t much work.

system · April 30, 2016, 8:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.