Is it possible to issue a certificate to a domain name that resolves to


I couldn’t find this in the docs, and I only saw questions about the IPs instead of a domain name.

I have a domain for testing (i.e. that resolves in public DNS to I would prefer to use letsencrypt instead of a self-signed certificate because the production domain is using letsencrypt and build tests could check the certs easier.

I tried using the manual plugin, but kept generating an unknownHost error.

Doing some digging between the source, --verbose, and pdb, it looks like the challenge is not being requested by the client, but is being proxied to, which would mean non-public domain names cannot be signed.

Doing a bit more reading, it seems that there is a dns-01 verification challenge being developed that could work… but my only short-term solution would be to issue a cert for the domain on a public IP, then change the DNS.


dns-01 should work in this scenario. http-01 and tls-sni-01 need the domain to be publicly accessible in order for the verification to succeed.

The official client doesn’t support dns-01 yet, but some others do, for example



I found the easiest way was to set DNS for to a public server; run the standard client on that (e.g. http-01 verification), then copy the certs onto the local machine and update DNS.

Using dns-01 with another client would be faster and less work, but this really wasn’t much work.

