I'm trying to generate a wildcard Let's Encrypt certificate for an Azure Private DNS zone. This is so some internal sites can have a valid SSL certificate, but cannot be accessed from the public internet.
The domain I was trying to issue a certificate for was internal.not-the-real-domain.com, which is my Azure Private DNS zone.
I ran this command:
certbot certonly --manual --manual-auth-hook .\Invoke-AuthHook.ps1 --manual-cleanup-hook .\Invoke-AuthCleanup.ps1 --noninteractive --agree-tos --email email@example.com -d *.internal.not-the-real-domain.com
Invoke-AuthHook.ps1 script looks like:
Import-Module Az.PrivateDns
# $env:CERTBOT_VALIDATION is the challenge token certbot exports to the hook
New-AzPrivateDnsRecordSet `
    -ZoneName 'internal.not-the-real-domain.com' `
    -ResourceGroupName 'a-resource-group' `
    -RecordType TXT `
    -Ttl 300 `
    -Name '_acme-challenge' `
    -Overwrite `
    -PrivateDnsRecord @(New-AzPrivateDnsRecordConfig -Value $env:CERTBOT_VALIDATION)
Invoke-AuthCleanup.ps1 script looks like:
Import-Module Az.PrivateDns
Remove-AzPrivateDnsRecordSet `
    -ZoneName 'internal.not-the-real-domain.com' `
    -ResourceGroupName 'a-resource-group' `
    -RecordType TXT `
    -Name '_acme-challenge'
It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: internal.not-the-real-domain.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.internal.not-the-real-domain.com - check that a DNS record exists for this domain
Analysing the traffic with Wireshark, I can see that there isn't actually a DNS lookup made from certbot for that record. Does this mean it's actually done from a different server in a Let's Encrypt data center somewhere? If so, is there any guidance on using Let's Encrypt for this kind of scenario, or do I have to use a self-signed certificate instead?
The version of my client is 1.22.0
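As an added example that is not part of the original post: a manual-auth-hook in the same PowerShell style that publishes the DNS-01 TXT record in a public Azure DNS zone and waits until a public resolver returns it before handing control back to certbot. The ACME CA resolves the challenge name through public DNS from its own infrastructure, so a record that only exists in a Private DNS zone produces exactly the NXDOMAIN shown above. It assumes (not in the original) a public zone not-the-real-domain.com in the same resource group and the Az.Dns module.

```powershell
# Added example, not the original poster's script. Assumes a PUBLIC Azure DNS
# zone 'not-the-real-domain.com' in resource group 'a-resource-group' and Az.Dns.
Import-Module Az.Dns

$ZoneName          = 'not-the-real-domain.com'   # public zone (assumption)
$ResourceGroupName = 'a-resource-group'

# certbot exports the identifier being validated; for '*.internal.example.com'
# CERTBOT_DOMAIN is 'internal.example.com', so the record to publish is
# _acme-challenge.internal.example.com, i.e. '_acme-challenge.internal'
# relative to the public zone.
$fqdn = "_acme-challenge.$($env:CERTBOT_DOMAIN)"
if (-not $fqdn.EndsWith(".$ZoneName")) {
    throw "$fqdn is not inside zone $ZoneName"
}
$relativeName = $fqdn.Substring(0, $fqdn.Length - $ZoneName.Length - 1)

# Merge into an existing record set instead of -Overwrite: certbot calls the
# hook once per identifier, and a wildcard and its base name share one record.
$rs = Get-AzDnsRecordSet -Name $relativeName -RecordType TXT -ZoneName $ZoneName `
        -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
if (-not $rs) {
    $rs = New-AzDnsRecordSet -Name $relativeName -RecordType TXT -ZoneName $ZoneName `
            -ResourceGroupName $ResourceGroupName -Ttl 60 -DnsRecords @()
}
Add-AzDnsRecordConfig -RecordSet $rs -Value $env:CERTBOT_VALIDATION | Out-Null
Set-AzDnsRecordSet -RecordSet $rs | Out-Null

# Do not return to certbot until a public resolver answers with the token;
# an NXDOMAIN here is the same failure the CA would report.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $answer = Resolve-DnsName -Name $fqdn -Type TXT -Server 1.1.1.1 -DnsOnly `
                -ErrorAction SilentlyContinue
    $seen = $answer | Where-Object { $_.Strings -contains $env:CERTBOT_VALIDATION }
} until ($seen -or (Get-Date) -gt $deadline)

if (-not $seen) { throw "$fqdn not visible in public DNS after 5 minutes" }
```

The matching cleanup hook should remove only the value in $env:CERTBOT_VALIDATION (Remove-AzDnsRecordConfig followed by Set-AzDnsRecordSet) rather than the whole record set, so a second identifier validated in the same run is not torn down.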