I have a domain that I host on Google Domains. I have it mainly so I can have my own Exchange webmail, which is hosted at GoDaddy. I have a home network on which I have several items running, only one of which has a self-signed cert. Prior to that one app, I never cared if I had an internal cert, but since I have a domain, I would like to create a Let's Encrypt cert to use on that one internal app. Can I do this? The DNS record is set up for Microsoft Exchange and it took me a bit to get it set up correctly. Do I need to adjust the DNS record to point to my home network? Can I just create the Let's Encrypt cert on the machine that I have running the app? Are there any changes that I would need to make to my home network to make this work?
You can create the certificate on any network or machine and install it locally.
You have two options to validate the ACME challenge:
HTTP-01 validation - public DNS must point to your network, and you must have gateway/firewall rules that route external requests to port-80 of the machine requesting the certificate.
DNS-01 validation - public DNS must answer a challenge or delegate to another public DNS server that can answer the challenge. This does not have to touch your network.
There technically is a third option, TLS-ALPN-01, but little software supports it and it's really a variant of HTTP-01.
Most people find DNS-01 the easiest way to handle internal networks. It can be a bit difficult to automate renewals (using acme-dns helps!), but it is the most straightforward, as HTTP-01 requires a lot of firewall rules and you may need to run different internal and external DNS servers.
Some people will obtain a certificate via HTTP-01 on an external webserver, and then copy it onto their home network and change DNS to point to the home network (unless your internal network has its own DNS resolver that will ignore public DNS and just return the LAN addresses).
You'll generally want to use an ACME client that has built-in support or a plugin for your DNS provider. Then the client will handle the DNS record manipulation on your behalf. It's something that will need to be done for each renewal roughly every 60-90 days. While it's possible to create the records manually, most folks find it tedious.
A quick overview however, when using this solution:
On your normal DNS server, you delegate the DNS-01 challenge to an acme-dns server.
The acme-dns server is only responsible for responding to LetsEncrypt challenges, and the credentials are per-domain. This insulates your normal DNS system from any security issues and minimizes the triage needed if your systems are compromised.
The acme-dns server only needs to run while completing LetsEncrypt challenges, so it can be enabled/disabled by pre/post hooks (as can the firewall rules).
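To make the acme-dns delegation described above concrete, here is an added example (not code from the thread or from acme-dns) that computes the DNS-01 TXT value an ACME client must publish (RFC 8555 section 8.4, RFC 7638 thumbprint) and follows the _acme-challenge CNAME to find the owner name that must hold it. The account key, token and CNAME target are constructed placeholders.

```python
# Added example (not code from the thread): what an ACME client has to publish for a
# DNS-01 challenge when _acme-challenge.<name> is CNAME-delegated to an acme-dns zone.
# References: RFC 8555 section 8.4 (DNS-01) and RFC 7638 (JWK thumbprint).
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict, cnames: dict) -> tuple:
    """Follow the _acme-challenge CNAME chain the way the CA's resolver will and
    return (owner name that must hold the TXT record, value it must contain)."""
    name = f"_acme-challenge.{domain}."
    seen = set()
    while name in cnames:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = cnames[name]
    return name, dns01_txt_value(token, account_jwk)


# Constructed sample data: a placeholder EC account key (not a real key) and a
# placeholder acme-dns delegation; the real values come from the ACME client
# and from the acme-dns registration for that domain.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
TOKEN = "constructed-challenge-token"
CNAMES = {
    "_acme-challenge.bitwarden.example.net.": "placeholder-uuid.auth.acme-dns.example.",
}

if __name__ == "__main__":
    owner, value = dns01_record("bitwarden.example.net", TOKEN, ACCOUNT_JWK, CNAMES)
    print(f'{owner} IN TXT "{value}"')
```

The owner name returned is the record inside the acme-dns zone that the client updates at each renewal; the public zone only ever holds the CNAME, which is why a compromise of the acme-dns credentials does not expose the rest of your DNS.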
@rosede so are you basically running a Windows server with MS Exchange at home? For overall ease of use and DNS support, try https://certifytheweb.com (which is the app I develop), or perhaps look at win-acme or Posh-ACME scripts.
Install the app on your Exchange server, create a new managed certificate, add your domains+subdomains you need for your cert (e.g. webmail.yourdomain.com etc).
Under Authorization, choose dns-01 instead of http, select GoDaddy as the DNS Update method, add your credentials to access the GoDaddy API (see the "GoDaddy DNS" page in the Certify The Web docs).
Click "Test" to check the app can write to GoDaddy DNS for you
Click "Request Certificate" to order a new cert. If that completes OK you now have a certificate in your machine certificate store and you can select that in apps etc.
If you want to automate applying the cert to Exchange there is a basic Deployment Task that should help (Tasks > Add Deployment Task > Deploy to MS Exchange).
Depending on your setup there may be an IIS site for webmail (this will get automatically updated based on matching hostnames in the IIS bindings) and probably an IMAP service etc (which the deployment task will update).
I created my domain so I could have a hosted MS Exchange. I wanted the benefits of using Exchange, which is hosted on GoDaddy. However, the DNS is hosted at Google Domains. Google provided more benefits than GoDaddy and was cheaper than GoDaddy when I renewed it.
I have a hosted Bitwarden that currently uses a self-signed cert, but I would like to have a cert that is of my own domain, not just a self-signed cert. I had actually tried to create a mini internal CA just so I could sign a cert and use it internally, but I wasn't very successful. I know Bitwarden can use Let's Encrypt, but I'm just not sure about using it with my domain being hosted on Google and my Bitwarden being internal to my personal network.
No, the home TLD is not a public TLD so cannot be used to get certificates by public CAs such as LE.
Note that the home TLD is not registered as a special-use domain name and I would not recommend using such a TLD in a local/private setting. E.g., there already exists a TLD homes. There is no guarantee there never will be a publicly registered home gTLD in the future. If a home gTLD were to come into existence in the future, your local use of the home TLD would conflict with public domains under the home TLD.
I'm pretty confident that my ISP blocks port 80. I know they block port 25, so I'm pretty certain that they would block port 80 as well. So, that leaves me with DNS-01, however, it talks about needing a DNS provider that has an API to make renewing automatic. I see Google Cloud on the list, but I don't think that is the same as Google Domains, which is where my domain is at.
I have to give this some thought on how to proceed. My guess is it may be more work than what I want to do. I don't HAVE to use a named cert. The self-signed cert works, it's just that I wanted to. I own a domain and I wanted to use that domain and have the cert reflect that domain, but this appears to be more than what I want to deal with at this time.
Thank you to all who responded. You really helped and I learned a great deal.