Let's encrypt for internal devices

I have a domain that I host on Google Domains. I have it mainly so I can have my own exchange webmail, which is hosted at Godaddy. I have a home network, which I have several items running, only one of which has a self-signed cert. Prior to that one app, I never cared if I had an internal cert, but since I have a domain, I would like to create a Let's Encrypt cert to use on that one internal app. Can I do this? The dns record is setup for Microsoft Exchange and it took me a bit to get it setup correctly. Do I need to adjust the DNS record to point to my home network? Can I just create the Let's Encrypt cert on the machine that I have running the app? Are there any changes that I would need to make to my home network to make this work?



1 Like

You can create the certificate on any network or machine and install it locally.

You have two options to validate the ACME challenge:

  • HTTP-01 validation - public DNS must point to your network, and you must have gateway/firewall rules that route external requests to port-80 of the machine requesting the certificate.

  • DNS-01 validation - public DNS must answer a challenge or delegate to another public DNS server that can answer the challenge. This does not have to touch your network.

There technically is a third option, TLS-ALPN-01, but few software supports it and it's really a variant of HTTP-01.

Most people find DNS-01 the easiest way to handle internal networks. I can be a bit difficult to automate renewals (using acme-dns helps!), but is the most straightforward as HTTP-01 requires a lot of firewall rules and you may need to run different internal and external DNS servers.

Some people will obtain a certificate via HTTP-01 on an external webserver, and then copy it onto their home network and change DNS to point to the home network (unless your internal network has it's own DNS resolver that will ignore public DNS and just return the LAN addresses).


Also look at these previous topics

  1. LE usage recommendations for data center equipment
  2. SSL certificate for a internal-only domain that's not on the Internet?
  3. Let's Encrypt for Internal-Only Web Management
  4. Trusted Self-Signed Certificates for variable IP addresses - #2 by danb35
  5. All authorizations were not finalized by the CA - #3 by Nummer378
  6. Issuing Certificates to Internal Network - #5 by danb35

DNS-01 appears to be an option for me. Is there documentation on how to setup my dns record and to to accomplish this?



1 Like

Try looking here: Challenge Types - Let's Encrypt


You'll generally want to use an ACME client that has built-in support or a plugin for your DNS provider. Then the client will handle the DNS record manipulation on your behalf. It's something that will need to be done for each renewal roughly every 60-90 days. While it's possible to create the records manually, most folks find it tedious.


IMHO, the best option is to use acme-dns (github) -- which has full documentation on setup and renewals. It's advantages are described here: A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation | Electronic Frontier Foundation

A quick overview however, when using this solution:

  • On your normal DNS server, you delegate the DNS-01 challenge to a acme-dns server.
  • The acme-dns server is only responsible for responding to LetsEncrypt challenges, and the credentials are per-domain. This insulates your normal DNS system from any security issues and minimizes the triage needed if your systems are compromised.
  • The acme-dns server only needs to run while completing LetsEncrypt challenges, so it can be enabled/disabled by pre/post hooks (as can the firewall rules).

And then there is topic on the Let's Encrypt community

1 Like

Also @jsha has pointed out

1 Like

Hi! I have an interest and a question.
Is the domain you @rosede want to host internally handeled by GoDaddy or Google domains? It will make a difference.


@rosede so are you basically running a windows server with MS exchange at home? For overall ease of use and DNS support, try https://certifytheweb.com (which is the app I develop), or perhaps look at win-acme to Posh-ACME scripts.

The basic process (Requesting a Certificate | Certify The Web Docs) in Certify The Web is:

  • install the app on your exchange server, create a new managed certificate, add your domains+subdomains you need for your cert (e.g. webmail.yourdomain.com etc)
  • under Authorization, choose dns-01 instead of http, select GoDaddy as the DNS Update method, add your credentials to access the GoDaddy API. GoDaddy DNS | Certify The Web Docs
  • Click "Test" to check the app can write to GoDaddy DNS for you
  • Click "Request Certificate" to order a new cert. If that completes OK you now have a certificate in your machine certificate store and you can select that in apps etc.

If you want to automate applying the cert to Exchange there is a basic Deployment Task that should help (Tasks > Add Deployment Task > Deploy to MS Exchange).

Depending on your setup there may be an IIS site for webmail (this will get automatically updated based on matching hostnames in the IIS bindings) and probably an IMAP service etc (which the deployment task will update).



I created my domain so I could have a hosted MS exchange. I wanted the benefits of using exchange, which is hosted on Godaddy. However, the dns is hosted at Google Domains. Google provided more benefits than Godaddy and was cheaper than Godaddy when I renewed it.

I have a hosted Bitwarden that I currently use a self-signed cert, but I would like to have a cert that is of my own domain, not just a self-signed cert. I had actually tried to create a mini internal CA just so I could sign a cert and use it internally, but I wasn't very successful. I know Bitwarden can use Let's Encrypt, but I'm just not sure about using it with my domain being hosted on Google and my Bitwarden being internal to my personal network.


1 Like

Can you use a unique (and unused) subdomain name for your internal network system?
If so, then you can obtain a cert for it via several ways:

  • HTTP authentication [if your internal system can be reached via HTTP from the Internet]
  • DNS authentication [if you use an ACME client that can work with your DSP]

I do have an internal domain that I use that ends with a .home. So, you're telling me that I can setup a Let's Encrypt with an internal .home domain?

I was ready over the Bitwarden documentation, and it talks about using certbot. Is that an ACME client? Will that work for my internal home network?


1 Like

No, the home TLD is not a public TLD so cannot be used to get certificates by public CAs such as LE.

Note that the home TLD is not registered as a special-use domain name and I would not recommend using such a TLD in a local/private setting. E.g., there already exists a TLD homes. There is no guarantee there never will be a publicly registered home gTLD in the future. If the home gTLD would come into existance in the future, your local use of the home TLD would conflict with public domains with the home TLD.


That's what I thought, that was why I was thinking of using the domain that I own and that I have hosted at Google domains.

I'm reading this document. Challenge Types

I'm pretty confident that my ISP blocks port 80. I know they block port 25, so I'm pretty certain that they would block port 80 as well. So, that leaves me with DNS-01, however, it talks about needing a DNS provider that has an API to make renewing automatic. I see Google Cloud on the list, but I don't think that is the same as Google Domains, which is where my domain is at.

I have to give this some thought on how to proceed. My guess is it may be more work than what I want to do. I don't HAVE to use a named cert. The self signed cert works, its just that I wanted to. I own a domain and I wanted to use that domain and have the cert reflect that domain, but this appears to be more than what I want to deal with at this time.

Thank you to all who responded. You really helped and I learned a great deal.

Thank you.


1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.