Letsencrypt in a Virtualbox Virtual machine

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alancameron.net

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:Virtualbox

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): n/a

Is there any way to use Letsencrypt in a virtual machine behind a NAT NIC with no access from the internet from outside the LAN.

1 Like

Seems like you’re already in a secure environment. Would you be opposed to just using a self-signed certificate? If you really want to use a certificate signed by Let’s Encrypt, you could probably use dns-01 challenges that require adding TXT records to the dns zone for alancameron.net (assuming there’s a system that will answer public dns inquiries for the domain). I’m also assuming that this system will have a domain name associated with it. I can already see alancameron.net, so I’m assuming that is not the system for which you intend to get a certificate.

1 Like

Thanks for your reply. I have tried to replicate my domain in a Virtual Machine running in VirtualBox and found it very difficult to understand the requirements. I have the self-signed certificate installed but any attempt to access requires some form of exception to enable the browser/s to see the pages. They all seem to class the website as “insecure”. Drilling down into the reason for the status seems to indicate that there is no CA authority for the self-signed certificate to be trusted.
NB Browser/s means Edge, ChromeEdge, Chrome and FireFox.
As I highlighted in my question external access is prohibited both by the nature of my network setup, cable modem -> router -> unique LAN address with a NIC set to provide NAT facilities. So the DNS part of your response is not applicable. The system will use alancameron.test and that domain will never be registered anywhere other than in my LAN. This is for development purposes to replicate a system which will rely on secure layer interfacing to perform it’s primary function of replacing usename/password processing.
Perhaps I should have put this in a suggested feature request. I envisage a Letsencrypt processsor in a virtual machine which acts like letsencrypt.org but only locally.

Hi @macnala

you can’t create a certificate with such a local name.

A worldwide unique, public visible domain name is required. And every CA (like Letsencrypt) is only allowed to create a certificate if it is possible to check you are the domain owner.

So your setup can’t work.

It’s not the “virtual box”, it’s the private domain name.

Please read

2 Likes

Check one of these projects (do you want Go or python?):

2 Likes

Neither. According to other relies I cannot do it without exposing the domain to the internet. That is a non starter so I will have to find and alternative.

The suggestions from @9peppe allow you to run your own CA inside your network. Your entire network can be air-gapped at that point.

1 Like

I have reread 9peppe’s post again and it was headed with “do you want python or Go”. Neither of which I have any knowledge, so I rejected the proposals.
Do I understand correctly that you need to write your application in Python or Go to use either of them. You will understand me better if you realise I am a newcomer to the world of non MS systems. I am trying to get to grips with Ubuntu and it is hard for someone like me. Every one bombards me with new systems or languages and commands which I have to then try to learn from scratch. My requirements are simple I need a testing environment which replicates what will happen when I finally transfer it to my domain server.
Are there any tutorials on these ways of running a “private” CA to support a local VM as yet unwritten but targeted at PHP.

1 Like

Then your solution is simple: Use a subdomain of your existing domain. But it must be a public checkable domain name, not something like .test.

Your current setup is wrong.

And an own private CA is completeley wrong.

2 Likes

@JuergenAuer

I think you’re suggesting something similar to what I previously suggested:

Given the requirement of:

This would seem to require another machine to respond to the dns queries. Correct me if I’m wrong here.

1 Like

@JuwergenAuer
If by setting up a subdomain you mean changing my existing setup alancameron.net then the problem becomes worse I would then need a sub-domain in my Virtual Machine but to do that you need another sub-sub domain and problem repeats ad-absurdum. NO does not compute!!
Your comment about my current setup being wrong I find strange. Have you got some way of reading my mind. I think NOT.
The comment about an own private CA being completely wrong warrants investigation and i will try contacting the authors of picoca and nanoca for their explanations.

I have given up entirely on my thought about Let’sencrypt as a solution.

That’s wrong. You can use your main domain. A subdomain ( something like develop.yourdomain.com) is only one option. But if you have a completely isolated system, you can use your main domain (and the main productive certificate) with that isolated system.

There are a lot of developers with the same problem. No one uses an own CA to resolve that simple problem.

  • use your main domain with an isolated system (certificate created via dns validation)
  • use a developer subdomain
  • use an additional port on your main system

But you need a public suffix, not *.test. No public CA is allowed to create a certificate with the suffix .test. So your general setup

is never possible.

1 Like