Local Domain certs with Let's Encrypt CA

I have a publicly accessible domain name that can be resolved by DNS on the broad internet (mypublicdomain.com). I am interested in getting certs for many services that are internal to my LAN, for which I have a local domain not accessible outside of my LAN (internal.local is the domain, service.internal.local is an example of a local service).

Obviously I can be my own CA and sign all of my local certs, but I want new devices to be able to show up to my LAN and access those internal services without having to accept any certificates manually (due to the untrusted CA).

I understand that LE needs a domain to be publicly accessible to issue a cert, because you need to prove ownership. However, could I do something like: get an LE cert for mypublicdomain.com via a DNS-01 challenge with a SAN entry of *.internal.local?

All names in the certificate (both Subject and SAN, both FQDN and wildcard) need to be publicly accessible and able to be validated by Let's Encrypt.

Instead, you can get a wildcard cert for *.mypublicdomain.com, and use your internal DNS server to advertise your private local services as service.mypublicdomain.com, instead of service.internal.local.

5 Likes

Well that makes complete sense and is also a bummer, since my external domain is long and a pain to type. My local domain was made to be convenient, easy to remember, and quick to type. So it sounds like I have to make a choice: certs that just work with no intervention or the ease/convenience of my local domain names.

As a separate objective, I was hoping to implement some TLS certs on the networks of some family members, but they don't have internal DNS forwarding services running (rather, just simple unmodified routers from their ISPs). In their case, it doesn't sound like your solution would be an option, right? At least, not without creating a new DNS forwarding service on their network?

As a third option:

  • You could pay for another [much shorter] domain solely for this "internal use" purpose

3 Likes

What do I look like, a millionaire!? Am I sitting over here with my top hat and monocle!?

Jk, that is certainly an option as well. Although, it's hard to beat the brevity of my internal domain and I've already gotten family/guests trained on those URLs. I think I'm going to have to stick with the local domain, unfortunately.

1 Like

You can create a very long-lived and self-signed cert [with any local name(s) of your choosing].
And then simply have all your clients manually trust that single cert [only a onetime thing for them].

2 Likes

Rather than a truly self-signed cert, a better way to go might be to create a CA cert, and use that to issue a cert for your local domain. Then trust the CA cert on the client machines. I suggest that because, in my experience, it's hard to get browsers to not gripe about self-signed certs.

5 Likes
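The private-CA approach from the reply above, as an added example that is not part of any poster's reply: the CA carries a critical nameConstraints extension limited to internal.local, so clients that trust it accept service.internal.local but reject anything the same key signs for other domains. The CA name, file names and temporary work directory are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: a private CA whose trust is limited to internal.local.
# CA name, file names and the mktemp work directory are constructed.

make_ca() {   # $1 = work dir; writes ca.cnf, ca.key, ca.crt
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Home LAN Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical,permitted;DNS:internal.local
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {   # $1 = work dir, $2 = DNS name placed in the SAN
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$2" > "$1/$2.ext"
    openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 397 -sha256 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

client_trusts() {   # succeeds only if chain, name constraints and hostname all pass
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/$2.crt" \
        2>/dev/null | grep -q ': OK$'
}

demo() {   # issue one in-scope and one out-of-scope leaf, then verify both
    d=$(mktemp -d) && make_ca "$d" || return 1
    for name in service.internal.local www.mypublicdomain.com; do
        issue_leaf "$d" "$name" || return 1
        if client_trusts "$d" "$name"; then echo "$name: trusted"
        else echo "$name: rejected"; fi
    done
    rm -rf "$d"
}
demo
```

Only `ca.crt` is distributed to client devices; `ca.key` stays offline, and the name constraint bounds what a stolen CA key could be used for on clients that enforce it.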

It may be a bit more work but well worth the effort [indeed].

1 Like

The obvious next step would be:

...but it might be overkill for this situation.

4 Likes

Definitely overkill.
But a very nice learning opportunity - if one should be into such things.

1 Like

Yep, I use my own CA for self signing, then add that CA to my devices so I can trust additional certs I make. The only problem there is the iPhone on my home network that doesn't let me add trusted CAs. I've got a separate forum thread on Apple's forum about that, but no one seems to know how to help me. I think you used to be able to do it on iPhones, but none of the guides work with the current OS. But I just trust each individual cert on the iPhone.

If anyone here has recent experience getting iPhones to trust CAs I'd love to hear about it!

I'm also skeptical I can get my smart TV to trust my CA. I haven't tried it yet, but we're going to have that adventure at some point when I transition my Plex to SSL with my self-signed cert.

2 Likes

:wink:

2 Likes

I have done that, but it is a lot of effort. I am assuming you're not interested in doing a Mobile Device Management solution for those iPhones; THAT is a pile of work. We were able to deploy an open-source MDM solution (we were under time constraints that prevented procuring a commercial MDM service) but you still need an Apple Developer account to get the necessary certificates to make an MDM work (and you still need a publicly-trusted certificate ON the MDM server).

However, it seems like you CAN still deploy a configuration profile to an iPhone manually even without an MDM. A configuration profile is an XML file with settings in it and some of those settings can be certificates to trust. This Apple support document details the steps to install a configuration profile here: Install a configuration profile on your iPhone or iPad - Apple Support

This is still not for the faint of heart; honestly, it would probably be easier to change all of your names to public ones that you can get certificates for from LE.

5 Likes

I use a slightly different method.

I get specific certificates (e.g. foo.example.com), and complete the challenge via dns-01. Then I use public or local dns to handle the mappings.

If I were to use a wildcard, I suggest using a dedicated namespace like ‘*.services.example.com’ to isolate the local services from the root domain. The reason for that is to ensure a compromised key or service on the local system cannot be used to affect the domains on the public internet.

3 Likes
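To see the isolation described in the reply above, this added example (not part of the original post) builds throwaway self-signed certificates with a wildcard SAN and asks OpenSSL which hostnames each one covers. The hostnames under example.com and the helper names are constructed; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: which hostnames a wildcard SAN actually covers.
# Certificates here are throwaway self-signed ones built only to test matching.

wildcard_cert() {   # $1 = output dir, $2 = wildcard SAN such as *.services.example.com
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ext' '[dn]' 'CN = wildcard scope test' \
        '[ext]' "subjectAltName = DNS:$2" > "$1/wc.cnf"
    openssl req -x509 -config "$1/wc.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/wc.key" -out "$1/wc.crt" 2>/dev/null
}

covered_by() {   # $1 = wildcard SAN, remaining args = hostnames; prints the covered ones
    dir=$(mktemp -d) || return 1
    san=$1; shift
    wildcard_cert "$dir" "$san" || return 1
    for h in "$@"; do
        # -checkhost prints "does match" or "does NOT match" for each name
        if openssl x509 -in "$dir/wc.crt" -noout -checkhost "$h" \
            | grep -q 'does match'; then
            printf '%s\n' "$h"
        fi
    done
    rm -rf "$dir"
}

# Constructed hostnames: the apex, a public site, and one internal service.
hosts="example.com www.example.com plex.services.example.com"
for san in '*.example.com' '*.services.example.com'; do
    echo "$san covers: $(covered_by "$san" $hosts | tr '\n' ' ')"
done
```

A wildcard matches exactly one label, so a key for `*.services.example.com` is useless for `www.example.com`, while a key for `*.example.com` would cover it.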
