Obtain a certificate for a website which is accessible only by intranet


#1

Hello,

I would like to obtain a certificate for a website which is accessible only via the intranet. In this post (message 52) SChoen recommended that I use either the client “Neilpang / acme.sh” or “Srvrco / getssl”. I started by reading the “Neilpang / acme.sh” documentation; according to it, I can use the “Automatic DNS API integration” method to obtain a certificate if my DNS provider supports API access. My question is:
Does “DNS provider” mean our Internet service provider? If so, our Internet service provider is the “Algerian Academic Research Network” (also known as ‘RNA’),
and this one doesn’t appear in the proposed list, so I conclude that I must use “the DNS manual mode”. Am I right?

Thanks in advance for your help


#2

Your DNS provider is whoever runs the nameservers for the domains for which you want a certificate.

This usually appears near the bottom of a whois query for a domain, or you can do a lookup for the domain’s NS records:

$ dig +noall +answer google.com ns
google.com.             83207   IN      NS      ns4.google.com.
google.com.             83207   IN      NS      ns3.google.com.
google.com.             83207   IN      NS      ns2.google.com.
google.com.             83207   IN      NS      ns1.google.com.

In this case, Google hosts its own nameservers and is therefore its own DNS provider.

Whereas letsencrypt.org's DNS provider is Akamai:

$ dig +noall +answer letsencrypt.org ns
letsencrypt.org.        600     IN      NS      a1-16.akam.net.
letsencrypt.org.        600     IN      NS      a9-67.akam.net.
letsencrypt.org.        600     IN      NS      a11-67.akam.net.
letsencrypt.org.        600     IN      NS      a14-64.akam.net.
letsencrypt.org.        600     IN      NS      a18-65.akam.net.
letsencrypt.org.        600     IN      NS      a20-66.akam.net.
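
The two `dig` queries above are done by hand for a zone apex. For a hostname that is not itself a zone (post #3's `logitheque.univ-bejaia.dz`, for instance, has no NS records of its own), you have to walk up to the parent before the NS query answers. The script below does that walk and then guesses, from the nameserver hostnames, which acme.sh `dnsapi` plugin would drive them. It is an added example, not code from the thread or from acme.sh; the nameserver-pattern-to-plugin table is an assumption drawn from a few well-known providers and is deliberately short, and it needs `dig` and network access when run for real.

```sh
#!/bin/sh
# Find which DNS zone holds a hostname, list that zone's nameservers, and
# guess whether acme.sh has a DNS API plugin for them. Added example; needs
# `dig` (bind-utils / dnsutils) and network access when run for real.

# Walk up the name one label at a time until a name answers an NS query.
# The first name that does is the zone apex (for logitheque.univ-bejaia.dz
# that is univ-bejaia.dz, since the host itself is not a separate zone).
zone_of() {
    name="$1"
    while [ -n "$name" ]; do
        if [ -n "$(dig +short "$name" NS 2>/dev/null)" ]; then
            printf '%s\n' "$name"
            return 0
        fi
        case "$name" in
            *.*) name="${name#*.}" ;;   # drop the leftmost label
            *)   break ;;               # reached a single label, give up
        esac
    done
    return 1
}

# Nameservers of a zone, one per line, without the trailing dot, sorted.
nameservers_of() {
    dig +short "$1" NS 2>/dev/null | sed 's/\.$//' | sort
}

# Map a nameserver hostname to the acme.sh dnsapi plugin that drives that
# provider. Only a few well-known hosting patterns are listed (an assumed
# table, not acme.sh's own); "unknown" means you have to ask whoever runs
# the server, which is the situation post #4 describes.
provider_hint() {
    case "$1" in
        *.ns.cloudflare.com)  echo dns_cf ;;
        *.awsdns-*)           echo dns_aws ;;
        *.domaincontrol.com)  echo dns_gd ;;
        *.digitalocean.com)   echo dns_dgon ;;
        *.googledomains.com)  echo dns_gcloud ;;
        *.linode.com)         echo dns_linode_v4 ;;
        *.dnsimple.com)       echo dns_dnsimple ;;
        *.he.net)             echo dns_he ;;
        *)                    echo unknown ;;
    esac
}

# Print zone, nameservers and plugin hint for a hostname.
report() {
    zone=$(zone_of "$1") || { echo "no zone found for $1" >&2; return 1; }
    echo "zone: $zone"
    nameservers_of "$zone" | while read -r ns; do
        echo "  $ns -> $(provider_hint "$ns")"
    done
}

# Usage: sh nscheck.sh logitheque.univ-bejaia.dz
if [ $# -gt 0 ]; then
    report "$1"
fi
```

For a university zone served by its own `ns1`/`ns2`, every nameserver will come back as `unknown`, which is the expected result: it tells you the next step is a conversation with the zone's operator, not a plugin flag.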

#3

Thank you for your reply.
We have on the same server two websites, “elearning.univ-bejaia.dz” and “logitheque.univ-bejaia.dz”. I want to get a certificate for the second one, “logitheque.univ-bejaia.dz”, because the first one already has a certificate and is accessible via the internet. Here is the result when I ran the command “dig +noall +answer mydomainname ns”:

And here is the result when I ran the command “dig mydomainname ANY +noall +answer” :


x.x.x.x is the server local IP address


#4

Your nameservers are ns1.univ-bejaia.dz and ns2.univ-bejaia.dz.

Unless these nameservers support updates via RFC 2136 or via the PowerDNS API (if they are PowerDNS nameservers), it is unlikely that you would be able to set up automatic validation with them, and you’d be stuck with the manual plugin.

You would need to find out from whoever runs those nameservers.
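
RFC 2136 dynamic update is the option most likely to be available on a self-run BIND or PowerDNS server, so it is worth seeing what the DNS manager would actually be enabling. The script below adds the `_acme-challenge` TXT record with `nsupdate` and a TSIG key, polls the authoritative server until the value is visible, and removes it afterwards; this is what acme.sh's `dns_nsupdate` plugin does (it reads the same `NSUPDATE_SERVER` / `NSUPDATE_KEY` variables), written out so the exact update message is visible. It is an added example, not code from the thread or from acme.sh. The zone name, primary server, key path and the assumption that the key's `update-policy` is restricted to TXT records under `_acme-challenge` are illustrative.

```sh
#!/bin/sh
# Add, verify and remove the DNS-01 challenge TXT record over RFC 2136
# dynamic update, using nsupdate (BIND) with a TSIG key. This is what
# acme.sh's dns_nsupdate plugin does internally; writing it out shows the
# exact update the nameserver must be configured to accept.
# Assumptions (illustrative, not from the thread): the zone is
# univ-bejaia.dz, its primary is ns1.univ-bejaia.dz, and the DNS manager
# issued a TSIG key in /etc/acme/tsig.key whose update-policy only allows
# TXT changes to names under _acme-challenge.

NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.univ-bejaia.dz}"
NSUPDATE_KEY="${NSUPDATE_KEY:-/etc/acme/tsig.key}"
ZONE="${ZONE:-univ-bejaia.dz}"
TTL=60   # short TTL so a stale value does not outlive the validation

# Emit the nsupdate script. $1 = add|del, $2 = hostname, $3 = token (add only).
update_script() {
    name="_acme-challenge.$2."
    printf 'server %s\n' "$NSUPDATE_SERVER"
    printf 'zone %s\n' "$ZONE"
    case "$1" in
        add) printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$3" ;;
        del) printf 'update delete %s IN TXT\n' "$name" ;;
        *)   echo "update_script: expected add|del" >&2; return 1 ;;
    esac
    printf 'send\n'
}

dns_add() { update_script add "$1" "$2" | nsupdate -k "$NSUPDATE_KEY"; }
dns_rm()  { update_script del "$1"      | nsupdate -k "$NSUPDATE_KEY"; }

# Ask the authoritative server directly whether the TXT value is there yet.
dns_check() {
    dig +short "@$NSUPDATE_SERVER" "_acme-challenge.$1" TXT 2>/dev/null \
        | grep -qx "\"$2\""
}

# Poll for up to $3 seconds (default 30) before letting the CA validate.
wait_for_txt() {
    i=0
    while [ "$i" -lt "${3:-30}" ]; do
        dns_check "$1" "$2" && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Usage: sh rfc2136-txt.sh logitheque.univ-bejaia.dz <token>
if [ $# -ge 2 ]; then
    dns_add "$1" "$2" && wait_for_txt "$1" "$2" \
        && echo "TXT visible on $NSUPDATE_SERVER; trigger validation now"
    # after validation: dns_rm "$1"
fi
```

The point to raise with the DNS manager is the scope of the key: a TSIG key that may rewrite anything in `univ-bejaia.dz` is a much bigger grant than one limited to TXT records named `_acme-challenge.*`, and BIND's `update-policy` can express the narrow form.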


#5

How can I find out from whoever runs those nameservers?

Suppose they are PowerDNS nameservers; how can I obtain a certificate with automatic DNS API integration? It’s not explained in the documentation.


#6

Maybe it is the information technology department of the Université de Béjaïa?

For acme.sh you can see the section at


#7

We have an internal DNS server at the university. After creating a virtual host for the domain “logitheque.univ-bejaia.dz”, the DNS manager added this domain to the internal DNS. So if I have understood correctly, I have to ask the DNS manager whether API access is supported (an API supported by the acme.sh script); if yes, the DNS manager will have to make the necessary configuration to allow automatic addition of the records in the DNS. If not, with the manual method, the records must be added manually after each renewal of the certificate.
Am I right?


#8

Yes, that’s a good understanding.

You also have the advanced option of delegating the _acme-challenge records of your subdomains to a public DNS provider like Cloudflare (or anybody else who has an API), using CNAME or NS records. This would enable you to automate acme.sh.
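
The delegation described in the post above needs exactly one record from the university's DNS manager, after which every renewal touches only the public provider. The script below builds that record, verifies with `dig` that the CNAME is in place and points where acme.sh will write the TXT record, and shows the matching `acme.sh --issue ... --challenge-alias` call. It is an added example, not code from the thread or from acme.sh. The validation-only zone `acme.example.net`, the choice of Cloudflare (`dns_cf`, which reads `CF_Token` and `CF_Account_ID`) as its host, and the convention of one alias name per host inside that zone are all assumptions.

```sh
#!/bin/sh
# Pre-flight for delegating _acme-challenge via CNAME, then the acme.sh
# call that uses it. Added example; assumptions (not from the thread):
# the validation-only zone acme.example.net is hosted at a provider acme.sh
# can drive (Cloudflare via dns_cf here), and each internal host gets its
# own alias name <first label>.acme.example.net inside that zone.

ALIAS_ZONE="${ALIAS_ZONE:-acme.example.net}"

# Name the CA looks up for DNS-01.
challenge_name() { printf '_acme-challenge.%s\n' "$1"; }

# Alias domain handed to acme.sh --challenge-alias. acme.sh writes the TXT
# record at _acme-challenge.<alias>, so that is where the CNAME must point.
alias_name()   { printf '%s.%s\n' "${1%%.*}" "$ALIAS_ZONE"; }
cname_target() { printf '_acme-challenge.%s\n' "$(alias_name "$1")"; }

# The single record the university's DNS manager has to add, zone-file style.
delegation_record() {
    printf '%s. IN CNAME %s.\n' "$(challenge_name "$1")" "$(cname_target "$1")"
}

# True when the CNAME exists and points at the alias acme.sh will use.
check_delegation() {
    got=$(dig +short "$(challenge_name "$1")" CNAME 2>/dev/null | sed 's/\.$//')
    [ -n "$got" ] && [ "$got" = "$(cname_target "$1")" ]
}

main() {
    if check_delegation "$1"; then
        echo "delegation OK: $(challenge_name "$1") -> $(cname_target "$1")"
        # Credentials for the alias zone's provider, read by the dns_cf plugin:
        #   export CF_Token=...; export CF_Account_ID=...
        # acme.sh --issue -d "$1" --dns dns_cf --challenge-alias "$(alias_name "$1")"
    else
        echo "delegation missing; ask the DNS manager to add:"
        delegation_record "$1"
    fi
}

# Usage: sh delegation-check.sh logitheque.univ-bejaia.dz
if [ $# -gt 0 ]; then
    main "$1"
fi
```

The security trade-off is worth stating to the DNS manager: the API credential for `acme.example.net` can only ever create TXT records inside that throwaway zone, so a leak of it cannot alter `univ-bejaia.dz` itself, whereas an update key or API token for the university zone could.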


#9

Ok, thank you for this information, it’s clearer to me now.

