Private domains, NAT, and Let's Encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

NULL - I am posting a procedural question

It produced this output:

NULL - I am posting a procedural question

My web server is (include version):

Mix of apache24-2.4.33 and nginx-1.14.0,2

The operating system my web server runs on is (include version):

Mix of FreeBSD 11.1 and Debian 3.16.51-3+deb8u1

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don't know):


I'm using a control panel to manage my site (no, or provide the name and version of the control panel):


Greetings. I manage the DNS servers for Several subdomains (e.g., are behind a NAT box and are not visible in the public DNS. Currently, internal hosts use an internal CA or self-signed certs.

About 15 months ago, someone else asked if it was possible to use Let's Encrypt in a similar scenario involving private domains:

At that time, the answer was no. My questions:

  1. Is this still the case (i.e., does Let's Encrypt always require an IP address or DNS RR visible on the public Internet?)?

  2. If Let's Encrypt now does support certs for private hosts and/or domains, is there documentation available for this? I did not see anything in the docs or on this forum but I may have missed it. I did find references to a TXT record using the DNS-01 challenge type to prove domain ownership, but I'm unclear if that applies to NAT'd hosts and domains.

Thanks in advance! This seems as though it's a pretty standard problem.


In short, yes. LE can only issue certificates to public domains.

In order for LE to issue a certificate, you'll need:
A PUBLIC DOMAIN (E.G. NOT .LOCAL, and publicly resolvable)
A public IP / a set of publicly reachable DNS servers.

You can still obtain a certificate using DNS-01 (especially a wildcard certificate, by adding records to the root domain).

For internal certificates (.local etc.), it's better to use a self-signed CA.
For domains that have an internal IP (but whose DNS server can be queried from outside the network), you can use DNS-01 validation.

I see that your domain is and they have publicly queryable DNS servers.

Although it may not be ideal to obtain a certificate via HTTP (since you said it's internal and NAT), you can request wildcard certificates by adding TXT records on the root domain.

Thank you


Thanks for the speedy response. To be sure I understand:

For domains that has internal IP (but DNS server can be queried outside the network), you can use DNS-01 validation.

The "DNS can be queried" part of this means internal subdomains or hosts (i.e., or need to be listed in the public DNS, yes?

If so, that rules out LE for internal use. I use split-brain (aka split-namespace) DNS, where the external nameservers don't know about the internal domains. If this is indeed the case, I can stick with the self-signed CA, but thought I'd check.

Thanks again

Can you create public TXT records for and


This depends on how you want to issue the certificates.

If you want to issue the cert on a per-host basis, as in @mnordhoff's example, LE probably can't issue the certificate. (Since those hosts don't show up in queries)

However, what I'm saying is, you can still create a wildcard certificate. (Which covers * and needs you to create records on ( (I think this can be achieved since your DNS server is responding to queries on your root domain)

Thank you

The hosts don't need A or AAAA records, though.

Thank you both for responding. I certainly can create a record to do a wildcard cert for, and that should cover any internal subdomain or host. True?

If so, is this howto guide for certbot still a valid procedure?

Thanks again!

A wildcard covers one level of subdomains, so * would cover but not for example. That’s true whether they’re internal or external. On the other hand you can get a cert with up to 100 names and any or all of those names can be wildcards, so you could get *, *, * etc if that makes sense for the names you want to use. Of course to get * you need to be able to create a public TXT record for

Thanks for this. Regarding this bit:

I'm unclear if the "something" in your second example is a) a hostname, or b) a sub-subdomain, or c) either a hostname or a domain.

Put another way: For a host with an FQDN of "" and a wildcard cert for *, is it right that the cert wouldn't cover that host?

I think the correct answer here is that the public TXT record would need to include *, *, *, as you say -- but just checking...

Thanks again.

That's correct, the cert would not cover that.
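
The two rules worked out in this thread (a wildcard covers exactly one label, and each wildcard needs its own public TXT record) can be checked with a short script. This is an added example, not part of the original posts: the example.com host names are constructed placeholders, and the `_acme-challenge` record prefix comes from the ACME specification (RFC 8555), not from the thread.

```python
# Added illustration; example.com names below are constructed placeholders.

def wildcard_covers(pattern: str, fqdn: str) -> bool:
    """True if certificate name `pattern` matches `fqdn`.

    A leading "*." stands for exactly one DNS label, so it never matches
    the base domain itself or a name two or more levels below it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def challenge_record(cert_name: str) -> str:
    """Public TXT record name that DNS-01 validation queries for `cert_name`.

    For a wildcard the "*." is dropped, so *.int.example.com is validated
    at _acme-challenge.int.example.com.
    """
    name = cert_name.lower().rstrip(".")
    base = name[2:] if name.startswith("*.") else name
    return "_acme-challenge." + base


def plan_wildcards(internal_hosts):
    """Map each needed wildcard name to its public TXT record name.

    One wildcard is planned per distinct parent domain of the hosts.
    """
    plan = {}
    for host in internal_hosts:
        parent = host.lower().rstrip(".").split(".", 1)[1]
        wildcard = "*." + parent
        plan[wildcard] = challenge_record(wildcard)
    return plan


# Constructed sample: hosts at two different depths under example.com.
HOSTS = ["wiki.int.example.com", "git.int.example.com",
         "db1.lab.int.example.com"]

if __name__ == "__main__":
    for wildcard, txt in plan_wildcards(HOSTS).items():
        covered = [h for h in HOSTS if wildcard_covers(wildcard, h)]
        print(f"{wildcard}: TXT at {txt}, covers {covered}")
```

Only the TXT record names in the plan have to exist in the public zone; the internal hosts themselves can stay in the internal view of a split-namespace DNS setup.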
