Public domain name with private IP address ... should it work?


Early in my Let’s Encrypt journey I added a domain with a private IP address to a cert that had several other domains.
So one certificate covers these domains: (public IP address) (public IP address) (public IP address) (private IP address: 172.31.X.Y)

This has been working to provide https access for an internal component.
But I have become aware that this is non-standard, and possibly, impossible.
Is it supposed to work? How alarmed should I be about this usage?

(I checked some other topics and didn’t find this specific scenario)

Names in a cert that resolve to private IP addresses only matter if you’re trying to use a challenge type that requires the Let’s Encrypt server to actually reach that hostname (http-01 or any of the tls-* ones). But if you use dns-01, the IP that names resolve to is irrelevant as long as the Let’s Encrypt servers can reach your authoritative DNS servers.

The final cert knows nothing about the IP addresses a name resolves to. You can freely change the IPs that the names resolve to even after you’re using the cert.


Yeah if you have a mix of internal and external hosts your best bet is to get a wildcard certificate via the dns-01 challenge/response.

Ok, that makes sense. Thank you very much for your reply!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.