Early in my Let’s Encrypt journey I added a domain with a private IP address to a cert that had several other domains.
So one certificate covers these domains:
- host1.example.com (public IP address)
- host2.example.com (public IP address)
- host3.example.com (public IP address)
- host4.example.com (private IP address: 172.31.X.Y)
This has been working to provide https access for an internal component.
But I have become aware that this is non-standard, and possibly, impossible.
Is it supposed to work? How alarmed should I be about this usage?
(I checked some other topics and didn’t find this specific scenario)
Thanks!
Names in a cert that resolve to private IP addresses only matter if you’re trying to use a challenge type that requires the Let’s Encrypt server to actually reach that hostname (http-01 or any of the tls-* ones). But if you use dns-01, the IP that names resolve to is irrelevant as long as the Let’s Encrypt servers can reach your authoritative DNS servers.
The final cert knows nothing about the IP addresses a name resolves to. You can freely change the IPs that the names resolve to even after you’re using the cert.
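As an added illustration of the answer above (this is example code, not something from the original thread or from Let's Encrypt): the script below takes the four names from the question, with constructed A records, and decides per name which challenge type can validate it. Names whose addresses are not globally routable are moved to dns-01, and dns-01 is only offered if the authoritative name servers themselves are reachable. All addresses are assumptions: 172.31.0.5 stands in for the elided 172.31.X.Y, and the 93.184.216.x values are placeholders chosen only so that Python's `ipaddress` classifies them as global.

```python
import ipaddress

# Constructed sample data, not real hosts: the four SANs from the question.
# 172.31.0.5 stands in for the elided 172.31.X.Y; the other addresses are
# arbitrary placeholders chosen so that ipaddress reports them as global.
SAMPLE_A_RECORDS = {
    "host1.example.com": ["93.184.216.34"],
    "host2.example.com": ["93.184.216.35"],
    "host3.example.com": ["93.184.216.36"],
    "host4.example.com": ["172.31.0.5"],
}

# Assumed (constructed) addresses of the zone's authoritative name servers.
SAMPLE_NS_ADDRESSES = ["93.184.216.2", "93.184.216.3"]

# Challenge types whose validation requires the ACME server to open a
# connection to the name being validated.
REACHABILITY_CHALLENGES = frozenset({"http-01", "tls-alpn-01"})


def all_global(addresses):
    """True only if every address is globally routable.

    RFC 1918 space, loopback, link-local and similar ranges are not global,
    so a name resolving to 172.31.0.5 fails this check.
    """
    return all(ipaddress.ip_address(a).is_global for a in addresses)


def names_needing_dns01(a_records):
    """Names that a reachability challenge (http-01 / tls-alpn-01) cannot validate."""
    return sorted(name for name, ips in a_records.items() if not all_global(ips))


def plan_challenges(a_records, ns_addresses, preferred="http-01"):
    """Pick a challenge type for each SAN.

    Names whose addresses are not reachable from the internet cannot pass a
    reachability challenge and are assigned dns-01 instead. dns-01 only works
    if the authoritative name servers are reachable, so that is checked first.
    """
    if not all_global(ns_addresses):
        raise ValueError(
            "authoritative DNS is not reachable from the internet; dns-01 cannot work"
        )
    plan = {}
    for name, addresses in a_records.items():
        if preferred in REACHABILITY_CHALLENGES and not all_global(addresses):
            plan[name] = "dns-01"
        else:
            plan[name] = preferred
    return plan


if __name__ == "__main__":
    for name, challenge in plan_challenges(SAMPLE_A_RECORDS, SAMPLE_NS_ADDRESSES).items():
        print(f"{name}: {challenge}")
```

Because the issued certificate carries only the names, the same plan applies no matter how the addresses change later; only the validation step at issuance (and renewal) cares about reachability.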