SAN certificate fake DNS entries

Hello
I am currently using the win-simple client on Windows Server for having certs for Exchange and Skype for Business.
It’s working fine, except that I need to create fake DNS records for the validation of internal servers, pointing to the web server public IP I use with the Letsencrypt-win-simple.
If I have sip.domain.com pointing to sip.lab.domain.com I am obliged to create a fake DNS record sip.lab in order for the client to be able to validate the .lab record.
After the certificate creation I can remove those DNS entries safely. But if I forget, it becomes a problem in my network DNS resolutions!

The fact is that I can only validate web servers on port 80, but my services are on other ports, and not all of them are public, but they require public validation. I had posted on the Microsoft forum for Exchange certificates.
https://social.technet.microsoft.com/Forums/fr-FR/301dfa19-a924-4a29-ae11-746db94eb211/internal-users-get-warning?forum=exchangesvrclients

Can’t we add SAN entries that don’t require validation?
Thanks
Andrea

Why would you think it would be ok to add SAN entries that were not validated? This is the same as asking a CA to provide you with a certificate for any domain you ask for without checking to see if you own that domain. Can you imagine how damaging that would be to internet security?

What you’re asking for is not possible, the CA/Browser Forum baseline requirements explicitly forbid it, and for exceptionally good reason. It sounds like you might want to consider an internal CA for your internal services instead of a public CA like Let’s Encrypt.

Hi, thanks for your reply, but I have mentioned the forum on Microsoft because it makes clear that I cannot use a local CA.
I am gonna link this post to that forum, for cross-reference.

Hi @lonbluster,

I looked at that thread briefly and didn’t really understand the reason why you can’t use an internal CA. It seems to me that many organizations successfully use an internal CA.

Let’s Encrypt has a different validation method available that doesn’t require a direct inbound connection (but does still require that you have control over the DNS for the domain name). This is called the DNS-01 challenge and it requires you to create a DNS TXT record for _acme-challenge as a subdomain of your domain name. This TXT record isn’t used for any other purpose so it doesn’t cause any harm if you leave it in place (nor does it contain anything secret).

I don’t know offhand if any of the Windows clients currently support DNS-01 validation.


Well, I just tried once more with a local CA, in the Exchange CP; if I assign the IIS service to the internal cert, the Letsencrypt cert will not be used any longer for IIS.

Do you mind rephrasing?

With the DNS method, if you want a certificate for server.example.com, you would be asked to create a DNS TXT record for _acme-challenge.server.example.com.

Hi Motoko,

Do you have any guide? What is the value of the TXT record? Will it work with letsencrypt-win-simple?
Thanks
Andrea

The value of the record will be a generated string that will change every time you need to validate. I don’t believe letsencrypt-win-simple supports the dns-01 challenge currently.
