My use case is a server behind NAT. I had successfully generated and installed a certificate for https://jimmy.macewan.nz.
Unfortunately I can’t test this from within my private IP network. After reading this thread I set up local.macewan.nz to resolve to 192.168.1.71 (certbot was at least explicit about not allowing IP addresses.)
I then tried to generate a new certificate using the SAN capability (by using what appears to be the otherwise undocumented mechanism of multiple -d example.com type domains) but Certbot repeatedly complained that local.macewan.nz did not resolve. It did, but it appears that resolving to a private IP is the same thing as not resolving. It would be nice if the error was a little more helpful, if this is the case.
So I changed the A RR for local.macewan.nz to point to the same public IP address as jimmy.macewan.nz.
certbot certonly --webroot --webroot-path /path/obfuscated -d jimmy.macewan.nz -d local.macewan.nz
That worked, and a certificate was generated.
I then changed local.macewan.nz’s A RR back to resolve to 192.168.1.71
And so now I can make uninterrupted access to jimmy locally using local.macewan.nz. Way too much effort, but I wanted to know it could be done.
This will suffice for the next 90 days until I have to renew the certificate… and that’s something I’m not looking forward to. Taking the server down for renewal is bad enough, but messing with the DNS is worse.
Could LE be a bit more tolerant of FQDNs that resolve to private IP addresses, at least in the SAN?
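The failure described in the post is the validation server, not the client: for HTTP-01 Let's Encrypt fetches the challenge file over the public Internet, so a SAN whose A/AAAA record points at an RFC 1918 or other non-global address can never be validated, and the order fails for every name in it. The following pre-flight check is an added example and is not part of the original post or of certbot; it resolves each name you intend to pass with -d, classifies the addresses with Python's ipaddress module, and reports which names would block issuance before the DNS juggling starts. The webroot path, the hostnames, and the constructed address table (8.8.8.8 standing in for the real public IP) are assumptions for illustration only.

```python
"""Pre-flight check for multi-SAN HTTP-01 issuance.

Added example, not certbot's own code. Let's Encrypt's validation servers
fetch http://<name>/.well-known/acme-challenge/<token> over the public
Internet, so any SAN whose DNS record points at a non-global address
(RFC 1918, loopback, link-local, CGNAT, ...) fails validation. This script
flags such names before certbot is run. The resolver is injectable so the
check can be exercised offline against constructed data.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve name to all A/AAAA addresses via the OS resolver."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # NXDOMAIN or no records: also fatal for HTTP-01
    return sorted({info[4][0] for info in infos})


def classify(addr: str) -> str:
    """Return 'public' for a globally routable address, else why it is not."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:          # RFC 1918 ranges, fc00::/7, documentation nets
        return "private"
    if not ip.is_global:       # e.g. CGNAT 100.64.0.0/10, reserved blocks
        return "non-global"
    return "public"


def preflight(names: List[str],
              resolve: Resolver = system_resolver) -> Dict[str, Dict[str, str]]:
    """Map each hostname to {address: classification}; {} means it did not resolve."""
    return {name: {a: classify(a) for a in resolve(name)} for name in names}


def blocking_names(report: Dict[str, Dict[str, str]]) -> List[str]:
    """Names that cannot pass HTTP-01: unresolvable, or carrying any non-public address.

    Conservative on purpose: a name with a mix of public and non-public
    records is flagged rather than relying on the CA's retry behaviour.
    """
    return [name for name, addrs in report.items()
            if not addrs or any(c != "public" for c in addrs.values())]


def certbot_command(names: List[str], webroot: str) -> List[str]:
    """Build the certbot invocation used in the post (multiple -d flags)."""
    cmd = ["certbot", "certonly", "--webroot", "--webroot-path", webroot]
    for name in names:
        cmd += ["-d", name]
    return cmd


# Constructed sample data mirroring the post: one public name, one
# name pointed at a LAN address. 8.8.8.8 is a stand-in for the real public IP.
CONSTRUCTED_DNS = {
    "jimmy.macewan.nz": ["8.8.8.8"],
    "local.macewan.nz": ["192.168.1.71"],
}


def main() -> int:
    names = list(CONSTRUCTED_DNS)
    report = preflight(names, lambda n: CONSTRUCTED_DNS.get(n, []))
    for name, addrs in report.items():
        print(f"{name}: {addrs or 'does not resolve'}")
    bad = blocking_names(report)
    if bad:
        print("HTTP-01 would fail for:", ", ".join(bad))
        print("Fix DNS (or use DNS-01) before running:",
              " ".join(certbot_command(names, "/path/obfuscated")))
        return 1
    print("All SANs resolve to public addresses; run:",
          " ".join(certbot_command(names, "/path/obfuscated")))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Swap `CONSTRUCTED_DNS.get` for the default `system_resolver` to check live records; when the output is clean, running the printed command with `--dry-run` exercises the staging CA without consuming rate-limit budget. The check also makes the post's failure mode explicit: a name that resolves only to 192.168.1.71 is, from the CA's point of view, indistinguishable from one that does not resolve at all.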