I’m working on setting up a new ticketing system and the last step is to set up the certificate. This site DOES NOT face the outside and is only accessible on the inside network. When using CertBot to set up the cert, I get the below error:
This particular site does not face externally at all so any site on the internet, unless it is hosted here locally, should not be able to see it. I have the DNS A record set up on our 2016 server, which resolves correctly internally.
I will try switching to dns-01 validation and let you know!
I did. I copied the name that it requested, _acme-challenge.fmr.bizjet.com, and gave it the value it requested at the time. When creating this, should I wait a few minutes before pressing Enter to continue on with the test?
Now let me just state that none of our onsite DNS records are open to the public, to the best of my knowledge.
There is a further option where you can create a CNAME entry for the _acme-challenge subdomain, pointed at a resource in a different DNS zone. That CNAME entry only has to be created once (although it has to continue to exist indefinitely), and then you can use records in the other DNS zone to prove your control over the original name.
So for example, you could create a DNS record
_acme-challenge.fmr.bizjet.com. IN CNAME _acme-challenge.someotherdomain.example.com.
_acme-challenge.www.fmr.bizjet.com. IN CNAME _acme-challenge.someotherdomain.example.com.
Once these are in place, you can obtain certificates for fmr.bizjet.com and www.fmr.bizjet.com on an ongoing basis by updating DNS records in someotherdomain.example.com. Several Let’s Encrypt clients have support for this mode.
The only consequence of creating this CNAME record is allowing whoever controls the other domain to obtain certificates for the original domain. If your company wants to have control of that, they could register something like bizjetcom-acmevalidation.net themselves but host it on some external infrastructure for which they can allow you to have a DNS API key, and then they can refrain from using that other domain for any other purpose. In that case, they still have control but they can let you issue your certificates whenever you want without actively involving them every time.
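The following is an added example, not code from this thread or from Certbot, showing how a dns-01 validator follows the CNAME delegation described above: it computes the expected TXT value from the challenge token and the account key thumbprint (the formula in RFC 8555 section 8.4), then follows CNAMEs from _acme-challenge.fmr.bizjet.com into the other zone and checks the TXT record found there. The zone data, token and thumbprint are constructed for the example; a real validator queries public DNS instead of a dictionary, which is exactly why an internal-only A record or TXT record never satisfies the check.

```python
import base64
import hashlib

# Constructed values standing in for an ACME challenge token and the
# JWK thumbprint of the account key (neither is a real token or key).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record content for dns-01: base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed zone data: both bizjet.com challenge names delegate via CNAME
# to one name in the other zone, where the TXT record is actually published.
ZONES = {
    "_acme-challenge.fmr.bizjet.com.": ("CNAME", "_acme-challenge.someotherdomain.example.com."),
    "_acme-challenge.www.fmr.bizjet.com.": ("CNAME", "_acme-challenge.someotherdomain.example.com."),
    "_acme-challenge.someotherdomain.example.com.": ("TXT", [dns01_txt_value(TOKEN, THUMBPRINT)]),
}


def resolve_txt(name: str, zones: dict, max_hops: int = 8) -> list:
    """Follow CNAMEs the way a validating resolver does and return the TXT strings
    at the end of the chain. Missing names yield []; loops raise."""
    current = name if name.endswith(".") else name + "."
    seen = set()
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        record = zones.get(current)
        if record is None:
            return []  # NXDOMAIN: nothing published at this name
        rtype, data = record
        if rtype == "CNAME":
            current = data  # hop into the other zone and keep looking
            continue
        return list(data) if rtype == "TXT" else []
    raise ValueError("too many CNAME hops")


def validate_dns01(name: str, token: str, thumbprint: str, zones: dict) -> bool:
    """True if any TXT string reachable from name equals the expected value."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(name, zones)


if __name__ == "__main__":
    for host in ("_acme-challenge.fmr.bizjet.com", "_acme-challenge.www.fmr.bizjet.com"):
        print(host, "->", validate_dns01(host, TOKEN, THUMBPRINT, ZONES))
```

Because the delegated name is the only thing consulted at validation time, updating the single TXT record in someotherdomain.example.com serves both fmr.bizjet.com and www.fmr.bizjet.com, and anyone who can write that record can pass validation for both names, which is the control trade-off the post describes.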