I’m working on setting up a new ticketing system and the last step is to set up the certificate. This site DOES NOT face the outside and is only accessible on the inside network. When using CertBot to set up the cert, I get the below error:
It produced this output:
Challenge failed for domain fmr.bizjet.com
http-01 challenge for fmr.bizjet.com
cleaning up challenges
Some challenges have failed
IMPORTANT NOTES
The following errors were reported by the server:
Domain: fmr.bizjet.com
Type: connection
Detail: dns :: DNS problem: NXDOMAIN looking up A for fmr.bizjet.com
My web server is (include version): Apache httpd-2.4.6-89.el7.centos.1.x86_64
The operating system my web server runs on is (include version): CentOS 7 centos-release-7-6.1810.2.el7.centos.x86_64
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): VMWare to remote in to server
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): CertBot 0.36.0
Hello @JuergenAuer! Thank you for the quick response.
This particular site does not face externally at all so any site on the internet, unless it is hosted here locally, should not be able to see it. I have the DNS A record set up on our 2016 server, which resolves correctly internally.
I will try switching to dns-01 validation and let you know!
I did. I copied the name that it requested, _acme-challenge.fmr.bizjet.com, and gave it the value it requested at the time. When creating this, should I wait a few minutes before pressing Enter to continue on with the test?
Now let me just state that none of our onsite DNS records are open to the public, to the best of my knowledge.
That's correct. But the IP address is static, so you don't need to update your DNS setup in 60 - 85 days.
If you use dns-01 validation, you must update your TXT entry. And if you have a certificate that expires - and that needs 20 days -> your certificate is dead.
There is a further option where you can create a CNAME entry for the _acme-challenge subdomain, pointed at a resource in a different DNS zone. That CNAME entry only has to be created once (although it has to continue to exist indefinitely), and then you can use records in the other DNS zone to prove your control over the original name.
So for example, you could create a DNS record
_acme-challenge.fmr.bizjet.com. IN CNAME _acme-challenge.someotherdomain.example.com.
and
_acme-challenge.www.fmr.bizjet.com. IN CNAME _acme-challenge.someotherdomain.example.com.
Once these are in place, you can obtain certificates for fmr.bizjet.com and www.fmr.bizjet.com on an ongoing basis by updating DNS records in someotherdomain.example.com. Several Let’s Encrypt clients have support for this mode.
The only consequence of creating this CNAME record is allowing whoever controls the other domain to obtain certificates for the original domain. If your company wants to have control of that, they could register something like bizjetcom-acmevalidation.net themselves but host it on some external infrastructure for which they can allow you to have a DNS API key, and then they can refrain from using that other domain for any other purpose. In that case, they still have control but they can let you issue your certificates whenever you want without actively involving them every time.
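To make the CNAME-delegation mechanism concrete, here is an added example (not code from the thread or from any ACME client) that simulates what a validating CA does for a dns-01 challenge: it builds the expected TXT value from the challenge token and the account-key thumbprint (the base64url SHA-256 of `token.thumbprint`, as RFC 8555 section 8.4 specifies), follows `_acme-challenge.fmr.bizjet.com` through the CNAME into the delegated zone, and checks the TXT there. The zone table, token and thumbprint are constructed; only the names `fmr.bizjet.com`, `www.fmr.bizjet.com` and `someotherdomain.example.com` come from the posts above. It also shows the two failure modes a defender will see: an NXDOMAIN when the delegation record is missing (the same class of error as the http-01 output at the top of the thread) and a CNAME loop, which a resolver must refuse to chase forever.

```python
import base64
import hashlib

MAX_CNAME_HOPS = 8  # bound on CNAME chasing, like a real resolver


def normalize(name):
    """DNS names are case-insensitive; drop the trailing dot for table lookups."""
    return name.rstrip(".").lower()


def build_zones():
    """Constructed zone data, not real records. Maps owner name -> rrsets.

    The internal zone for bizjet.com only carries the CNAME delegations
    (created once); the TXT that changes on every renewal lives in the
    external zone someotherdomain.example.com.
    """
    return {
        "_acme-challenge.fmr.bizjet.com": {
            "CNAME": ["_acme-challenge.someotherdomain.example.com."],
        },
        "_acme-challenge.www.fmr.bizjet.com": {
            "CNAME": ["_acme-challenge.someotherdomain.example.com."],
        },
        "_acme-challenge.someotherdomain.example.com": {"TXT": []},
    }


def dns01_txt_value(token, thumbprint):
    """RFC 8555 8.4: TXT value = base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def resolve_txt(name, zones, max_hops=MAX_CNAME_HOPS):
    """Follow CNAMEs the way a validating resolver does; return (final_name, txt_values).

    Raises LookupError for NXDOMAIN, a CNAME loop, or an over-long chain.
    """
    current = normalize(name)
    seen = []
    for _ in range(max_hops):
        if current in seen:
            raise LookupError(f"CNAME loop at {current}")
        seen.append(current)
        rrset = zones.get(current)
        if rrset is None:
            raise LookupError(f"NXDOMAIN looking up {current}")
        if "CNAME" in rrset:
            current = normalize(rrset["CNAME"][0])
            continue
        return current, list(rrset.get("TXT", []))
    raise LookupError(f"more than {max_hops} CNAME hops from {name}")


def publish_challenge(zones, delegated_name, value):
    """What the ACME client does in the zone it has an API key for."""
    zones[normalize(delegated_name)].setdefault("TXT", []).append(value)


def validate_dns01(domain, token, thumbprint, zones):
    """CA-side check. Returns (ok, reason)."""
    expected = dns01_txt_value(token, thumbprint)
    try:
        final_name, txts = resolve_txt("_acme-challenge." + domain, zones)
    except LookupError as err:
        return False, str(err)
    if expected in txts:
        return True, f"matching TXT found at {final_name}"
    return False, f"no matching TXT at {final_name}"


def run_demo():
    """Exercise success, missing delegation, and a CNAME loop; return the outcomes."""
    token = "constructed-challenge-token"        # constructed, not a real token
    thumbprint = "constructed-account-thumbprint"  # constructed, not a real JWK thumbprint
    zones = build_zones()

    # One TXT in the delegated zone satisfies both names that CNAME to it.
    publish_challenge(zones, "_acme-challenge.someotherdomain.example.com", dns01_txt_value(token, thumbprint))
    ok_fmr, _ = validate_dns01("fmr.bizjet.com", token, thumbprint, zones)
    ok_www, _ = validate_dns01("www.fmr.bizjet.com", token, thumbprint, zones)

    # No delegation record at all: the CA sees NXDOMAIN for _acme-challenge.other.bizjet.com.
    ok_missing, why_missing = validate_dns01("other.bizjet.com", token, thumbprint, zones)

    # A misconfigured CNAME that points back at itself must be rejected, not chased forever.
    zones["_acme-challenge.loop.bizjet.com"] = {"CNAME": ["_acme-challenge.loop.bizjet.com."]}
    ok_loop, why_loop = validate_dns01("loop.bizjet.com", token, thumbprint, zones)

    return {
        "fmr": ok_fmr, "www": ok_www,
        "missing": ok_missing, "missing_reason": why_missing,
        "loop": ok_loop, "loop_reason": why_loop,
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

The table-driven resolver stands in for the public DNS the CA queries; the point is that only the external zone ever needs a TXT change, and that the CA never needs to see the internal zone beyond the single, static CNAME.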