SSL Certificate for Intranet

Dear community,

I want to issue a SSL certificate for an Intranet server which is only accessible from the internal network.

The domain name was changed to DOMAIN
The key was changed to KEY
The actual server IP was changed to IP

My domain is: an internal LAN server

I ran this command: see description above

It produced this output: see description above

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2019

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I used win-acme for issuing the certificate and it seemed to work out well, but then came up with the following error:

[DBUG] Scanning IIS site bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering by site(s) [3]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Checking [IIS] Intranet, (any host)
[VERB] Creating certificate order for hosts: [“DOMAIN”]
[VERB] Loading ACME account signer…
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[VERB] Constructing ACME protocol client…
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/81633384/2788681112 created
[VERB] Handle authorization 1/2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3580772584
[VERB] Request completed with status OK
[INFO] Authorize identifier: DOMAIN
[VERB] Challenge types available: [“http-01”, “dns-01”, “tls-alpn-01”]
[INFO] Authorizing DOMAIN using dns-01 validation (Manual)

Domain: DOMAIN
Record: _acme-challenge.DOMAIN
Type: TXT
Content: “KEY”
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press after you’ve created and verified the record

[VERB] Querying server IP about com
[DBUG] Querying name servers for com
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192…identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192…identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying IP for name server
[VERB] Name server IP 192… identified
[VERB] Querying server 192… about xxxxx.com
[DBUG] Querying name servers for xxxxx.com
[WARN] Unable to find or contact authoritative name servers for _acme-challenge.DOMAIN: No connection could be established to any of the following name servers: 192… (Udp: 512).
[DBUG] Preliminary validation will now check name server IP
[DBUG] Preliminary validation at IP looks good!
[DBUG] Preliminary validation will now check name server IP
[DBUG] Preliminary validation at IP looks good!
[DBUG] Preliminary validation will now check name server IP
[DBUG] Preliminary validation at IP looks good!
[INFO] Preliminary validation succeeded
[INFO] Answer should now be available at _acme-challenge.DOMAIN
[DBUG] Preliminary validation will now check name server IP
[DBUG] Preliminary validation at IP looks good!
[DBUG] Preliminary validation will now check name server IP
[DBUG] Preliminary validation at IP looks good!
[DBUG] Preliminary validation will now check name server IP
[DBUG] Preliminary validation at IP looks good!
[INFO] Preliminary validation succeeded
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3580772584/hPJSFQ
[VERB] Request completed with status BadRequest
[WARN] First chance error calling into ACME server, retrying with new nonce…
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3580772584/hPJSFQ
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/5)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3580772584/hPJSFQ
[VERB] Request completed with status OK
[EROR] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.DOMAIN - check that a DNS record exists for this domain",
"status": 400
}
[EROR] Authorization result: invalid
[VERB] Starting post-validation cleanup

Domain: DOMAIN
Record: _acme-challenge.DOMAIN
Type: TXT
Content: “KEY”

Thanks in advance for your help!


The TXT record might be available from your intranet, but it isn’t from the outside world. Let’s Encrypt needs to validate the record from their servers. It won’t believe anything else.


Hi @Pascal_AUT

there

is your domain name, checking your domain, dns1.a1.net is your name server.

There you have to create the correct TXT entry.


Thank you for your answer!

Hm I have created an entry in our network-internal DNS Server already and it also seems to find and approve this entry in the preliminary validation. So I need to create two TXT entries - one on dns1.a1.net and one on our internal DNS server?


Let's Encrypt can't check your internal name server. So that entry isn't relevant / required.

But I don't know how that client works. Maybe there is an option to skip that pre-check.

Read

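The point made in the two answers above (the `_acme-challenge` TXT record must be visible from the zone's public authoritative servers, whatever the internal DNS server returns) as an added pre-flight check; this is example code, not part of win-acme or the original thread. It assumes dnspython (`pip install dnspython`) for the real lookup, and the fake lookup, the internal address 10.0.0.53 and the name-server address 203.0.113.10 are constructed placeholders.

```python
"""Split-horizon pre-flight check for an ACME dns-01 TXT record.

win-acme's preliminary validation asked the resolver it could reach (the
internal DNS server), which answered "looks good"; Let's Encrypt then asked
the public authoritative servers and got NXDOMAIN. This check asks the
public servers directly, so the internal view cannot mask the result.
"""
from typing import Callable, Dict, List, Union

NXDOMAIN = "NXDOMAIN"   # sentinel: the name does not exist at that server
NOANSWER = "NOANSWER"   # sentinel: name exists but carries no TXT record
Lookup = Callable[[str, str], Union[List[str], str]]  # (name, server_ip) -> TXT strings or sentinel


def check_public_txt(record: str, expected: str, servers: Dict[str, str], lookup: Lookup) -> dict:
    """Ask every authoritative server in `servers` (hostname -> IP) for `record`.

    Returns a per-server verdict and an overall 'ok' that is True only when
    every server returns `expected`: Let's Encrypt may query any of them, so a
    single stale or missing answer means validation will fail."""
    verdicts = {}
    for host, ip in servers.items():
        answer = lookup(record, ip)
        if answer in (NXDOMAIN, NOANSWER):
            verdicts[host] = f"{answer}: record not visible in the public zone"
        elif expected in [a.strip('"') for a in answer]:   # tolerate quoted values
            verdicts[host] = "match"
        else:
            verdicts[host] = f"mismatch: got {answer}"
    return {"ok": all(v == "match" for v in verdicts.values()), "servers": verdicts}


def public_lookup(name: str, server_ip: str) -> Union[List[str], str]:
    """Real lookup: send the TXT query straight to the authoritative server (dnspython)."""
    import dns.message, dns.query, dns.rcode, dns.rdatatype
    resp = dns.query.udp(dns.message.make_query(name, dns.rdatatype.TXT), server_ip, timeout=5)
    if resp.rcode() == dns.rcode.NXDOMAIN:
        return NXDOMAIN
    txts = [b"".join(r.strings).decode() for rr in resp.answer
            if rr.rdtype == dns.rdatatype.TXT for r in rr]
    return txts or NOANSWER


def fake_split_horizon(name: str, server_ip: str) -> Union[List[str], str]:
    """Constructed sample of the thread's situation: only the internal DNS
    server (10.0.0.53) knows the record; every public server returns NXDOMAIN."""
    internal_view = {"10.0.0.53": ['"KEY"']}
    return internal_view.get(server_ip, NXDOMAIN)


if __name__ == "__main__":
    # dns1.a1.net is the public name server named in the thread; the IP is a placeholder.
    print(check_public_txt("_acme-challenge.DOMAIN", "KEY",
                           {"dns1.a1.net": "203.0.113.10"}, fake_split_horizon))
```

Swap `fake_split_horizon` for `public_lookup` and the real name-server addresses to run it against a live zone before pressing Enter in win-acme.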

Thank you - it worked out perfectly.

