Trying to create cert for internal-only server using DNS-01


#1

A bit of background – This is an internal only webserver. I do have the ability of making DNS changes where I did add the TXT record for this dns name. The DNS record is not viewable via external DNS. Is that an issue?

My domain is: internal.server.com

I ran this command: `certbot certonly --manual --preferred-challenges dns-01 -d internal.server.com --dry-run`

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for atsb-swpc-pup-svr-lx.swpc.noaa.gov

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y

Please deploy a DNS TXT record under the name
_acme-challenge.internal.server.com with the following value:

A1FLv4YvkWJ_LzBOz3hO4Irz6KCBbk_QUXPKG_SYFG0

Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
```

Here I run `watch -n1 host -t txt _acme-challenge.internal.server.com` on a separate terminal… when it updates, I press ENTER.

```
Cleaning up challenges
Failed authorization procedure. internal.server.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.internal.server.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: internal.server.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.internal.server.com
```

My web server is (include version): httpd v2.4.6

The operating system my web server runs on is (include version): RHEL 7.5

I can login to a root shell on my machine (yes or no, or I don’t know): Yes


#2

Yes. The record needs to be externally observed, or else your control of the domain cannot be proven.


#3

Thanks for the quick response. So there’s no way of getting a cert for this.


#4

Split-horizon DNS is pretty common in government and would provide a solution - you could add a TXT record into the public view.

If you don’t have that ability, then yeah, probably Let’s Encrypt is not suitable.


#5

(In the situation @_az is referring to, only the TXT record needs to be publicly visible—the A record doesn’t need to be publicly visible.)


#6

And only for long enough to validate the challenge.
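As an added example (not code from the thread, from certbot, or from Let's Encrypt), here is a way to check what replies #2, #4 and #5 describe: whether the `_acme-challenge` TXT record is visible to public resolvers, which is the view the CA validates from, as opposed to the internal split-horizon view that a `host` query on the same network may show. It queries only the TXT name, so nothing about the A record has to be exposed. It uses the Python standard library only; the resolver addresses (10.0.0.53 as an assumed internal resolver, 1.1.1.1 and 8.8.8.8 as public ones) are assumptions, and `build_txt_response` exists only to construct sample replies for offline checking.

```python
"""Compare the ACME DNS-01 TXT record as seen from internal and public resolvers.

Added example, not part of the original thread. Builds a raw DNS TXT query,
sends it to each resolver over UDP, and parses the reply so that an NXDOMAIN
from a public resolver can be compared with a positive answer from an internal
split-horizon view. Resolver addresses and sample packets are constructed.
"""
import socket
import struct

TYPE_TXT = 16
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_txt_query(name, txid=0x1234):
    """Encode a standard recursion-desired query for TXT records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, 1)


def build_txt_response(query, rcode, txts, ttl=60):
    """Construct a reply to `query` (constructed test data; no network involved).

    Echoes the question section and points each answer name back at it with a
    compression pointer, as real resolvers do.
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)          # QR + RD + RA, plus the RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txts), 0, 0)
    answers = b""
    for txt in txts:                          # tokens are well under 255 bytes
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:             # compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_response(msg):
    """Return (rcode_name, [txt strings]) from a raw DNS response message."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE_NAMES.get(flags & 0xF, str(flags & 0xF))
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_TXT:
            # TXT RDATA is a sequence of <length><bytes> character-strings
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            records.append("".join(parts))
    return rcode, records


def query_txt(name, resolver, timeout=3.0):
    """Send the query to one resolver on UDP/53 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data)


def check_challenge_visibility(name, expected, resolvers):
    """Per resolver: (rcode, whether the expected challenge token was returned)."""
    results = {}
    for resolver in resolvers:
        rcode, records = query_txt(name, resolver)
        results[resolver] = (rcode, expected in records)
    return results


if __name__ == "__main__":
    # Assumed resolvers: one internal (split-horizon) and two public ones.
    report = check_challenge_visibility(
        "_acme-challenge.internal.server.com",
        "A1FLv4YvkWJ_LzBOz3hO4Irz6KCBbk_QUXPKG_SYFG0",
        ["10.0.0.53", "1.1.1.1", "8.8.8.8"],
    )
    for resolver, (rcode, seen) in report.items():
        print(f"{resolver:<12} {rcode:<9} challenge token present: {seen}")
```

If the internal resolver reports NOERROR with the token present while the public resolvers report NXDOMAIN, the record exists only in the internal view and the validation will fail exactly as in the output above; the fix is to publish the same TXT record in the public zone for the duration of the challenge.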


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.