Use let´s encrypt for intranet domain

MrNico · 2019-02-11 20:36:12 UTC

Hello, I need to know if the certificates generated by lets encript can be used in an easy way for my internal domains.
Currently I have a windows DNS server that is my internal DNS, and I want to know if I can use it to “validate” domains not valid on the Internet, but if they are in my internal DNS.

My domain is: intranet.domain.com

I ran this command: /certbot-auto --apache

It produced this output:

My web server is (include version): Apache 2.2.15-69

The operating system my web server runs on is (include version): Redhat 6.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

JuergenAuer · 2019-02-11 20:39:04 UTC

Hi @MrNico

no, this isn’t possible. If you want a certificate signed by a public CA, that must be a public visible and worldwide unique domain name.

Not a private name.

mnordhoff · 2019-02-11 21:26:02 UTC

However, it can be a public, registered domain name that you only use on your intranet, as long as the DNS works externally.

rg305 · 2019-02-12 00:42:41 UTC

This leaves much to the imagination and interpretation of the reader:

From what I read, you want to obtain a certificate for a subdomain of a real Internet domain.
But the subdomain doesn’t exist anywhere on the Internet (only within your private network).
If that is the case, you can (but only with a wildcard cert - which requires DNS validation).

[the key element being “a subdomain of a real Internet domain”]
If I misread it, then please add some more detail/clarity to the problem/request.

MrNico · 2019-02-12 02:51:52 UTC

Yes, something like this is what I have, a domain valid on the internet and I need to create another subdomain valid only for my internal network. My internal DNS (windows 2012 R2) would be responsible for validating my intranet.mydomain.com website. Could you give me more details if it is possible to use a LE certificate? thanks!

rg305 · 2019-02-12 03:00:11 UTC

Yes, you can obtain an LE cert for any real domain or subdomain of any real domain.
Since the actual subdomain doesn’t exist on the Internet, the only validation method available is DNS.
You can obtain practically any possible real name and wildcards to cover entire subdomains (of real domains) through DNS validation.

You should look for an ACME client that allows for DNS validations and that also works with your Internet DNS provider and can run on any of your internal systems (as a cert distribution point - if you need many certs) - even directly on an IIS server or Windows DNS server.

If your Internet DNS provider is not supported via API/plugin, or to just simplify the initial TEST, you can get a cert by manually creating the validation TXT records in the zone or by using an online free service site (like: https://www.sslforfree.com/).
[automation is highly preferred]

danb35 · 2019-02-12 03:01:37 UTC

If you’re using DNS validation, it doesn’t have to be a wildcard cert. You might want it to be, but it isn’t inherently required.

To use DNS validation, you’ll need to have public-facing DNS servers that will serve TXT records for _acme-challenge.yourdomain–it isn’t enough to serve those records to your LAN. But given that, and the ability to update those DNS records automatically, this can work very well (it’s what I do for my internal hosts on my home network).

JuergenAuer · 2019-02-12 08:47:26 UTC

Your “internal DNS” must be public visible, so Letsencrypt is able to check a dns entry.

Something like

D:\temp>nslookup -type=TXT _acme-challenge.yourSubdomain.yourdomain.com


_acme-challenge.yourSubdomain.yourdomain.com =

        "LJWtQAv_5lFCjGdssk4B2pyYoan8xRT7P8t1Bhvy4VU"

MrNico · 2019-02-12 15:39:57 UTC

I understand, I also have an external DNS that is the one we manage for our valid domains on the internet. Could I generate a TXT record in the domain “mydomain.com” to be validated by LE?
How can I generate that code that I must enter in the TXT register? And finally, will I have to do the same work every 90 days?

rg305 · 2019-02-12 16:33:20 UTC

Yes, but such a record would NOT cover {any-name}.SUBDOMAIN.yourdomain.com.

The whole point of LE is automation.
So, you should look for a combination of client, API, and DNS provider, implementation that can be fully automated.

Yes, the work will need to be done; But hopefully it will be fully automated and “you” won’t have to do anything (manually).