Using certbot for local certs


#1

I’m trying to use certbot for the first time to create signed certificates for pages on my local home server. My server is my DNS server, pointing to OpenDNS, and I’ve edited dnsmasq.conf for the TXT file. I suspect I’m entering it incorrectly:

#Change the following lines to enable dnsmasq to serve TXT records.
#These are used for things like SPF and zeroconf. (Note that the
#domain-name expansion done for SRV records _does_not
#occur for TXT records.)

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
> txt-record=_acme-challenge,"zxrQz_bRJlfO2psXSWraPHXT70Rm1K-clw72zEwYhb8"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *starfleet.org (local domain)

I ran this command: certbot --text --agree-tos --email t******@*****m -d hda.starfleet.org --manual --preferred-challenges dns --expand --renew-by-default --manual-public-ip-logging-ok certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for hda.starfleet.org


Please deploy a DNS TXT record under the name
_acme-challenge.hda.starfleet.org with the following value:

zxrQz_bRJlfO2psXSWraPHXT70Rm1K-clw72zEwYhb8

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. hda.starfleet.org (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hda.starfleet.org

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: hda.starfleet.org
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.hda.starfleet.org

My web server is (include version): Fedora 27

The operating system my web server runs on is (include version): Fedora 27

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, Amahi 11


#2

Hi @tamorgen

the domain starfleet.org has a public A-record.

D:\temp>nslookup starfleet.org.
Name: starfleet.org
Address: 76.74.252.190

Are you the owner of this domain? If no, you can’t get a certificate.

If you want a certificate, you must be the public / unique owner of this domain.

And the dns entry

_acme-challenge.hda.starfleet.org

must be publicly visible, so Let's Encrypt (or another CA) is able to check it.

Checking

D:\temp>nslookup -type=txt _acme-challenge.starfleet.org.
*** fritz.box can't find _acme-challenge.starfleet.org.: Non-existent domain.


#3

Hi Juergen,
I suspected that it might be doing that. Is there a method that would allow me to create a certificate for a domain that’s not internet accessible? My server hosts a local domain, and the sites are for intranet use only.


#4

No, this isn't possible. But this isn't a Let's Encrypt limitation. It's a limitation of the public key infrastructure used with certificates.

If you have a private infrastructure, then create a self-signed certificate with a long lifetime (10 - 30 years) and import this in your browser.


#5

Or set up your own Private Certificate Authority using OpenSSL.

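The suggestions in #4 and #5 combined, as an added example that is not part of this thread: a minimal private CA built with OpenSSL, whose long-lived self-signed certificate is the one you import into browsers, and a short-lived server certificate it issues for the intranet host named in the original post. OpenSSL 1.1.1 or newer on PATH, the host name hda.starfleet.org, the output directory ./pki, the CA name and the lifetimes are all assumptions you can change.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal private CA with OpenSSL.
# Assumptions: openssl 1.1.1+ on PATH; the host name, the output directory
# and the lifetimes below are illustrative and can be changed.
set -eu

WORK="${WORK:-./pki}"              # output directory (assumed)
HOST="${HOST:-hda.starfleet.org}"  # intranet host from the post

# One config file holding the extension profiles for the CA and for servers.
write_config() {
    mkdir -p "$WORK"
    cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Starfleet intranet CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# The CA: a long-lived self-signed certificate (10 years here). This is the
# file you import into browsers / the OS trust store, not the server cert.
make_ca() {
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$WORK/pki.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
    chmod 600 "$WORK/ca.key"
}

# A server certificate signed by the CA. Browsers match the host name against
# subjectAltName, so the SAN from v3_server is what matters; the leaf is kept
# short-lived (825 days is the longest Apple clients accept for TLS servers).
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/pki.cnf" -subj "/CN=$HOST" \
        -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr"
    openssl x509 -req -sha256 -days 825 \
        -in "$WORK/$HOST.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/pki.cnf" -extensions v3_server \
        -out "$WORK/$HOST.crt"
    chmod 600 "$WORK/$HOST.key"
}

# Returns 0 only if the leaf chains to the CA, is valid for $HOST and
# actually carries the host name in its SAN.
check_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" \
        "$WORK/$HOST.crt" >/dev/null &&
    openssl x509 -in "$WORK/$HOST.crt" -noout -text | grep -q "DNS:$HOST"
}

write_config
make_ca
issue_server_cert
check_cert
echo "issued $WORK/$HOST.crt; import $WORK/ca.crt on the clients"
```

Only ca.crt goes to the clients; ca.key stays on the server (or better, offline) because anyone holding it can issue certificates your browsers will trust for any name. Putting the long lifetime on the CA certificate rather than on the leaf means you re-run only issue_server_cert when the server certificate expires, without touching the browsers again.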

#6

But you can buy a domain name, use DNS validation to issue certificates, and not put public A and AAAA records in the public DNS.


#7

Or get a free domain name: http://www.dot.tk/en/index.html or for example https://www.freenom.com/en/freeandpaiddomains.html