Using Let's Encrypt with Grafana on an internal network

I currently have Grafana running on an internal network and has internal company DNS and would like to use Let’s Encrypt to create a certificate for it. Currently I am using a proxy via http_proxy and https_proxy environment variables and can successfully connect to the Certbot endpoint however i am getting the following error:

Domain: mygrafanadomain.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for mygrafanadomain.com

It should also be noted that the domain is not available in public DNS, only available internally. Can i still use Let’s Encrypt for internal sites using dns-01 challenge or does it still need to be a public domain?

I’m not sure what the exact situation is from your description, but hopefully this helps:

In order to obtain a certificate from any publicly-trusted CA, your domain needs to be a “real” domain, i.e. it must be under an ICANN TLD and you need to own it, or at least be able to modify records or content under the domain. No CA is allowed to issue certificates for “internal”, made-up domains that either don’t exist or are not owned and/or controlled by the entity requesting the certificate.

Assuming you do indeed own the domain in question: With dns-01, the only record that needs to exist in the public DNS is the TXT record used to validate DNS challenges, under the _acme-challenge subdomain. You do not need an A record or anything like that, and the domain does not need to be publicly reachable (that’s only needed for http-01 and tls-sni-01).

1 Like

Thanks for getting back to me, The domain is not available in public DNS, only in or internal network so im assuming Lets Encrypt will not work for this case?

That’s right. Let’s Encrypt is not allowed by industry rules to issue a certificate for this case.

You can use a self-signed certificate on your internal network and add an exception to trust it in each browser that you use to connect to this service. (Or you can use an internal CA, but that’s probably a lot more work for just one service.) If you don’t know how to make a self-signed certificate, https://zerossl.com/ has a tool available to do it in a web browser (alongside the tools for obtaining Let’s Encrypt certificates).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.