Wildcard cert with internal-only subdomain


#1

Hi there

I’m new to Let’s Encrypt and I’m planning to switch over.
After I searched this forum and using Google I haven’t found an answer to my question.

I have an official domain “example.com” that is used for web, mail and other stuff.
Along this I use “corp.example.com” as my internal Windows Domain. This subdomain is not publicly available, since it only exists in my internal DNS servers.

Now, I’d like to create a Wildcard SAN certificate for:

Can this be achieved using DNS challenge when my internal subdomain cannot be resolved?

Thanks for your help!


#2

As long as your DNS server is accessible from the outside world, yes: if you can answer the DNS challenge, there is no need for your http server to be accessible.


#3

Hi @arupper

that doesn’t work. If you create a certificate with *.example.com, then you can’t have corp.example.com in the same certificate.

So you need and can use only three names:

example.com
*.example.com
*.corp.example.com


#4

@JuergenAuer:
Thanks for clarification about corp.example.com!

@tdelmas:
Is ist necessary to have a public adressible DNS zone for “corp.example.com” just to pass DNS challenge?
Or would it be sufficient to have a public DNS zone for “example.com” to validate bothcorp.example.com” and “example.com” (including Wildcards)?


#5

To validate corp.example.com or *.corp.example.com using DNS, you need to create a DNS record called _acme-challenge.corp.example.com. So it has to resolve, but it doesn’t have to be the same internally and externally.


#6

To further clarify, you don’t need a separate corp.example.com zone to create a _acme-challenge.corp.example.com record. You effectively just create a _acme-challenge.corp record in the root example.com zone in addition to the base _acme-challenge records.


#7

Thank you all for clarification! This is very helpful!


#8

One more question:
Will the txt record for _acme-challenge… be the same for all domains in the same certificate?

(After reading through some client docs it seems the client implementation will only output one result for a txt record, even if I submit multiple domains for a SAN/UCC certificate)


#9

This doesn’t work. If you have one certificate with two names *.example.com example.com, you have to create two txt entries with the same name

_acme-challenge.example.com

and with two different values. Letsencrypt checks, if one of these txt entries has the correct value.


#10

No, it will be different for each domain.


#11

A post was split to a new topic: Wildcard-capable client recommendation for Windows


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.