I’m new to Let’s Encrypt and I’m planning to switch over.
After searching this forum and Google I haven't found an answer to my question.
I have an official domain “example.com” that is used for web, mail and other stuff.
Alongside this I use "corp.example.com" as my internal Windows domain. This subdomain is not publicly available, since it only exists on my internal DNS servers.
Now, I’d like to create a Wildcard SAN certificate for:
As long as your DNS server is accessible from the outside world, yes: if you can answer the DNS challenge, there is no need for your http server to be accessible.
@tdelmas:
Is it necessary to have a publicly addressable DNS zone for "corp.example.com" just to pass the DNS challenge?
Or would it be sufficient to have a public DNS zone for “example.com” to validate both “corp.example.com” and “example.com” (including Wildcards)?
To validate corp.example.com or *.corp.example.com using DNS, you need to create a DNS record called _acme-challenge.corp.example.com. So it has to resolve, but it doesn't have to be the same internally and externally.
To further clarify, you don't need a separate corp.example.com zone to create a _acme-challenge.corp.example.com record. You effectively just create a _acme-challenge.corp record in the root example.com zone in addition to the base _acme-challenge records.
One more question:
Will the TXT record for _acme-challenge… be the same for all domains in the same certificate?
(After reading through some client docs it seems the client implementation will only output one result for a TXT record, even if I submit multiple domains for a SAN/UCC certificate.)
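As an added example (not code from this thread or from any ACME client), here is the dns-01 value computation from RFC 8555 section 8.4 applied to the names discussed above, showing how the records at _acme-challenge.example.com and _acme-challenge.corp.example.com relate; the account key, the tokens and the function names are constructed placeholders, since real tokens come from the CA per identifier.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value for dns-01: base64url(SHA-256(token '.' account-key-thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """A wildcard and its base name validate at the same _acme-challenge label (the '*.' is dropped)."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def plan_dns01_records(challenges: dict, jwk: dict) -> dict:
    """Map each record name to the list of TXT values the CA will query for.

    Every identifier has its own token, so every value differs; only the
    thumbprint part of the key authorization is shared across the order.
    """
    thumbprint = jwk_thumbprint(jwk)
    records: dict = {}
    for identifier, token in challenges.items():
        records.setdefault(dns01_record_name(identifier), []).append(dns01_txt_value(token, thumbprint))
    return records


# Constructed sample data: a fake P-256 account key and made-up per-identifier tokens.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
SAMPLE_CHALLENGES = {
    "example.com": "token-constructed-1",
    "*.example.com": "token-constructed-2",
    "corp.example.com": "token-constructed-3",
    "*.corp.example.com": "token-constructed-4",
}

if __name__ == "__main__":
    for name, values in plan_dns01_records(SAMPLE_CHALLENGES, SAMPLE_JWK).items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
```

Both record names end in example.com, so they can be created in the public example.com zone without a separate corp.example.com zone, and the two names each carry two TXT values when the base name and its wildcard are in the same order.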