Let's Encrypt Certificate for Internal Site

I am hoping to clear up some confusion I have regarding the use of Let's Encrypt for an internal site/application. I have not been able to find this information elsewhere.

I want to use Let's Encrypt paired with Certbot to allow the use of SSL on an application.

Questions:

  1. Does Let's Encrypt or Certbot require internet access to perform any part of their job? The application will need to be able to run normally even if internet access is down. From what I can gather, the only part that requires internet connectivity is generating new certs when the 90-day period is drawing to an end.
  2. Let's Encrypt requires a valid domain. Per their website, "for any server that uses a domain name, like web servers, mail servers,...". I'm rather ignorant of what it means to have a valid domain. If I have Apache on my server that already hosts other web applications, does any domain name I set up with Apache count, or do I need to purchase a domain name?
  3. In the previous question I mentioned other applications are going to be on this server. These do not require SSL. If I set up Let's Encrypt and Certbot on my server, does that mean that these applications have SSL available, or is it specific to the domain (site) name used to set it up? Will any of these other applications need modification if a separate application is using SSL?
  4. Hypothetically, let's say I want to get a root certificate, but instead of using this with Certbot I want to create and use a set of intermediate keys. Is this possible? Would these intermediate keys need to be altered each time we create a new root key?

I apologize if any of my questions are ignorant; my knowledge of this kind of stuff is very limited. That said, there may even be better options to accomplish what I need, so I am open to suggestions. I opted for Let's Encrypt over a self-signed cert because with this solution I would not need to add a CA to each client machine that needs access.


  1. Let's Encrypt requires Internet connectivity, but that is needed by the EFF ISRG who run it. Certbot (which runs on your computer) communicates with Let's Encrypt to issue and renew certs and does require connectivity from your computer.

  2. A valid domain name (in the case of Let's Encrypt) is a domain you set up which can be resolved by the global DNS infrastructure - in practice this means using a bought domain name, or a subdomain related to a bought domain name (although it is possible to get free domains from some obscure registries like www.tk).

  3. Applications need to be configured to use the Let's Encrypt keys. All that Certbot does is (a) have a set of keys which almost all browsers accept and (b) sign keys after checking that the owner of the key is also in control of the DNS for the key that is signed. While Certbot can be used with Apache/NGINX, and doing so is easy, it does not require either software to run. Similarly, the output of Certbot (in addition to optional configuration files if desired, which are in no way mandatory) is a signed public key. This private key, along with the private key (and any intermediate keys) Let's Encrypt typically generates for you, can be used by any software you use that can use SSL, recognises Let's Encrypt as a CA and recognises the file format. This needs to be configured in the software.

  4. What you are asking is nonsensical - if you have a root certificate you don't use Certbot. You can create your own CA infrastructure using the OpenSSL library, and if you want to make this easier there are PKI tools like easy-rsa. Certbot is not a registry, it's not an SSL library, it is a script to verify ownership of a domain name in a standard-compliant way and to manage the certs provided by Let's Encrypt. It's not useful if you are setting up your own CA (Certificate Authority - which is what a Root Certificate is all about).


  1. Yes, to perform any of the challenges involved in creating new certificates, and that's it.
  2. A 'valid domain' just means 'not an IP address'. Let's Encrypt, like most issuers, will not use IP addresses as the subject of the certificate; it must be a domain.
  3. All Certbot does is create certificates for whatever domain names it sees in your apache / nginx config. You can use the apache / nginx config to enable SSL or not, or point to any other certificate. Certbot will not force your server to have SSL enabled or force it to use its own certificates. Though it can (optionally) write the config for you during the installer.
  4. You can make any certificate act as an intermediate if you have the private key and the optional passphrase.
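
Both answers' point 3 says the certificate only applies where the server software is configured to use it. The Apache layout below illustrates that; it is an added example, not configuration posted by either answerer. The hostnames and DocumentRoot paths are placeholders, and the certificate paths assume Certbot's default `/etc/letsencrypt/live/<name>/` layout.

```apache
# Constructed example. Hostnames and DocumentRoot values are placeholders.
# Requires mod_ssl to be loaded and "Listen 443" to be set in the main config.

# Existing application: stays on plain HTTP and needs no modification.
# It never references the certificate, so it is unaffected by it.
<VirtualHost *:80>
    ServerName legacy.example.com
    DocumentRoot /var/www/legacy
</VirtualHost>

# Application that needs TLS: only this virtual host loads the certificate,
# and the certificate is only valid for the name(s) it was issued for.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app

    SSLEngine on
    # Assumed Certbot default output for a certificate named app.example.com.
    # fullchain.pem holds the server certificate plus the intermediates;
    # Apache 2.4.8 and later reads the chain from this same file.
    SSLCertificateFile    /etc/letsencrypt/live/app.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/app.example.com/privkey.pem
    # Both files are read from local disk at startup, so serving HTTPS does
    # not depend on internet access; only issuance and renewal do.
</VirtualHost>

# Optional: send plain-HTTP requests for the TLS application to HTTPS.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent / https://app.example.com/
</VirtualHost>
```

Running `apachectl configtest` after editing catches syntax errors and missing certificate files before a reload.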