Is it possible to generate a LetsEncrypt certificate for a private subdomain if the domain is public?

I have a server running on a private subdomain, server.internal.example.com

example.com is public but internal.example.com is not.

I've used CertBot to generate a certificate for *.example.com but if I try to expand this to include *.internal.example.com the DNS challenge fails because LetsEncrypt cannot reach this domain. I have tried running both:

sudo certbot certonly --manual --preferred-challenges=dns -d *.example.com -d *.internal.example.com
sudo certbot certonly --manual --preferred-challenges=dns -d *.example.com -d server.internal.example.com

but these both require me to make a DNS record change that LetsEncrypt cannot see. Is there any way around this?


What keeps you from simply creating the DNS records letsencrypt needs in your public DNS?

If it's to keep your internal network layout secret?
The fact that a TLS certificate for a specific hostname exists and has been created usually becomes public information anyway (see for example the search function on https://crt.sh/). If you don't want that: use an internal CA for internal TLS certificates (with everything that entails) and thus avoid the whole issue.

Since the existence of the certificate will more or less validate the existence of the hostname there is no immediate reason for not allowing a record for your internal hosts in your public DNS either (if only the necessary records for the duration of the certificate request/renewal)...

Unless your public DNS delegates your internal DNS zone internal.example.com to your internal IP addresses, there is no technical reason that would prevent you from simply creating a

_acme-challenge.server.internal.example.com. IN TXT 667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

record (with the correct values) in your public DNS zone.
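As an added example (not part of this answer), a small Python check of a public zone snippet for the two points above: that the _acme-challenge TXT record is present under the owner name certbot will ask for, and that no ancestor such as internal.example.com is delegated away by NS records, which would stop public resolvers from ever seeing the record. The zone text and tokens below are constructed placeholders.

```python
import re

# Constructed sample zone: apex example.com with two DNS-01 challenge records.
ZONE = """\
example.com.  IN SOA  ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
example.com.  IN NS   ns1.example.com.
_acme-challenge.example.com.                  IN TXT "PLACEHOLDER_TOKEN_WILDCARD"
_acme-challenge.server.internal.example.com.  IN TXT "PLACEHOLDER_TOKEN_SERVER"
"""
# Same zone, but internal.example.com delegated to an internal name server.
ZONE_DELEGATED = ZONE + "internal.example.com.  IN NS  ns.internal.example.com.\n"

# owner [ttl] IN type rdata  (flat, one record per line)
RR = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)$')

def parse_zone(text):
    """Return (owner, type, rdata) tuples; owners lower-cased without trailing dot."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = RR.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.lower().rstrip('.'), rtype.upper(),
                            rdata.strip().strip('"')))
    return records

def challenge_owner(hostname):
    """DNS-01 owner name: '_acme-challenge.' + hostname, with a leading '*.' removed."""
    name = hostname.lower().rstrip('.')
    return '_acme-challenge.' + (name[2:] if name.startswith('*.') else name)

def delegated_parent(records, name):
    """Closest ancestor of `name` below the apex that carries NS records, or None.
    Resolvers follow that delegation, so a TXT record kept here is never seen."""
    apex = next((o for o, t, _ in records if t == 'SOA'), None)
    ns_owners = {o for o, t, _ in records if t == 'NS' and o != apex}
    labels = name.lower().rstrip('.').split('.')
    for i in range(1, len(labels)):
        ancestor = '.'.join(labels[i:])
        if ancestor in ns_owners:
            return ancestor
    return None

def challenge_ready(zone_text, hostname, token):
    """True only if the expected TXT value is present and nothing above it is delegated."""
    records = parse_zone(zone_text)
    owner = challenge_owner(hostname)
    has_txt = any(o == owner and t == 'TXT' and r == token for o, t, r in records)
    return has_txt and delegated_parent(records, owner) is None
```

Run this against an export of the zone before pressing Enter in the certbot manual prompt; a delegation hit means the TXT record has to go into the delegated (internal) zone, which Let's Encrypt cannot reach.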


No, there is no way around this. You can't get Let's Encrypt certificates for domains Let's Encrypt can't see.

Consider creating your own CA for your internal certificates. It's pretty simple for an internal environment (check out easy-rsa for example).