Is it possible to generate a LetsEncrypt certificate for a private subdomain if the domain is public?

ssl-certificate lets-encrypt

I have a server running on a private subdomain, server.internal.example.com

example.com is public but internal.example.com is not.

I've used CertBot to generate a certificate for *.example.com but if I try to expand this to include *.internal.example.com the DNS challenge fails because LetsEncrypt cannot reach this domain. I have tried running both:

sudo certbot certonly --manual --preferred-challenges=dns -d *.example.com -d *.internal.example.com
sudo certbot certonly --manual --preferred-challenges=dns -d *.example.com -d server.internal.example.com

but these both require me to make a DNS record change that LetsEncrypt cannot see. Is there any way around this?


What keeps you from simply creating the DNS records letsencrypt needs in your public DNS?

If it's to keep your internal network layout secret?
The fact that a TLS certificate for a specific hostname exists and has been created usually becomes public information anyway (see for example the search function on https://crt.sh/). If you don't want that: use an internal CA for internal TLS certificates (with everything that entails.) and thus avoid whole issue.

Since the existence of the certificate will more or less validate the existence of the hostname there is no immediate reason for not allowing a record for your internal hosts in your public DNS either (if only the necessary records for the duration of the certificate request/renewal)...

Unless your public DNS delegates your internal DNS zone internal.example.com to your internal IP-addresses there is no technical reason that would prevent you from simply creating a

_acme-challenge.server.internal.example.com. IN TXT 667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

record (with the correct values) in your public DNS zone.


No, there is no way around this. You can't get Let's Encrypt certificates for domains Let's Encrypt can't see.

Consider creating your own CA for your internal certificates. It's pretty simple for an internal environment (check out easy-rsa for example).

Related

Getting error “libosinfo: Unexpected file type (0)” when trying to create or open VM in virt-manager
Apache's mod_rewrite and PHP's REQUEST_URI variable
AWS access as company owner
Is it possible to run gitlab as https/ssh through OS-Login IAP tunnels?
SMTP banner mismatch with multiple MX records
How to modify a VM instance setting to boot from BIOS to UEFI?
While a process is running manually, it stops after a while in the cron job [duplicate]
what to do in case of command substitution on a linux server? [duplicate]
Cannot send emails from tomcat application
Ansible "missing sudo password" even with passwordless sudo enabled
What happens when legacy browser or OS attempts to acces https site with SHA-2 certificate
Windows 10 remote tools not working, mmc, psexec etc