Score:0

Issue valid HTTPS certificates for intranet subdomains with letsencrypt


I'm trying to provide secure services on my home intranet. Up to now I've used self-signed certificates with a made-up domain example.foo, with a subdomain for my separate systems (e.g. srv1.example.foo). These domains are defined on my local DNS server.

Now I've bought the domain example.com, but have no plans to provide any public services. I also have a VPS with static IPs to point example.com to.

I hope to create a wildcard letsencrypt certificate for *.example.com to use for my intranet systems. To separate local systems from anything public, I'd define a subdomain on my local DNS which should not be resolved on public DNS servers (e.g. *.local.example.com). Local intranet systems would thus use names like srv1.local.example.com.

Is this setup feasible?

Can I create such a certificate on my VPS for *.example.com and secure intranet services with the generated certificate, have my local DNS server resolve names like srv1.local.example.com to private IPs, and not expose any private IPs or domains to the public?

Score:2

You can't create a wildcard certificate for *.example.com and use it for s1.sd.example.com. This is how certificates work. If you want to create a wildcard certificate for s1.sd.example.com, it must be for *.sd.example.com.

emma.makes
With letsencrypt and the aforementioned DNS challenge, I should be able to create wildcard certificates for both `*.example.com` and `*.local.example.com`, right? With this I reveal that there are more hosts as subdomains of `local.example.com` (e.g. `srv1.local.example.com`), but all can get valid certificates.
Romeo Ninov
@emma.makes, correct. For `h1.d1.example.com`, `h2.d1...` you should use `*.d1.example.com`
Score:1

> Can I create such a certificate on my VPS for *.example.com and secure intranet services with the generated certificate.

Yes, but it's a strange way of doing it. It doesn't make automation easy.

I would run certbot (or whatever tool you use) on the actual system that needs the certificate, or some server inside your network where the system that needs it can grab it.

Use DNS challenge authentication to validate control over the domain. This requires an external DNS provider that has an API, e.g., Route53, Cloudflare, Azure, or a multitude of others.

You don't need any public DNS records except the TXT records used for validating ownership.

emma.makes
Right, so I obviously need to put more research into how letsencrypt allows you to create certificates. Thank you for your response! I'm under the impression that the best practice in this case would be to look into the DNS challenge authentication and issue the certificate from an internal server - correct?
vidarlo
I would argue so. Less exposure of secrets, less copying, and potentially easier to automate.
Romeo Ninov
The first **yes** (as the OP asked the question) is wrong! You can't use a wildcard on more than one level.
vidarlo
@RomeoNinov Good catch, didn't notice the two levels.
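The one-level wildcard rule that Romeo Ninov raises in both answers' comments (`*.example.com` covers `srv1.example.com` but not `srv1.local.example.com`) is easy to check before requesting a certificate. The following is an added Python example, not code from this thread or from Let's Encrypt; the SAN list and hostnames at the bottom are constructed to mirror the setup discussed here.

```python
"""Check which hostnames a certificate's SAN names cover, using the
one-label wildcard rule that browsers and Let's Encrypt apply (RFC 6125)."""


def name_matches(san: str, hostname: str) -> bool:
    """True if the certificate name `san` covers `hostname`.

    - comparison is case-insensitive and ignores a trailing dot
    - the wildcard must be the entire leftmost label (no f*.example.com)
    - `*` matches exactly one non-empty label, never a dot, so
      *.example.com covers srv1.example.com but not srv1.local.example.com
      and not the bare name example.com
    - a wildcard needs at least two labels to its right (no *.com)
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname                      # plain name: exact match only
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False                                # partial or non-leftmost wildcard
    if len(san_labels) < 3:
        return False                                # refuse *.com style names
    if len(host_labels) != len(san_labels):
        return False                                # wildcard spans exactly one label
    return host_labels[0] != "" and host_labels[1:] == san_labels[1:]


def covered_by(sans, hostnames):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {h: next((s for s in sans if name_matches(s, h)), None) for h in hostnames}


if __name__ == "__main__":
    # Constructed example: one certificate carrying both wildcards from the thread.
    sans = ["*.example.com", "*.local.example.com"]
    hosts = ["srv1.example.com", "srv1.local.example.com",
             "h1.d1.example.com", "example.com"]
    for host, san in covered_by(sans, hosts).items():
        print(f"{host:26} -> {san or 'NOT COVERED: add *.<parent> or the exact name'}")
```

Run it against the SAN list you intend to request; any hostname reported as not covered needs its own wildcard one level up (e.g. `*.d1.example.com`) or an exact entry.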