Let's Encrypt Certificate for Internal Site

Solution 1:

  1. Let's Encrypt requires Internet connectivity, but that is needed by the EFF ISRG who run it. Certbot (which runs on your computer) communicates with Let's Encrypt to issue and renew certs and does require connectivity from your computer.

  2. A valid domain name (in the case of Let's Encrypt) is a domain you set up which can be resolved by the global DNS infrastructure - in practice this means using a bought domain name, or a subdomain related to a bought domain name (although it is possible to get free domains from some obscure registries like www.tk)

  3. Applications need to be configured to use the Let's Encrypt keys. All that Certbot does is (a) have a set of keys which almost all browsers accept and (b) sign keys after checking that the owner of the key is also in control of the DNS for the key being signed. While Certbot can be used with Apache/NGINX, and doing so is easy, it does not require either software to run. Similarly, the output of Certbot (in addition to optional configuration files, if desired, which are in no way mandatory) is a signed public key. This private key, along with the private key (and any intermediate keys) Let's Encrypt typically generates for you, can be used by any software you use that can use SSL, recognises Let's Encrypt as a CA and recognises the file format. This needs to be configured in the software.

  4. What you are asking is nonsensical - if you have a root certificate you don't use Certbot. You can create your own CA infrastructure using the OpenSSL library, and if you want to make this easier there are PKI tools like easy-rsa. Certbot is not a registry, it's not an SSL library; it is a script to verify ownership of a domain name in a standards-compliant way and to manage the certs provided by Let's Encrypt. It's not useful if you are setting up your own CA (Certificate Authority - which is what a Root Certificate is all about).

Solution 2:

  1. Yes, to perform any of the challenges involved in creating new certificates, and that's it.
  2. A 'valid domain' just means 'not an IP address'. Let's Encrypt, like most issuers, will not use IP addresses as the subject of the certificate; it must be a domain.
  3. All Certbot does is create certificates for whatever domain names it sees in your apache / nginx config. You can use the apache / nginx config to enable SSL or not, or point to any other certificate. Certbot will not force your server to have SSL enabled or force it to use its own certificates. Though it can (optionally) write the config for you during the installer.
  4. You can make any certificate act as an intermediate if you have the private key and the optional passphrase.
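As an added illustration of the "own CA infrastructure using OpenSSL" route from Solution 1 (point 4), and of pointing a server at a certificate that is not Certbot's (Solution 2, point 3), the script below builds a private root CA and issues a SAN-bearing certificate for an internal hostname. This is example code written for this page, not from either answer; the hostname, output directory and subject names are assumptions.

```shell
#!/bin/sh
# Build a private CA and issue a server certificate for an internal hostname.
# All names and paths below are assumptions made for this example.
set -eu

make_internal_pki() {
  dir="$1"    # output directory, e.g. ./internal-pki
  host="$2"   # internal hostname, e.g. intranet.example.internal
  mkdir -p "$dir"

  # 1. Private root CA: a self-signed certificate. This is the "root certificate"
  #    the question refers to; keep ca.key off the web server and offline if possible.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Internal Root CA" 2>/dev/null

  # 2. Server key and certificate signing request for the internal host.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host" 2>/dev/null

  # 3. Sign the CSR with the CA. Modern browsers ignore CN and require a
  #    subjectAltName, so add one; restrict the cert to server authentication
  #    and keep the validity short so rotation is routine.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -extfile "$dir/ext.cnf" -out "$dir/server.crt" 2>/dev/null
  # server.key + server.crt go into the apache/nginx config; ca.crt is what
  # clients must trust (it is not accepted by browsers until you install it).
}

# Return 0 only if server.crt chains to the private root and nothing else.
verify_internal_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
```

Run as `make_internal_pki ./internal-pki intranet.example.internal && verify_internal_cert ./internal-pki`; the check fails against the system trust store, which is the point: only clients that have imported ca.crt will accept the site.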