Categories
Computers English Security

Get certificates for “internal” hosts from Let’s Encrypt

I have a pretty large internal IT “landscape” in my house, and as an IT pro I want everything to be clean and “safe.” So even internally I’m using official SSL (or I should say “TLS”, as SSL 2.0 or 3.0 is deprecated since many years…) certificates for my router, WiFi access points, NAS devices, intranet server, etc., using host names in my own domain. I host this domain DNS-wise myself on a root server I rent from Hetzner.

Before the StartSSL disaster I got my certs from them. Afterwards I switched to WOSign, but now that they had their scandal as well, what to do?!

Well, Let’s Encrypt, a free public CA, is something I’m using anyway for my root server since they started operating. But to verify ownership of a domain name you had to run a web server on that respective host — something I can’t easily do for my internal hosts, as they have private IP addresses only, and their host names are not even publicly visible (they don’t have  a public A record, only one visible in my internal LAN). Even for my router’s externally visible host name I can’t easily use an HTTP-based challenge, as for security reasons I don’t want to operate a web server there.

By chance I came across the dns challenge that is now available in Let’s Encrypt’s certbot. This challenge works by deploying a TXT record that certbot requests to be under this domain name. Once you did this, you tell Let’s Encrypt to check, and if they find the TXT record this proves that you have authority over the domain.

Using it is quite straight forward:

# certbot certonly --manual -d hostname.internal.bergs.biz --preferred-challenges "dns"
[...]
Please deploy a DNS TXT record under the name
_acme-challenge.hostname.internal.bergs.biz with the following value:

YrAE-fmu-Zjsdhsjhd328723hjdhjcjHJJHJhds

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue

A few seconds later I had successfully received my certificate.

So now I will write a script that will run periodically on my intranet server, and that will retrieve the then-current certificates for my internal hosts from my root server, and deploy them internally.