{"id":1247,"date":"2018-02-24T17:52:42","date_gmt":"2018-02-24T16:52:42","guid":{"rendered":"https:\/\/bergs.biz\/blog\/?p=1247"},"modified":"2018-02-24T17:52:42","modified_gmt":"2018-02-24T16:52:42","slug":"get-certificates-for-internal-hosts-from-lets-encrypt","status":"publish","type":"post","link":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/","title":{"rendered":"Get certificates for &#8220;internal&#8221; hosts from Let&#8217;s Encrypt"},"content":{"rendered":"<p>I have a pretty large internal IT &#8220;landscape&#8221; in my house, and as an IT pro I want everything to be clean and &#8220;safe.&#8221; So even internally I&#8217;m using official SSL (or I should say &#8220;TLS&#8221;, as SSL 2.0 and 3.0 have been deprecated for many years&#8230;) certificates for my router, WiFi access points, NAS devices, intranet server, etc., using host names in my own domain. I host this domain DNS-wise myself on a root server I rent from <a href=\"https:\/\/hetzner.de\/\" target=\"_blank\">Hetzner<\/a>.<\/p>\n<p>Before the StartSSL disaster I got my certs from them. Afterwards I switched to WoSign, but now that they have had their scandal as well, what to do?!<\/p>\n<p>Well, Let&#8217;s Encrypt, a free public CA, is something I have been using anyway for my root server since they started operating. But to verify ownership of a domain name you had to run a web server on that respective host &#8212; something I can&#8217;t easily do for my internal hosts, as they have private IP addresses only, and their host names are not even publicly visible (they don&#8217;t have a public <code>A<\/code> record, only one visible in my internal LAN). Even for my router&#8217;s externally visible host name I can&#8217;t easily use an HTTP-based challenge, as for security reasons I don&#8217;t want to operate a web server there.<\/p>\n<p>By chance I came across the <code>dns<\/code> challenge that is now available in Let&#8217;s Encrypt&#8217;s <code>certbot<\/code>. This challenge works by deploying a <code>TXT<\/code> record, with the name and value that <code>certbot<\/code> tells you, under the domain name in question. Once you have done this, you tell Let&#8217;s Encrypt to check, and if they find the <code>TXT<\/code> record this proves that you have authority over the domain.<\/p>\n<p>Using it is quite straightforward:<\/p>\n<pre># certbot certonly --manual -d hostname.internal.bergs.biz --preferred-challenges \"dns\"\r\n[...]\r\nPlease deploy a DNS TXT record under the name\r\n_acme-challenge.hostname.internal.bergs.biz with the following value:\r\n\r\nYrAE-fmu-Zjsdhsjhd328723hjdhjcjHJJHJhds\r\n\r\nOnce this is deployed,\r\n-------------------------------------------------------------------------------\r\nPress Enter to Continue<\/pre>\n<p>A few seconds later I had successfully received my certificate.<\/p>\n<p>So now I will write a script that will run periodically on my intranet server, retrieve the then-current certificates for my internal hosts from my root server, and deploy them internally.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to get certificates for &#8220;internal&#8221; hosts from Let&#8217;s Encrypt<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,122,46],"tags":[269,270,36,92],"class_list":["post-1247","post","type-post","status-publish","format-standard","hentry","category-computers","category-english","category-security-computers","tag-certificates","tag-lets-encrypt","tag-ssl","tag-tls"],"_links":{"self":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/1247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/comments?post=1247"}],"version-history":[{"count":1,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/1247\/revisions"}],"predecessor-version":[{"id":1248,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/1247\/revisions\/1248"}],"wp:attachment":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/media?parent=1247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/categories?post=1247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/tags?post=1247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}