{"id":1247,"date":"2018-02-24T17:52:42","date_gmt":"2018-02-24T16:52:42","guid":{"rendered":"https:\/\/bergs.biz\/blog\/?p=1247"},"modified":"2018-02-24T17:52:42","modified_gmt":"2018-02-24T16:52:42","slug":"get-certificates-for-internal-hosts-from-lets-encrypt","status":"publish","type":"post","link":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/","title":{"rendered":"Get certificates for “internal” hosts from Let’s Encrypt"},"content":{"rendered":"

I have a pretty large internal IT “landscape” in my house, and as an IT pro I want everything to be clean and “safe.” So even internally I’m using official SSL (or I should say “TLS”, as SSL 2.0 or 3.0 is deprecated since many years…) certificates for my router, WiFi access points, NAS devices, intranet server, etc., using host names in my own domain. I host this domain DNS-wise myself on a root server I rent from Hetzner<\/a>.<\/p>\n

Before the StartSSL disaster I got my certs from them. Afterwards I switched to WOSign, but now that they had their scandal as well, what to do?!<\/p>\n

Well, Let’s Encrypt, a free public CA, is something I’m using anyway for my root server since they started operating. But to verify ownership of a domain name you had to run a web server on that respective host — something I can’t easily do for my internal hosts, as they have private IP addresses only, and their host names are not even publicly visible (they don’t have\u00a0 a public A<\/code> record, only one visible in my internal LAN). Even for my router’s externally visible host name I can’t easily use an HTTP-based challenge, as for security reasons I don’t want to operate a web server there.<\/p>\n

By chance I came across the dns<\/code> challenge that is now available in Let’s Encrypt’s certbot<\/code>. This challenge works by deploying a TXT<\/code> record that certbot<\/code> requests to be under this domain name. Once you did this, you tell Let’s Encrypt to check, and if they find the TXT<\/code> record this proves that you have authority over the domain.<\/p>\n

Using it is quite straight forward:<\/p>\n

# certbot certonly --manual -d hostname.internal.bergs.biz --preferred-challenges \"dns\"\r\n[...]\r\nPlease deploy a DNS TXT record under the name\r\n_acme-challenge.hostname.internal.bergs.biz with the following value:\r\n\r\nYrAE-fmu-Zjsdhsjhd328723hjdhjcjHJJHJhds\r\n\r\nOnce this is deployed,\r\n-------------------------------------------------------------------------------\r\nPress Enter to Continue<\/pre>\n
A few seconds later I had successfully received my certificate.<\/p>\n
So now I will write a script that will run periodically on my intranet server, and that will retrieve the then-current certificates for my internal hosts from my root server, and deploy them internally.<\/p>\n","protected":false},"excerpt":{"rendered":"
How to get certificates for “internal” hosts from Let’s Encrypt<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,122,46],"tags":[269,270,36,92],"class_list":["post-1247","post","type-post","status-publish","format-standard","hentry","category-computers","category-english","category-security-computers","tag-certificates","tag-lets-encrypt","tag-ssl","tag-tls"],"yoast_head":"\nGet certificates for "internal" hosts from Let's Encrypt - Ralf's Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Get certificates for "internal" hosts from Let's Encrypt - Ralf's Blog\" \/>\n<meta property=\"og:description\" content=\"How to get certificates for "internal" hosts from Let's Encrypt\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/\" \/>\n<meta property=\"og:site_name\" content=\"Ralf's Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-02-24T16:52:42+00:00\" \/>\n<meta name=\"author\" content=\"Ralf Bergs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ralfbergs\" \/>\n<meta name=\"twitter:site\" content=\"@ralfbergs\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ralf Bergs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/\"},\"author\":{\"name\":\"Ralf Bergs\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\"},\"headline\":\"Get certificates for “internal” hosts from Let’s Encrypt\",\"datePublished\":\"2018-02-24T16:52:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/\"},\"wordCount\":334,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\"},\"keywords\":[\"certificates\",\"Let's Encrypt\",\"ssl\",\"TLS\"],\"articleSection\":[\"Computers\",\"English\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/\",\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/\",\"name\":\"Get certificates for \\\"internal\\\" hosts from Let's Encrypt - Ralf's Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#website\"},\"datePublished\":\"2018-02-24T16:52:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2018\\\/02\\\/24\\\/get-certificates-for-internal-hosts-from-lets-encrypt\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Get certificates for “internal” hosts from Let’s Encrypt\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/\",\"name\":\"Ralf's Blog\",\"description\":\"Just another WordPress weblog\",\"publisher\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\",\"name\":\"Ralf Bergs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\",\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\",\"contentUrl\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\",\"width\":1024,\"height\":1024,\"caption\":\"Ralf Bergs\"},\"logo\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\"},\"description\":\"Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.\",\"sameAs\":[\"https:\\\/\\\/bergs.biz\\\/\",\"https:\\\/\\\/linkedin.com\\\/in\\\/ralfbergs\\\/\",\"https:\\\/\\\/x.com\\\/ralfbergs\"],\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/author\\\/rabe\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Get certificates for \"internal\" hosts from Let's Encrypt - Ralf's Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/","og_locale":"en_US","og_type":"article","og_title":"Get certificates for \"internal\" hosts from Let's Encrypt - Ralf's Blog","og_description":"How to get certificates for \"internal\" hosts from Let's Encrypt","og_url":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/","og_site_name":"Ralf's Blog","article_published_time":"2018-02-24T16:52:42+00:00","author":"Ralf Bergs","twitter_card":"summary_large_image","twitter_creator":"@ralfbergs","twitter_site":"@ralfbergs","twitter_misc":{"Written by":"Ralf Bergs","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/#article","isPartOf":{"@id":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/"},"author":{"name":"Ralf Bergs","@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201"},"headline":"Get certificates for “internal” hosts from Let’s Encrypt","datePublished":"2018-02-24T16:52:42+00:00","mainEntityOfPage":{"@id":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/"},"wordCount":334,"commentCount":0,"publisher":{"@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201"},"keywords":["certificates","Let's Encrypt","ssl","TLS"],"articleSection":["Computers","English","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/","url":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/","name":"Get certificates for \"internal\" hosts from Let's Encrypt - Ralf's Blog","isPartOf":{"@id":"https:\/\/bergs.biz\/blog\/#website"},"datePublished":"2018-02-24T16:52:42+00:00","breadcrumb":{"@id":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/bergs.biz\/blog\/2018\/02\/24\/get-certificates-for-internal-hosts-from-lets-encrypt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergs.biz\/blog\/"},{"@type":"ListItem","position":2,"name":"Get certificates for “internal” hosts from Let’s Encrypt"}]},{"@type":"WebSite","@id":"https:\/\/bergs.biz\/blog\/#website","url":"https:\/\/bergs.biz\/blog\/","name":"Ralf's Blog","description":"Just another WordPress weblog","publisher":{"@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergs.biz\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201","name":"Ralf Bergs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg","url":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg","contentUrl":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg","width":1024,"height":1024,"caption":"Ralf Bergs"},"logo":{"@id":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg"},"description":"Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.","sameAs":["https:\/\/bergs.biz\/","https:\/\/linkedin.com\/in\/ralfbergs\/","https:\/\/x.com\/ralfbergs"],"url":"https:\/\/bergs.biz\/blog\/author\/rabe\/"}]}},"_links":{"self":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/1247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/comments?post=1247"}],"version-history":[{"count":1,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/1247\/revisions"}],"predecessor-version":[{"id":1248,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/1247\/revisions\/1248"}],"wp:attachment":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/media?parent=1247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/categories?post=1247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/tags?post=1247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}