I'm trying to provide secure services on my home intranet. Up to now I've used self-signed certificates with a made-up domain example.foo, with a subdomain for my separate systems (e.g. srv1.example.foo). These domains are defined on my local DNS server.

Now I've bought the domain example.com, but have no plans to provide any public services. I also have a VPS with static IPs to point example.com to.

I hope to create a wildcard letsencrypt certificate for *.example.com to use for my intranet systems. To separate local systems from anything public, I'd define a subdomain on my local DNS, which should not be resolved on public DNS servers (e.g. *.local.example.com). Local intranet systems would thus use names like srv1.local.example.com.

Is this setup feasible?

Can I create such a certificate on my VPS for *.example.com and secure intranet services with the generated certificate, have my local DNS server resolve domains like srv1.local.example.com to private IPs, and not expose any private IPs or domains to the public?

2 Answers

2

You can't create a wildcard certificate for *.example.com and use it for s1.sd.example.com. This is how certificates work. If you want to create a wildcard certificate for s1.sd.example.com it must be for *.sd.example.com.

Romeo Ninov
  • With letsencrypt and the aforementioned DNS challenge, I should be able to create wildcard certificates for both `*.example.com` and `*.local.example.com`, right? With this I reveal that there are more hosts as subdomains of `local.example.com` (e.g. `srv1.local.example.com`), but all can get valid certificates. – emma.makes Mar 04 '23 at 12:34
  • @emma.makes, correct. For `h1.d1.example.com`, `h2.d1...` you should use `*.d1.example.com` – Romeo Ninov Mar 04 '23 at 14:16
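As an added illustration (not code from either answer), the rule Romeo Ninov describes is the name-matching check a TLS client performs (RFC 6125 section 6.4.3: a wildcard may only be the whole leftmost label and matches exactly one label), followed by a small helper that works out which wildcard names a list of intranet hostnames would need; the hostnames are constructed for the example.

```python
"""Certificate-name matching as a TLS client does it, plus a planning helper."""


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the certificate name `san` (a dNSName SAN) covers `hostname`.

    Rules applied: case-insensitive; a '*' is only honoured as the entire
    leftmost label; it matches exactly one label, so '*.example.com' covers
    'srv1.example.com' but neither 'example.com' nor 'srv1.local.example.com'.
    """
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname  # plain name: exact match only
    if "*" in san[2:]:
        return False  # partial or non-leftmost wildcards are not accepted
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if len(host_labels) != len(san_labels):
        return False  # '*' stands for exactly one label, never zero or two
    if host_labels[0] == "":
        return False  # reject names such as '.example.com'
    return host_labels[1:] == san_labels[1:]


def covered_by(sans, hostname: str) -> bool:
    """True if any SAN in the certificate covers `hostname`."""
    return any(san_matches(san, hostname) for san in sans)


def wildcards_needed(hostnames):
    """Return the sorted set of wildcard names that together cover every host.

    Each host needs the wildcard for its own parent zone; hosts with fewer than
    three labels (e.g. 'example.com') cannot be covered by a wildcard and are
    returned as exact names instead.
    """
    names = set()
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        names.add("*." + ".".join(labels[1:]) if len(labels) >= 3 else ".".join(labels))
    return sorted(names)


if __name__ == "__main__":
    # Constructed example: the asker's intranet hosts plus the public VPS name.
    hosts = ["srv1.local.example.com", "srv2.local.example.com", "vps.example.com"]
    print(wildcards_needed(hosts))  # ['*.example.com', '*.local.example.com']
```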
1

Can I create such a certificate on my VPS for *.example.com and secure intranet services with the generated certificate?

Yes, but it's a strange way of doing it. It doesn't make automation easy.

I would run certbot (or whatever tool you use) on the actual system that needs the certificate, or some server inside your network where the system that needs it can grab it.

Use DNS challenge authentication to validate control over the domain. This requires an external DNS provider that has an API, e.g., Route53, Cloudflare, Azure, or a multitude of others.

You don't need any public DNS records except the TXT records used for validating ownership.

vidarlo
  • Right, so I obviously need to put more research into how letsencrypt allows you to create certificates. Thank you for your response! I'm under the impression that the best practice in this case would be to look into the DNS challenge authentication and issue the certificate from an internal server - correct? – emma.makes Mar 04 '23 at 09:48
  • I would argue so. Less exposure of secrets, less copying, easier to automate potentially. – vidarlo Mar 04 '23 at 09:49
  • The first **yes** (as OP asks the question) is wrong! You can't use a wildcard on more than one level. – Romeo Ninov Mar 04 '23 at 10:56
  • @RomeoNinov Good catch, didn't notice the two levels. – vidarlo Mar 04 '23 at 10:57