
Using Let's Encrypt certs on LAN with DNS redirection?

I'm trying to use existing LE certs with a server on my LAN. I exposed port 443 to get the certs for mine.example.com and https access works fine from the WAN.

However, I assumed (perhaps foolishly) that I might be able to use the same certs internally by setting up DNS redirection (using dnsmasq on a separate box) on my LAN to point mine.example.com to the local IP.

Redirection works fine and points local machines to the internal IP when I go to mine.example.com but the certs now show 'Certificate Authority Invalid' errors.

Perhaps I misunderstand how the CA process works but I assumed that, since LE certs are DNS based, they should still work with local DNS redirection.

Does anyone know how to make this work?

Or can anyone explain why it doesn't work?

I know I can get different certs for local machines from LE but that would mean trying to configure the server to use different certs for internal and external access. Assuming I need to do this, is there an easy way to use different certs depending on source traffic?

I'll be serving web content through nginx and also a Webmin admin panel, so it may be relatively easy to do for nginx given the flexibility in the configs (although Google hasn't been too helpful here either), but I'm not sure about other web services running on the machine?

P.S. sorry if this turns out to be a duplicate but couldn't find anything with a lot of searching here (or on the Googles).

    • The certs do not "show" Certificate Authority Invalid; that is not in them. This comes from the software you are using, and you will need to give more details on what software you are using to connect to what server and the specific error. Maybe your second piece of software does not have the same list of CAs and does not recognize the LE CA. In short, yes, you can use the same certificate internally; a certificate "certifies" a name, not an IP, so this is orthogonal to what happens in the DNS (except if you are starting to use things like DANE and so on).
    • Thanks Patrick, I'm using Chrome in Windows 10 which shows a 'Certificate Authority Invalid' error. And on a Ubuntu 16.04 machine on the LAN when I curl mine.example.com I get a 'server certificate verification failed' error, even after running 'update-ca-certificate' to make sure the CA bundle is up to date. What you said in your reply was how I thought things worked but somehow the LE CA doesn't seem to be recognised in either system. Any advice/thoughts?
    • The LE root certificate may not be included by your distribution for whatever reason, and hence update-ca-certificate does not help you. You should investigate your errors to make 100% sure it is related to the CA (the error message is not detailed enough), and then install the missing root certificates (this will depend on what distribution you are using; have a look at /etc/ssl, for example).

You will need to check the certificates in each system's trusted root store to see if the relevant root CAs are installed.

Let's Encrypt has documentation on their certificates: https://letsencrypt.org/certificates/ Note that they were cross-signed by IdenTrust, in addition to the chain signed by their own root, ISRG.

On Windows, opening a certificate and looking at the Certification Path tab shows the chain. Untrusted certificates have an error badge icon and show a status text different from OK. Check which root you are using and whether it is in your trusted store. In Chrome, the cert can be found in the F12 devtools, Security tab.

Also consider using a TLS tester against it, such as testssl.sh. The certificate store will be different, but it can show a number of problems.

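The answer's advice is to compare the chain the server sends when reached via the public address with the chain it sends when reached via the LAN address, and look for the difference. The script below is an added example for this thread, not code from the original post or from any tool the thread names: it drives `openssl s_client -connect <address>:443 -servername <name> -showcerts` (so the LAN IP can be dialled while still asking for the public hostname, as the dnsmasq override does), parses the `s:`/`i:` chain listing, reports where the two chains differ, and flags a chain whose links do not fit together. The sample `s_client` output embedded at the bottom is constructed, not captured from a real server, and the hostname and addresses are placeholders.

```python
"""Compare the certificate chain a TLS server presents over WAN and LAN.

Added example, not the original poster's code. Assumes `openssl` is on
PATH and that the server speaks TLS on port 443.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class ChainEntry:
    depth: int      # 0 = leaf (server cert), 1 = first intermediate, ...
    subject: str
    issuer: str


# `openssl s_client -showcerts` lists each chain element as, e.g.:
#  0 s:CN = mine.example.com
#    i:C = US, O = Let's Encrypt, CN = R3
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s+i:(.*)$")


def parse_showcerts(output: str) -> list[ChainEntry]:
    """Extract (depth, subject, issuer) for every certificate in the listing."""
    entries: list[ChainEntry] = []
    depth: int | None = None
    subject: str | None = None
    for line in output.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            depth, subject = int(m.group(1)), m.group(2).strip()
            continue
        m = _ISSUER_RE.match(line)
        if m and subject is not None and depth is not None:
            entries.append(ChainEntry(depth, subject, m.group(1).strip()))
            depth = subject = None
    return entries


def fetch_showcerts(address: str, server_name: str, port: int = 443) -> str:
    """Run s_client against ADDRESS with SNI set to SERVER_NAME; return its stdout."""
    cmd = ["openssl", "s_client", "-connect", f"{address}:{port}",
           "-servername", server_name, "-showcerts"]
    # Empty stdin makes s_client exit as soon as the handshake is complete.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")


def diff_chains(wan: list[ChainEntry], lan: list[ChainEntry]) -> list[str]:
    """Describe every depth at which the two chains disagree."""
    problems = []
    for depth in range(max(len(wan), len(lan))):
        a = wan[depth] if depth < len(wan) else None
        b = lan[depth] if depth < len(lan) else None
        if a is None:
            problems.append(f"depth {depth}: only via LAN: {b.subject}")
        elif b is None:
            problems.append(f"depth {depth}: only via WAN: {a.subject}")
        elif (a.subject, a.issuer) != (b.subject, b.issuer):
            problems.append(f"depth {depth}: WAN sent {a.subject!r} issued by "
                            f"{a.issuer!r}, LAN sent {b.subject!r} issued by {b.issuer!r}")
    return problems


def chain_linkage_issues(chain: list[ChainEntry]) -> list[str]:
    """Check that each certificate's issuer is the subject of the next one."""
    issues = []
    if len(chain) == 1:
        issues.append("server sent only the leaf certificate; clients that do not "
                      "already hold the intermediate cannot build a trusted path")
    for cur, nxt in zip(chain, chain[1:]):
        if cur.issuer != nxt.subject:
            issues.append(f"depth {cur.depth} is issued by {cur.issuer!r} but "
                          f"depth {nxt.depth} is {nxt.subject!r}")
    return issues


def compare(server_name: str, wan_address: str, lan_address: str) -> list[str]:
    """Fetch both chains and return a human-readable list of findings."""
    wan = parse_showcerts(fetch_showcerts(wan_address, server_name))
    lan = parse_showcerts(fetch_showcerts(lan_address, server_name))
    return diff_chains(wan, lan) + [f"LAN chain: {m}" for m in chain_linkage_issues(lan)]


# Constructed sample listings (not captured from a real server): the WAN
# side sends leaf + intermediate, the LAN side sends only the leaf.
SAMPLE_WAN = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = mine.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(constructed sample, body omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
(constructed sample, body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mine.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
"""
SAMPLE_LAN = """\
Certificate chain
 0 s:CN = mine.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(constructed sample, body omitted)
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a live check call
    # compare("mine.example.com", "<public-ip>", "<lan-ip>") instead.
    wan_chain, lan_chain = parse_showcerts(SAMPLE_WAN), parse_showcerts(SAMPLE_LAN)
    for finding in diff_chains(wan_chain, lan_chain) + chain_linkage_issues(lan_chain):
        print(finding)
```

A difference at depth 1 or deeper almost always points at the server-side certificate file rather than at the client: the leaf is the same in both cases, but one listener is sending the intermediate and the other is not, which is exactly the kind of discrepancy the answer says to hunt for in the web server's certificate configuration.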
    • Thanks John. I had done some digging around this and have been trying to add the certs to the trusted root store. However, I'm still not clear on why the certs would appear to be trusted when accessing the server externally, but not trusted internally. When I remove the LAN DNS resolution the same Windows and Ubuntu machines do trust the cert, but when I enable local DNS resolution the trust stops. I would have thought it should still trust it since the cert is still valid for the domain name. Is there some extra on-the-fly validation which takes place when connecting externally?
    • The browser does not distinguish LAN from WAN. I don't know what else to tell you. Examine all certs in both the working and not working certificate chains. There will be a difference. Then find that difference in the certificate configuration on your (web?) server.
    • I just tried running an nginx reverse proxy in front of the web services. It all works fine now. The proxy terminates the SSL connection itself, so it is not reliant on the web service handling the certs correctly. Clearly there was something happening in the way the web service was handling the certificates that stopped it working internally. Thanks for all the help.
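The arrangement the last comment settles on, one nginx listener terminating TLS with the Let's Encrypt certificate and proxying to the local service, looks like the following. This is an added example and not the poster's configuration; the hostname, the certbot-style certificate paths and the backend port are assumptions. Because the same listener answers LAN and WAN clients, no per-source certificate selection is needed, which also answers the question's "different certs depending on source traffic" worry.

```nginx
# TLS is terminated here; the backend service only ever sees plain HTTP
# from 127.0.0.1 and never touches the certificate files.
server {
    listen 443 ssl;
    server_name mine.example.com;

    # nginx sends exactly what is in ssl_certificate. fullchain.pem holds
    # the server certificate followed by the intermediate; pointing this at
    # a leaf-only cert.pem would leave clients to locate the intermediate
    # themselves. Paths follow certbot's layout and are assumptions here.
    ssl_certificate     /etc/letsencrypt/live/mine.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mine.example.com/privkey.pem;

    location / {
        # Assumed: the local service listens on plain HTTP at this address
        # (e.g. Webmin with its own SSL disabled, default port 10000).
        proxy_pass http://127.0.0.1:10000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Send plain-HTTP requests (from either side of the router) to the TLS listener.
server {
    listen 80;
    server_name mine.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, the chain comparison from the answer should show the same leaf and intermediate whether the name resolves to the WAN or the LAN address, since both now hit the same listener and the same certificate file.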
