Reputation: 1528
Can I use a certificate from letsencrypt to sign local certificates?
I'm annoyed when accessing routers and APs at 192.168.x.x to get security warnings.
I could create my own root cert, and import it into all my browsers etc, and create certs for all the local servers.
But I'd rather have the chain device -> www.example.com -> letsencrypt -> root.
Then also guests could use my local servers/services without this security error.
Upvotes: 1
Views: 3904
Reputation: 77084
Yes, you can get certificates for servers on a private network. The domain must be a real domain with public TXT records, but the A, AAAA, and CNAME records can be private/non-routable (or in a private zone).
No, the way to do that isn't by using Let's Encrypt certificates to sign local certificates.
You can accomplish exactly what you want to accomplish using the DNS-01 challenge (setting TXT records for your domain).
Who is your domain / dns provider?
If you want to test it out real quick, try https://greenlock.domains and choose DNS instead of HTTP for the "how do you want to do this" step.
If you want a configurable, automatable, deployable solution try greenlock.js (there are node plugins for Cloudflare, Route 53, Digital Ocean, and a few other DNS providers).
Both use Let's Encrypt under the hood. Certbot can also be used for either case and can use Python plugins.
P.S. You might also be interested in a service like Telebit, localtunnel, or ngrok.
Upvotes: 0
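To make concrete what the DNS-01 challenge described in this answer actually asks of you, here is an added example in Go; it is not code from the answer, from greenlock, or from certbot. It computes the RFC 7638 thumbprint of an ACME account key, the key authorization that binds a challenge to that account, and the TXT record the CA looks up under `_acme-challenge.<domain>` (RFC 8555 sections 8.1 and 8.4), then checks whether that record is visible in public DNS. Nothing in the exchange requires the host itself to be reachable, which is why an A record pointing at 192.168.x.x is fine. The account key, the domain `router.example.com` and the token are constructed placeholders; with a real client they come from the ACME account and from the challenge object the CA returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
)

// b64 is the unpadded base64url encoding ACME uses for every binary value.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint computes the RFC 7638 thumbprint of a P-256 ACME account key:
// SHA-256 over the JWK's required members, in lexicographic order, no whitespace.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	size := (pub.Curve.Params().BitSize + 7) / 8 // 32 bytes for P-256, zero-padded
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{"P-256", "EC", b64(pub.X.FillBytes(make([]byte, size))), b64(pub.Y.FillBytes(make([]byte, size)))}
	raw, err := json.Marshal(jwk) // struct fields are emitted in declared (= lexicographic) order
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(raw)
	return b64(sum[:])
}

// keyAuthorization is token "." thumbprint (RFC 8555 section 8.1); it ties the
// challenge response to the account that requested the certificate.
func keyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + jwkThumbprint(pub)
}

// dns01Record returns the owner name and the TXT value to publish for DNS-01
// (RFC 8555 section 8.4): base64url(SHA-256(keyAuthorization)) at _acme-challenge.<domain>.
func dns01Record(domain, token string, pub *ecdsa.PublicKey) (name, value string) {
	sum := sha256.Sum256([]byte(keyAuthorization(token, pub)))
	return "_acme-challenge." + domain, b64(sum[:])
}

// recordPublished checks public DNS for the value before the CA is asked to
// validate. It needs network access; it is the only step here that leaves the machine.
func recordPublished(name, value string) bool {
	txts, err := net.LookupTXT(name)
	if err != nil {
		return false
	}
	for _, t := range txts {
		if t == value {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: a throwaway account key and a made-up token. A real
	// token is the one the CA returns in the dns-01 challenge object.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	name, value := dns01Record("router.example.com", "example-token-from-the-challenge", &key.PublicKey)
	fmt.Printf("%s. 120 IN TXT \"%s\"\n", name, value)
	fmt.Println("visible in public DNS:", recordPublished(name, value))
}
```

The TXT value is a hash, so publishing it reveals nothing about the account key, and the record can be removed once the order is finalized. A client plugin for your DNS provider does nothing more than create this record through the provider's API and wait for propagation before telling the CA to validate.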
Reputation: 39271
No, you cannot, because the certificate issued to you by letsencrypt will not have the keyUsage certificate signing enabled. Without this attribute in the issuer, any browser or SSL client must reject the certificate.
If this were possible, anyone could issue valid certificates for any server simply by having a valid certificate from a trusted CA.
If you want to issue certificates for your local servers you will need to create your own CA and include the root certificate in the truststore of each client.
Upvotes: 1
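The private-CA route this answer recommends, and the reason the chain from the question fails, as an added example in Go (not code from the answer): it builds a root with CA:TRUE and keyCertSign, issues a server certificate for router.lan / 192.168.1.1, verifies it the way a browser would, and then tries to use a CA:FALSE server certificate (standing in for a Let's Encrypt certificate for www.example.com) as the issuer of the router's certificate. The names, the "Home Lab Root CA" label and the `must` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error: acceptable for a demo, not for a real CA tool.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newRootCA creates the self-signed root that every client must be told to trust.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true, // basicConstraints CA:TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// serverTemplate is an end-entity certificate: CA:FALSE, no keyCertSign, exactly what a public CA issues for a web server.
func serverTemplate(dnsName string, ips ...net.IP) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		IPAddresses:           ips,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, 90),
		BasicConstraintsValid: true, // IsCA stays false
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issueServerCert has issuer sign a fresh key for dnsName/ips; the CreateCertificate error is returned so a refusal can be observed.
func issueServerCert(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, dnsName string, ips ...net.IP) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der, err := x509.CreateCertificate(rand.Reader, serverTemplate(dnsName, ips...), issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyServer does what a browser does: chain cert through intermediates to a trusted root and check it covers host (DNS name or IP).
func verifyServer(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// tryIssueWithLeaf attempts the chain from the question, router.lan <- www.example.com (CA:FALSE) <- root,
// and returns the error that stops it. A nil result would mean a non-CA certificate was accepted as an issuer.
func tryIssueWithLeaf(leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, root *x509.Certificate) error {
	router, _, err := issueServerCert(leaf, leafKey, "router.lan", net.ParseIP("192.168.1.1"))
	if err != nil {
		return fmt.Errorf("issuance refused: %w", err)
	}
	if err := verifyServer(router, []*x509.Certificate{leaf}, root, "router.lan"); err != nil {
		return fmt.Errorf("chain rejected: %w", err)
	}
	return nil
}

func main() {
	root, rootKey := newRootCA("Home Lab Root CA")
	router, _, err := issueServerCert(root, rootKey, "router.lan", net.ParseIP("192.168.1.1"))
	www, wwwKey, err2 := issueServerCert(root, rootKey, "www.example.com")
	if err != nil || err2 != nil {
		panic("issuance failed")
	}
	fmt.Println("router.lan via private CA:", verifyServer(router, nil, root, "router.lan"))
	fmt.Println("router.lan via www.example.com:", tryIssueWithLeaf(www, wwwKey, root))
}
```

The first line prints `<nil>` only for clients that hold the root in their trust store, which is the limitation the answer points out for guests. The second never prints `<nil>`: either the library refuses to sign with a non-CA key, or path validation rejects the chain because the intermediate lacks CA:TRUE. The same rejection applies to any real certificate you could obtain from Let's Encrypt. Keep the root key offline (or at least off the servers that present the leaf certificates), because anyone holding it can issue a certificate for any name your clients will accept.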