The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Some links on using and updating Let’s Encrypt certificates for internal servers

Posted by jpluimers on 2022/02/01

Sometimes it is easier to have current and public CA signed TLS certificates for internal servers than to setup and maintain an internal CA and register it on all affected browsers (including mobile phones).

One of my reasons to investigate this is that Chrome refuses to save credentials on servers that have no verifiable TLS certificate, see my post Some links on Chrome not prompting to save passwords (when Firefox and Safari do) about a week ago.

Below are some links for my link archive that hopefully will allow me to do this with Let’s Encrypt (most via [Wayback/Archive] letsencrypt for internal servers – Google Search):

  • [Wayback/Archive] Using Let’s Encrypt with internal web servers (without DNS challenge) | Andy Gock

    TL;DR

    • Use internet facing domain on an internal network, I normally use subdomains for this.
    • Domain must have a DNS A record pointing to a public facing web server so Let’s Encrypt can find it for the [Wayback/Archive] HTTP-01 challenge. This can be served as an empty site or just as a 404 response.
    • Remote VPS uses [Wayback/Archive] certbot to renew SSL certificates as normal.
    • Use a script like [Wayback/Archive] renew-letsencrypt-certificates.sh to copy the SSL certs from the remote machine to our local private machine. Run this as a cron job.
    • [Wayback/Archive.is] renew-letsencrypt-certificates.sh
      # renew-letsencrypt-certificates.sh DOMAIN [EMAIL]
      #
      # Copy Let's Encrypt SSL certs from a remote public facing web server to local filesystem
      # Look for changes, if any change, restarts the web service
      # Useful for using Let's Encrypt with local internal servers, with custom DNS.
      # Working "mail" command needed for email alerts
  • [Wayback/Archive.is] Corollarium/localtls: DNS server for providing TLS to webservices on local addresses: insecure as everyone on the local LAN can download public and private keys
  • [Wayback/Archive.is] Here’s another free CA as an alternative to Let’s Encrypt!
    one of them being to manage certificates for all of my internal devices. My certificate management is nothing fancy, I just have a few bash scripts running via cron that obtain new certificates and deploy them locally on the server or SCP them to where they need to be on my network devices like my UniFi Dream Machine Pro or my UniFi Protect NVR. I’ve now added a random selection for which CA will be used so from now on, Let’s Encrypt won’t be my exclusive CA!
    #!/bin/bash
    set -e
    SERVERS=("zerossl" "letsencrypt" "buypass" "sslcom")
    /home/scott/acme.sh/acme.sh --issue --dns dns_cf -d homeassistant.scotthelme.co.uk --force --keylength ec-256 --server $(shuf -n1 -e "${SERVERS[@]}")
    If you’re using Certificate Authority Authorisation then don’t forget to set the ssl.com value to let them issue certificates for your domain, but other than that, it’s easy!
  • [Wayback/Archive] Internal SSL Certs with Let’s Encrypt

    Here’s what you’ll need:
    1. Register any DNS names that you’re generating certificates for and the entries need to point to public IP addresses that are accessible on TCP/443. However, the port only needs to be available while you’re requesting the certificate; it can be closed otherwise.
    2. You’ll need a Linux system with nothing running on port 443 (or where you can temporarily stop the service using the port).
    3. Finally, you’ll need the letsencrypt command; on Debian/Ubuntu it’s as simple as apt-get install letsencrypt.

    I’ll walk through the process using this site – thesoloadmin.com – as an example.
    1. Assuming letsencrypt is already installed, I’ll stop the webserver temporarily to request the cert: systemctl stop nginx
    2. To renew all certificates located under /etc/letsencrypt/live you would use the flag renew. However, since I only want to renew a single certificate, I’ll be using the certonly flag (you would also use the certonly flag for a new certificate request). You’ll want to use the directory name under /etc/letsencrypt/live/ as the domain name to renew; e.g. mine is thesoloadmin.com, although the certificate contains alternate names for thesoloadmin.blog, thesoloadmin.org, thesoloadmin.info, and thesoloadmin.net. The command to renew a single certificate is simply: letsencrypt certonly -d thesoloadmin.com. You’ll be prompted to either start a temporary webserver or place files in webroot directory; I always choose the temporary webserver option because it’s the easiest. The output from the command will be similar to the following:

    It appeared later also as [Wayback/Archive] Internal SSL Certs with Let’s Encrypt – CodeProject.
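The copy-and-restart step from Andy Gock’s TL;DR above, written out as an added example (my own sketch, not his renew-letsencrypt-certificates.sh and not the thesoloadmin script). It assumes certbot on the public host leaves the files in /etc/letsencrypt/live/DOMAIN/, that this internal server can scp from there, that openssl is installed for the key/cert sanity check, and that the service is restarted with systemctl; the REMOTE, DOMAIN, DEST_DIR and SERVICE arguments are placeholders.

```sh
#!/bin/sh
# Added example: pull the certbot output for DOMAIN from public host REMOTE,
# install it on this internal server, restart SERVICE only when files changed.
set -eu

# Copy fullchain.pem and privkey.pem for DOMAIN from REMOTE into the STAGE dir.
fetch_certs() {  # fetch_certs REMOTE DOMAIN STAGE
  scp -q "$1:/etc/letsencrypt/live/$2/fullchain.pem" \
         "$1:/etc/letsencrypt/live/$2/privkey.pem" "$3/"
}
# Refuse a half-copied or mismatched pair: the key must belong to the leaf cert.
key_matches_cert() {  # key_matches_cert CHAIN KEY
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
# Succeeds (0) when CUR is missing or differs from NEW, fails (1) when identical.
cert_changed() {  # cert_changed CUR NEW
  [ ! -f "$1" ] || ! cmp -s "$1" "$2"
}
# Write SRC to DEST atomically with MODE; the temp file is never world-readable.
install_file() {  # install_file SRC DEST MODE
  ( umask 077 && cp "$1" "$2.tmp" )
  chmod "$3" "$2.tmp"
  mv -f "$2.tmp" "$2"
}
# Install changed files from STAGE into DEST_DIR: chain 0644, private key 0600.
# Returns 0 if anything was replaced, 1 if the live copy was already current.
deploy_certs() {  # deploy_certs STAGE DEST_DIR
  changed=1
  for f in fullchain.pem privkey.pem; do
    if cert_changed "$2/$f" "$1/$f"; then
      case $f in privkey.pem) mode=0600 ;; *) mode=0644 ;; esac
      install_file "$1/$f" "$2/$f" "$mode"
      changed=0
    fi
  done
  return $changed
}
# Full cycle, meant for cron: fetch, sanity-check, deploy, restart only on change.
sync_certs() {  # sync_certs REMOTE DOMAIN DEST_DIR SERVICE
  stage=$(mktemp -d)
  fetch_certs "$1" "$2" "$stage"
  key_matches_cert "$stage/fullchain.pem" "$stage/privkey.pem"
  if deploy_certs "$stage" "$3"; then systemctl restart "$4"; fi
  rm -rf "$stage"
}

# Usage from cron: sh this-script.sh sync REMOTE DOMAIN DEST_DIR SERVICE
if [ "${1:-}" = sync ]; then sync_certs "$2" "$3" "$4" "$5"; fi
```

Unlike a plain scp-then-restart job, the service is only bounced when a file really changed, and the private key never exists on disk with permissions wider than 0600.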

Since I need this for ESXi:

–jeroen