Why SSL is Important and How to Set Up SSL Using Let’s Encrypt with DNS-01 Challenge for Intranet

Introduction: Why SSL is So Important

In today’s digital landscape, SSL (Secure Sockets Layer; the protocol actually in use today is its successor TLS, Transport Layer Security, but the name SSL has stuck) is a critical component for securing data across the web. It encrypts the traffic between the web server and the user’s browser so that nobody on the network path can read or alter it in transit. Whether you’re working on an external website or an internal intranet, SSL plays an essential role in safeguarding sensitive data.

Here’s why SSL is crucial:

  1. Data Encryption: SSL encrypts the connection, so an attacker who can observe the traffic (on the Wi-Fi, at a switch, at a proxy) cannot read login credentials, session cookies, financial information or personal data.
  2. Data Integrity: every record is authenticated, so data that is modified or injected in transit is detected and the connection fails instead of silently accepting tampered content.
  3. Authentication: the server’s certificate binds its hostname to a public key and is signed by a certificate authority the browser already trusts, so users can tell the legitimate server from an impersonator, and a man-in-the-middle on the path cannot pose as the site.

SSL is critical even for internal intranet sites, which are often overlooked when it comes to security. An internal network is rarely as trusted as it looks (guest Wi-Fi, contractor laptops, one phished workstation), and intranet logins often reuse the same corporate credentials that unlock everything else. Whether it’s for protecting internal communications, databases, or local applications, securing your intranet with SSL ensures confidentiality and trust within your network.

In this article, we’ll focus on how to use Let’s Encrypt to secure your intranet with SSL by using the DNS-01 challenge, a method that is ideal for internal hosts that Let’s Encrypt cannot reach over HTTP from the internet (which is what the standard HTTP-01 challenge requires).


Why the DNS-01 Challenge is Better for Intranets

Let’s Encrypt provides free certificates whose renewal can be automated, and public websites usually prove control of their hostname with the HTTP-01 challenge: Let’s Encrypt’s validation servers fetch a token from http://<hostname>/.well-known/acme-challenge/ over the public internet. Intranet hosts are not reachable that way, so HTTP-01 cannot be used for them. This is where the DNS-01 challenge comes into play.

The DNS-01 challenge proves control of the domain through DNS instead. Certbot gives you a value derived from the challenge token and your account key; you publish it as a TXT record named _acme-challenge.<your domain>, and Let’s Encrypt looks that record up. The record must be resolvable from the public internet, because Let’s Encrypt queries it from its own validation servers, but the web server itself never has to be.

Here’s why DNS-01 is better for securing intranet sites:

  • No Public Access Required: the intranet site stays behind the firewall. The only thing exposed is the _acme-challenge TXT record in the domain’s public DNS zone, and that value is useless to anyone else once the challenge has completed.
  • Wildcard Certificates: DNS-01 is the only Let’s Encrypt challenge that can issue wildcard certificates (e.g., *.intranet.domain.com). One certificate covers many internal hostnames, and as a bonus the individual hostnames stay out of the public Certificate Transparency logs in which every issued certificate is recorded.
  • Works with Split-Horizon DNS: the hostnames themselves can resolve only on your internal DNS, or to private addresses, as long as the _acme-challenge record is published in the public zone. What does not work is a private TLD such as .local or .lan: Let’s Encrypt only issues for registered public domains, so the intranet must live under a subdomain of one.

Setting Up SSL for Intranet with Let’s Encrypt DNS-01 Challenge

Prerequisites:

  • A registered public domain (or a subdomain of one) for the intranet, and access to its public DNS zone so you can add TXT records.
  • Let’s Encrypt’s Certbot tool installed on the server that will hold the private key.
  • Administrative access to your DNS provider or authoritative DNS server (for the challenge record) and to the internal DNS your clients use (for the hostnames themselves).
  • Apache or Nginx (or any web server) running on your intranet site.

Step-by-Step: Using Let’s Encrypt with DNS-01 Challenge

Step 1: Install Certbot

To begin, you need to install Certbot, the client that will handle SSL certificate requests from Let’s Encrypt.

For Debian/Ubuntu systems, you can install Certbot from the distribution packages:

sudo apt update
sudo apt install certbot

For Apache integration:

sudo apt install python3-certbot-apache

For Nginx integration:

sudo apt install python3-certbot-nginx

(The Apache and Nginx plugins are optional for the manual DNS-01 flow used below; they are only needed if you want Certbot to edit the web server configuration for you.)

Step 2: Requesting the Certificate Using DNS-01 Challenge

Now that Certbot is installed, you can use it to issue a certificate via the DNS-01 challenge. In its simplest form this uses Certbot’s manual plugin, so you add the TXT record yourself. Two consequences matter: Certbot does not touch your web server configuration (that is Step 5), and a certificate obtained this way cannot be renewed unattended until you add hook scripts (Step 6).

Run the following command to initiate the DNS-01 challenge:

sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'

Replace example.com with your actual intranet domain, and quote the wildcard so the shell does not try to expand it. The wildcard *.example.com covers hosts one label below the domain (wiki.example.com) but not the bare example.com itself, which is why both names are requested here. Each name is a separate DNS-01 challenge, so Certbot will prompt you twice, both times for a TXT record named _acme-challenge.example.com but with a different value: add the second value as an additional record without deleting the first, because both must be present when Let’s Encrypt validates.

Step 3: Add TXT Record to DNS

Certbot will provide a special TXT record that you need to add to your DNS provider’s control panel or your local DNS server.

Here’s an example output from Certbot:

Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

xYzAbCdEf1234567890

Before continuing, verify the record is deployed.

You’ll need to log in to your DNS provider or internal DNS management tool and add the _acme-challenge record with the value provided by Certbot.

Once the record is created, give it time to reach every authoritative server for the zone. Let’s Encrypt resolves the name itself, from several vantage points, so a record that is missing or stale on one secondary server will fail the challenge; a public resolver’s cache tells you little about what the authoritative servers answer. Use a short TTL (60 seconds or so) on the record and confirm with dig that each authoritative server returns the value before you continue in Certbot.
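The following check is an added example, not part of the original article or of Certbot: it looks up the zone’s authoritative name servers and polls each of them for the _acme-challenge TXT record until all of them serve the expected value. It assumes the dig tool is installed (package bind9-dnsutils on Debian/Ubuntu); the domain and token are the placeholders from the sample output above.

```shell
#!/bin/sh
# Added example (not from the original article). Confirm the _acme-challenge
# TXT record is served by every authoritative name server before pressing
# Enter in Certbot. Assumes `dig` is installed; names below are placeholders.

# challenge_name DOMAIN: the record name Let's Encrypt queries. A wildcard is
# validated at its base name, so a leading "*." is dropped.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# txt_values_contain DIG_OUTPUT TOKEN: DIG_OUTPUT is what `dig +short TXT`
# prints (one quoted string per line, possibly several records). Succeeds if
# one record is exactly TOKEN. Pure string handling, so it runs offline.
txt_values_contain() {
    expected=$2
    while IFS= read -r txt_line; do
        if [ -z "$txt_line" ]; then continue; fi
        txt_value=${txt_line#\"}          # strip the quotes dig adds
        txt_value=${txt_value%\"}
        if [ "$txt_value" = "$expected" ]; then return 0; fi
    done <<EOF
$1
EOF
    return 1
}

# wait_for_txt DOMAIN TOKEN [ATTEMPTS]: find the zone cut (walking up one label
# at a time if DOMAIN is not itself delegated), then poll every authoritative
# server. Let's Encrypt's resolvers end up asking those servers, so success
# requires all of them to answer with the token.
wait_for_txt() {
    domain=${1#\*.}; token=$2; attempts=${3:-20}
    name=$(challenge_name "$domain")
    zone=$domain
    servers=$(dig +short NS "$zone")
    while [ -z "$servers" ] && [ "${zone#*.}" != "$zone" ]; do
        zone=${zone#*.}
        servers=$(dig +short NS "$zone")
    done
    if [ -z "$servers" ]; then
        echo "no NS records found for $domain or its parents" >&2
        return 1
    fi
    attempt=1
    while [ "$attempt" -le "$attempts" ]; do
        missing=0
        for ns in $servers; do
            answer=$(dig +short @"$ns" TXT "$name" 2>/dev/null)
            if txt_values_contain "$answer" "$token"; then
                echo "attempt $attempt: $ns serves the record"
            else
                echo "attempt $attempt: $ns does not serve it yet"
                missing=1
            fi
        done
        if [ "$missing" -eq 0 ]; then return 0; fi
        sleep 15
        attempt=$((attempt + 1))
    done
    echo "gave up waiting for $name on the servers of $zone" >&2
    return 1
}

# Usage, with the article's placeholder domain and token:
#   wait_for_txt '*.example.com' xYzAbCdEf1234567890 && echo "safe to press Enter in Certbot"
```

When you request both example.com and *.example.com, run the check once per value Certbot hands you; the first record must still be present when you check the second.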

Step 4: Verify and Complete the Process

Once the TXT record is visible on the authoritative servers, return to your terminal and press Enter. Certbot asks Let’s Encrypt to validate; Let’s Encrypt looks up the record and, if the value matches, issues the certificate.

You should see a success message similar to this:

Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem

Step 5: Configure Apache or Nginx for SSL

Now that you have the certificate, the next step is configuring your web server to use it. Reference the paths under /etc/letsencrypt/live/ directly: they are symlinks that Certbot repoints at the newest version on every renewal, so copying the files elsewhere means serving an expired certificate later. privkey.pem is the private key and is kept root-only under /etc/letsencrypt/archive/; leave those permissions alone and never commit or back it up in the clear. fullchain.pem (the certificate plus the intermediate) is what clients need; configuring cert.pem alone causes chain errors on some clients.

For Apache:

  1. Open your site’s Apache configuration file:
   sudo nano /etc/apache2/sites-available/intranet-ssl.conf
  2. Add or update the following lines to configure SSL:
   <VirtualHost *:443>
       ServerName example.com
       DocumentRoot /var/www/html

       SSLEngine on
       SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

       <Directory /var/www/html>
           Options Indexes FollowSymLinks
           AllowOverride All
           Require all granted
       </Directory>

       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
   </VirtualHost>
  3. Enable the SSL module and the site, check the configuration, then restart Apache (loading a new module needs a full restart; later configuration changes only need a reload):
   sudo a2enmod ssl
   sudo a2ensite intranet-ssl.conf
   sudo apachectl configtest
   sudo systemctl restart apache2

For Nginx:

  1. Open your site’s configuration file:
   sudo nano /etc/nginx/sites-available/intranet-ssl.conf
  2. Add the following lines to enable SSL:
   server {
       listen 443 ssl;
       server_name example.com;

       ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

       root /var/www/html;
       index index.html;

       location / {
           try_files $uri $uri/ =404;
       }
   }
  3. Enable the configuration, test it, and reload Nginx:
   sudo ln -s /etc/nginx/sites-available/intranet-ssl.conf /etc/nginx/sites-enabled/
   sudo nginx -t
   sudo systemctl reload nginx
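Reloading the server is not proof that clients get the right certificate: a stale virtual host, a missing SNI name, or a certificate that does not cover the hostname all pass nginx -t. The script below is an added example, not part of the original article: it pulls the certificate the server actually presents, checks that its subjectAltName covers the hostname using the same single-label wildcard rule browsers apply (which is why the wildcard alone does not cover the bare domain), and warns if it expires within 30 days. It assumes the openssl command-line tool; hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article). Verify the certificate a
# server actually presents. Assumes the openssl CLI (1.1.1 or newer for -ext).

# name_matches HOST PATTERN: hostname matching as browsers do it (RFC 6125).
# "*" covers exactly one label: *.example.com matches app.example.com but
# neither example.com nor a.b.example.com. Comparison is case-insensitive.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        \*.*)
            suffix=${pattern#\*}              # ".example.com"
            case $host in
                *"$suffix")
                    leading=${host%"$suffix"}  # the part the "*" stands for
                    # non-empty and containing no dot: exactly one label
                    [ -n "$leading" ] && [ "${leading#*.}" = "$leading" ] ;;
                *) return 1 ;;
            esac ;;
        *) [ "$host" = "$pattern" ] ;;
    esac
}

# san_covers HOST SAN_TEXT: SAN_TEXT is the value line printed by
# `openssl x509 -noout -ext subjectAltName`, e.g. "DNS:a.com, DNS:*.a.com".
# Succeeds if any DNS entry matches HOST. Runs offline.
san_covers() {
    host=$1
    while IFS= read -r entry; do
        case $entry in
            DNS:*) if name_matches "$host" "${entry#DNS:}"; then return 0; fi ;;
        esac
    done <<EOF
$(printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//')
EOF
    return 1
}

# check_server HOST [PORT]: connect with SNI, print issuer and validity, and
# fail if the hostname is not covered or the certificate expires within 30
# days (2592000 s). Needs network access to the intranet server.
check_server() {
    host=$1; port=${2:-443}
    cert=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | openssl x509 2>/dev/null) \
        || { echo "no certificate received from $host:$port" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -issuer -dates
    sans=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName | sed -n 2p)
    if san_covers "$host" "$sans"; then
        echo "$host is covered by: $sans"
    else
        echo "$host is NOT covered by: $sans" >&2
        return 1
    fi
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 2592000
}

# Usage (placeholder hostname):
#   check_server wiki.example.com
```

Run it from a client machine, not only from the server itself, so that split-horizon DNS and any intermediate proxy are part of what you test.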

Step 6: Automate Renewal

Let’s Encrypt certificates are valid for 90 days, so renewal has to be routine rather than an event. The Debian/Ubuntu package installs a systemd timer (certbot.timer) that runs certbot renew twice a day and renews anything with less than 30 days left. However, certbot renew runs non-interactively, and a certificate obtained with plain --manual has no way to publish the new TXT record, so its renewal fails until you choose one of two options.

To renew by hand, rerun the same certonly command from Step 2 before the certificate expires. Certbot detects the existing certificate, offers to renew and replace it, and walks you through the TXT records again:

sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'

Far better, automate it. If you can change DNS records programmatically (your provider’s API, or RFC 2136 dynamic updates to your own authoritative server), give Certbot --manual-auth-hook and --manual-cleanup-hook scripts that publish and remove the record, plus a --deploy-hook that reloads the web server so it actually picks up the new certificate. Certbot saves the hooks in the renewal configuration under /etc/letsencrypt/renewal/, so the timer then handles everything. Certbot also ships ready-made DNS plugins for common providers (python3-certbot-dns-cloudflare, python3-certbot-dns-route53 and python3-certbot-dns-rfc2136 on Debian/Ubuntu) that replace the hand-written hooks.
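The hook script below is an added example, not part of the original article and not Certbot’s or Let’s Encrypt’s own code. It automates the DNS-01 challenge for a zone you control via RFC 2136 dynamic updates (for example BIND with a TSIG key), using the nsupdate tool. The server name ns1.example.com, the key file /etc/letsencrypt/acme-update.key and the install path /etc/letsencrypt/acme-dns-hook.sh are assumptions; what is not assumed is that Certbot exports CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES to the hook’s environment.

```shell
#!/bin/sh
# Added example (not from the original article). Certbot --manual-auth-hook /
# --manual-cleanup-hook script that publishes the DNS-01 TXT record with
# RFC 2136 dynamic updates (nsupdate + TSIG). Assumed, not from the article:
# the primary server, the key file path, and that the zone is public.

DNS_SERVER=${DNS_SERVER:-ns1.example.com}                # assumed primary authoritative server
TSIG_KEY=${TSIG_KEY:-/etc/letsencrypt/acme-update.key}  # assumed TSIG key file for nsupdate -k
TTL=60                                                   # short TTL: the record lives minutes

# acme_name DOMAIN: fully qualified record name (trailing dot for nsupdate).
# A wildcard is validated at its base name, so a leading "*." is dropped.
acme_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# nsupdate_batch add|delete DOMAIN TOKEN: the nsupdate script for one record.
# Pure text generation, so it can be checked without touching any server.
# "update delete ... TXT <value>" removes only that one record, which keeps
# the other challenge record intact when both example.com and *.example.com
# are being validated in the same run.
nsupdate_batch() {
    action=$1; domain=$2; token=$3
    name=$(acme_name "$domain")
    case $action in
        add)
            printf 'server %s\nupdate add %s %s IN TXT "%s"\nsend\n' \
                "$DNS_SERVER" "$name" "$TTL" "$token" ;;
        delete)
            printf 'server %s\nupdate delete %s IN TXT "%s"\nsend\n' \
                "$DNS_SERVER" "$name" "$token" ;;
        *)
            echo "nsupdate_batch: unknown action '$action'" >&2
            return 2 ;;
    esac
}

# Certbot calls the auth hook once per name, then validates all of them; the
# cleanup hook runs afterwards. CERTBOT_REMAINING_CHALLENGES is 0 on the last
# auth call, so we wait for secondaries to pick up the zone only once.
auth_hook() {
    nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY" || exit 1
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
        sleep 30
    fi
}

cleanup_hook() {
    nsupdate_batch delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
}

case ${1:-} in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac

# Issue (or later re-issue) with the hooks recorded for unattended renewal:
#   sudo certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/etc/letsencrypt/acme-dns-hook.sh auth" \
#     --manual-cleanup-hook "/etc/letsencrypt/acme-dns-hook.sh cleanup" \
#     --deploy-hook "systemctl reload nginx" \
#     -d example.com -d '*.example.com'
```

Install the script root-owned and executable (chmod 700), because it runs as root from the timer and the TSIG key it uses can rewrite the zone. Limit that key on the DNS server to the _acme-challenge names (BIND’s update-policy with a grant for TXT records only) so a compromise of the web server cannot repoint other records. A dry run with sudo certbot renew --dry-run exercises the hooks against Let’s Encrypt’s staging environment without issuing a real certificate.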


Conclusion

Securing your intranet with SSL is crucial for protecting internal data and ensuring a safe communication environment, even within your local network. By using Let’s Encrypt’s DNS-01 challenge, you can obtain certificates for internal sites without exposing them to the internet, making it an ideal choice for intranet sites.

Compared to self-signed certificates or a private CA such as mkcert, using Let’s Encrypt provides:

  • A Trusted Certificate: no browser warnings, and no need to distribute a private root CA to every laptop, phone and BYOD device.
  • Support for Wildcard Certificates: secure multiple subdomains within your intranet with one certificate.
  • A Publicly Trusted Authority: Let’s Encrypt’s root is in every major browser and operating system trust store, and Certbot is its reference client.

Two trade-offs to keep in mind: every certificate Let’s Encrypt issues is published in Certificate Transparency logs, so the names you request become public (prefer a wildcard rather than advertising individual internal hosts), and issuance and renewal depend on your public DNS zone being reachable from the internet and on the domain being a registered public one.

This method provides the best combination of security, automation, and flexibility for your internal network.

Published by Edvaldo Guimrães Filho