SSL – Using Let's Encrypt certs on LAN with DNS redirection

Tags: https, lets-encrypt, local-area-network, ssl

I'm trying to use existing LE certs with a server on my LAN. I exposed port 443 to get the certs for mine.example.com and https access works fine from the WAN.

However, I assumed (perhaps foolishly) that I might be able to use the same certs internally by setting up DNS redirection (using dnsmasq on a separate box) on my LAN to point mine.example.com to the local IP.

Redirection works fine and points local machines to the internal IP when I go to mine.example.com but the certs now show 'Certificate Authority Invalid' errors.

Perhaps I misunderstand how the CA process works but I assumed that, since LE certs are DNS based, they should still work with local DNS redirection.

Does anyone know how to make this work?

Or can anyone explain why it doesn't work?


I know I can get different certs for local machines from LE but that would mean trying to configure the server to use different certs for internal and external access. Assuming I need to do this, is there an easy way to use different certs depending on source traffic?

I'll be serving web content through nginx and also a Webmin admin panel so it may be relatively easy to do for nginx given the flexibility in the configs (although Google hasn't been too helpful here either) but not sure about other web services running on the machine?


P.S. sorry if this turns out to be a duplicate but couldn't find anything with a lot of searching here (or on the Googles).

Best Answer

You will need to check the certificates in each system's trusted root store to see if the relevant root CAs are installed.

Let's Encrypt has documentation on their certificates: https://letsencrypt.org/certificates/. Note that they were cross-signed by IdenTrust, in addition to the chain signed by their own root, ISRG.

On Windows, opening a certificate and looking at the Certification Path tab shows the chain. Untrusted certificates have an error badge icon and show a status text different from OK. Check which root you are using and if it is in your trusted store. On Chrome, the cert can be found on F12 devtools, security tab.

Also consider using a TLS tester against it, such as testssl.sh. The certificate store will be different, but it can show a number of problems.
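As an added, offline illustration of the check this answer describes (it is not part of the answer, nor Let's Encrypt's tooling), the script below builds a throwaway root CA and a leaf certificate for mine.example.com, then shows `openssl verify` rejecting that leaf whenever the signing root is missing from the trust store it is given, which is the condition a browser reports as "Certificate Authority Invalid". It assumes only that the openssl CLI is installed; every name, key and file is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces an "untrusted root"
# verification failure with a constructed CA, entirely offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_chain: self-signed "real" root, an unrelated "other" root, and a leaf
# for mine.example.com signed by the real root (all constructed test material).
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mine.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:mine.example.com\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# show_path: the "Certification Path" view in text form, i.e. who issued the leaf.
# Compare the issuer printed here with the roots present in the client's store.
show_path() {
  openssl x509 -in "$WORK/leaf.pem" -noout -subject -issuer
}

# verify_against TRUSTFILE: exit 0 if leaf.pem chains to a root in TRUSTFILE and
# matches the host name, non-zero otherwise (the same decision a browser makes).
verify_against() {
  openssl verify -CAfile "$1" -verify_hostname mine.example.com \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
show_path
if verify_against "$WORK/other.pem"; then
  echo "unexpected: trusted without the signing root"
else
  echo "rejected: signing root not in trust store (Certificate Authority Invalid)"
fi
verify_against "$WORK/root.pem" && echo "accepted: signing root present in trust store"
```

Replace `$WORK/leaf.pem` with the certificate your nginx actually serves on the LAN address to run the same check against your own chain.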