by ninkendo
632 days ago
|
LE can use DNS itself as the challenge. It works something like:

- You manage the mmd45.me domain (through a DNS provider, say dnsimple)
- You ask LE for a cert for imap.lan.mmd45.me (an address that doesn’t exist, but you use in /etc/hosts or something internally. Or maybe an internal DNS server like a pihole or something. The rest of the internet doesn’t see this address)
- LE says “prove you own lan.mmd45.me by creating a TXT record containing <random-nonce> inside _acme-challenge.lan.mmd45.me”
- Certbot integrates with your DNS provider to create said TXT record
- LE sees the TXT record and determines you are the owner, and signs your cert. At this point certbot can just delete _acme-challenge.lan.mmd45.me because it did its job.

At no point does mail.lan.mmd45.me need to be externally resolvable to any address for this to work.
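The exchange described in the comment above, as an added example that is not part of the original post and not Certbot's or Let's Encrypt's code. It simulates both sides of an ACME DNS-01 challenge in memory: the CA hands out a token, the client derives the TXT value, publishes it to a mock zone, the CA looks it up, and the client cleans the record up afterwards. It goes slightly beyond the comment's "<random-nonce>" wording by computing the TXT value the way RFC 8555 §8.4 specifies (base64url of SHA-256 over `token.thumbprint`, where the thumbprint is the RFC 7638 hash of the account key) and by deriving the record name from the identifier, so for `imap.lan.mmd45.me` the record is `_acme-challenge.imap.lan.mmd45.me`. `MockZone`, `MockCA`, `run_dns01` and the `ACCOUNT_JWK` coordinates are all constructed for this example; the mock zone is the stand-in for the DNS provider API. Note that the zone never holds an A record for the hostname, which is the point the comment makes: validation only ever touches the `_acme-challenge` TXT record.

```python
import base64
import hashlib
import json
import secrets
from collections import defaultdict

# Constructed account key (EC P-256 JWK). The coordinate values are placeholders;
# only their bytes matter for the thumbprint computation in this example.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only (EC: crv, kty, x, y),
    lexicographically ordered, no whitespace, SHA-256, base64url."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canonical).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 §8.4: the TXT record holds base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def challenge_name(identifier: str) -> str:
    return "_acme-challenge." + identifier


class MockZone:
    """In-memory stand-in for the DNS provider's record API (hypothetical, not dnsimple's)."""

    def __init__(self):
        self.txt = defaultdict(set)

    def add_txt(self, name: str, value: str) -> None:
        self.txt[name].add(value)

    def delete_txt(self, name: str, value: str) -> None:
        self.txt[name].discard(value)

    def lookup_txt(self, name: str) -> set:
        return set(self.txt.get(name, set()))


class MockCA:
    """The CA side: issues a fresh random token per identifier and checks the zone."""

    def __init__(self, zone: MockZone):
        self.zone = zone
        self.pending = {}

    def new_challenge(self, identifier: str) -> str:
        token = b64url(secrets.token_bytes(32))
        self.pending[identifier] = token
        return token

    def validate(self, identifier: str, thumbprint: str) -> bool:
        # The CA recomputes the expected value from its own token and the
        # account's thumbprint; any other value in the record does not count.
        expected = dns01_txt_value(self.pending[identifier], thumbprint)
        return expected in self.zone.lookup_txt(challenge_name(identifier))


def run_dns01(identifier: str, account_jwk: dict, zone: MockZone, ca: MockCA) -> bool:
    """Client side (what certbot's DNS plugin does): publish, let the CA check, clean up."""
    thumbprint = jwk_thumbprint(account_jwk)
    token = ca.new_challenge(identifier)
    name, value = challenge_name(identifier), dns01_txt_value(token, thumbprint)
    zone.add_txt(name, value)
    try:
        return ca.validate(identifier, thumbprint)
    finally:
        # The record has done its job either way; remove it so it does not linger.
        zone.delete_txt(name, value)


if __name__ == "__main__":
    z, c = MockZone(), MockCA(z)
    print("validated:", run_dns01("imap.lan.mmd45.me", ACCOUNT_JWK, z, c))
```

Against a real provider, `MockZone.add_txt` and `delete_txt` are the two API calls a DNS plugin has to make, and the `finally` cleanup is what keeps stale `_acme-challenge` records from piling up between renewals.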