Let's Encrypt certificates for private network addresses (ex:

August 20, 2019

Problem Description

You have a host name that only exists on a private network. For example, “” resolves to an address like 192.168.x.y, 172.16-31.b.c, or 10.a.b.c. You’d like a free, signed, valid SSL certificate for this host, but you don’t plan on putting this host on the internet. How do you get a Let’s Encrypt certificate for it?


It’s possible using DNS challenges. I found instructions for making Let’s Encrypt certificates for private domains. Since they are posted in a forum thread, I’m reposting the information just in case something happens to it. All credit goes to Bryan Larsen on the Let’s Encrypt Forums.


  • a domain name (
  • access to the DNS server for
  • root access on a publicly accessible server (

And let’s assume you want to create a certificate for named

  • Install certsling on the server.
  • Add an A record to point foo( to
  • Add an NS record to point to
  • sudo socat -T15 udp4-recvfrom:53,reuseaddr,fork tcp:localhost:8053 on your server
  • open port 53 on your server firewall
  • mkdir [email protected]
  • cd [email protected]
  • certsling -s --dns to get certs from the Let’s Encrypt staging server
  • When the previous step works, rm -rf *
  • certsling --dns to get real certs

Your certs will be in “[email protected]/”!
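As an added example (not certsling’s code and not from Bryan Larsen’s post), the Python below shows the two mechanisms the steps above rely on: how the TXT value that Let’s Encrypt looks up at _acme-challenge.<name> is derived from the challenge token and the account key (RFC 8555), and a minimal authoritative responder that answers only that TXT query, which is the job certsling does behind the socat relay on port 8053. The name foo.example.com, the token and the JWK are constructed placeholders; that socat hands the responder one raw DNS message per TCP connection is an assumption about the relay, not something the post states. Because the responder never recurses and only knows the delegated _acme-challenge name, exposing it on port 53 does not create an open resolver.

```python
"""Illustrative DNS-01 responder for a delegated _acme-challenge name (added example)."""
import base64
import hashlib
import json
import socket
import struct

QTYPE_TXT = 16
QCLASS_IN = 1

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token '.' base64url(SHA-256(canonical JSON of the account JWK))."""
    canonical = json.dumps(account_jwk, sort_keys=True, separators=(",", ":"))
    return token + "." + b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 s8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(packet: bytes, offset: int):
    """Return (name, offset after the name); follows a compression pointer."""
    labels = []
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:                                # 14-bit pointer
            ptr = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            tail, _ = decode_name(packet, ptr)
            return (".".join(labels + [tail]) if labels else tail), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name: str, qtype: int = QTYPE_TXT, txid: int = 0x1234) -> bytes:
    """A plain query with RD set, like the one the validation server sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def build_response(query: bytes, records: dict) -> bytes:
    """Answer one question from records ({name: [txt, ...]}): authoritative TXT for a
    known name, empty NOERROR for other types, NXDOMAIN otherwise. Never recurses."""
    txid, flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(query, 12)
    qtype = struct.unpack_from("!H", query, off)[0]
    question = query[12:off + 4]
    values = records.get(name.lower())
    answers, ancount = b"", 0
    if values is not None and qtype == QTYPE_TXT:
        for value in values:
            rdata = bytes([len(value)]) + value.encode("ascii")     # one <character-string>
            answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
            ancount += 1
    rcode_bits = 0 if values is not None else 3                      # 3 = NXDOMAIN
    resp_flags = 0x8400 | (flags & 0x0100) | rcode_bits              # QR=1, AA=1, RD copied
    return struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0) + question + answers

def rcode(packet: bytes) -> int:
    return struct.unpack_from("!H", packet, 2)[0] & 0x0F

def txt_answers(packet: bytes) -> list:
    """Pull the TXT strings out of a response (what the validator will see)."""
    ancount = struct.unpack_from("!H", packet, 6)[0]
    _, off = decode_name(packet, 12)
    off += 4                                                         # QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        _, off = decode_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        if rtype == QTYPE_TXT:
            out.append(packet[off + 1:off + 1 + packet[off]].decode("ascii"))
        off += rdlen
    return out

def serve(records: dict, host: str = "127.0.0.1", port: int = 8053) -> None:
    """Assumption: socat forwards each UDP datagram as one raw DNS message on a new TCP connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:
                query = conn.recv(512)
                if len(query) >= 12:
                    conn.sendall(build_response(query, records))

if __name__ == "__main__":
    # Constructed sample values: a challenge token and a placeholder account JWK.
    jwk = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    txt = dns01_txt_value(key_authorization("sample-token-from-the-acme-order", jwk))
    print("_acme-challenge.foo.example.com TXT", txt)
    serve({"_acme-challenge.foo.example.com": [txt]})
```

With the NS record for _acme-challenge.foo.example.com pointing at the public server, a query from the validator reaches UDP 53, socat relays it to this listener on 8053, and the TXT answer travels back the same way; a query for any other name gets NXDOMAIN, and a non-TXT query for the delegated name gets an empty NOERROR answer.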

This worked perfectly for me. I was able to copy the -chained.crt and the .key file to my gitlab server, to have a local-only docker container registry using SSL without any workarounds. The only downside is that it’s a manual process I will have to repeat every 3 months.

Written by Matthew Reishus.

© 2020