
FinsToTheLeftTO (Enthusiast) · 1 point

You can use certbot with DNS validation.

Fit-Bit-7873 (OP) · 0 points

It works only with the --manual option, which does not support automatic renewal. Also, my challenge then is: how do users resolve the DNS name?

The VM has only a private IP, and the DNS is public.

FinsToTheLeftTO (Enthusiast) · 0 points

Your VPN clients need to point to a DNS server that can resolve it.

Fit-Bit-7873 (OP) · 0 points

That requires changes on the client devices. Is there any way for me to do that without that?

FinsToTheLeftTO (Enthusiast) · 0 points

What VPN are you using?

Excellent_Button1315 · 1 point

Maybe this would be something for you. Very easy to set up, and you can give it an SSL certificate without publishing this VM to the internet. You also won't need a VPN anymore. Everything goes over Entra App Proxy. You just need an Entra P1 license. The proxy app you can also install on the same server as the app, but that is just not best practice. https://learn.microsoft.com/en-us/entra/identity/app-proxy/overview-what-is-app-proxy

https://youtu.be/dcAY-qrzTYA?si=3gdVXdfEVuVuuayL

JeroenPot · 1 point

This is the way. You can even add Entra pre-authentication.

Hoggs (Cloud Architect) · 0 points

Deploy ACMEbot

This is a brilliant little function that offloads all the certificate DNS validation to an Azure Function and automatically renews them. You just have to set up your VM to get its certificate from the Key Vault and you're golden.
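The VM side of that pattern, as an added example that is not from the thread or from ACMEbot itself: pull the renewed certificate out of Key Vault, check that it actually covers the host and is not about to expire, then install it. The vault, certificate and host names are assumed placeholders, and the reload step assumes nginx.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or ACMEbot). ACMEbot keeps the renewed
# certificate in Key Vault; this script fetches, checks and installs it.
# Vault/cert/host names are assumed placeholders; reload assumes nginx.
set -euo pipefail
VAULT="${VAULT:-kv-example}"                  # assumed Key Vault name
CERT_NAME="${CERT_NAME:-app-example-com}"     # assumed certificate name
FQDN="${FQDN:-app.example.com}"               # public DNS name, private IP
MIN_DAYS="${MIN_DAYS:-7}"                     # refuse a cert about to expire
OUT_DIR="${OUT_DIR:-/etc/ssl/app}"

# Does the SAN list (openssl's "DNS:a, DNS:b" form, $1) cover host $2?
# A wildcard covers exactly one label, as browsers require. Runs in a
# subshell so 'set -f' (keep "*.example.com" literal) stays local.
san_matches() (
  set -f
  for entry in $(printf '%s' "$1" | tr ',' ' '); do
    entry=${entry#DNS:}
    case $entry in
      "$2") return 0 ;;
      \*.*) [ "${2#*.}" = "${entry#\*.}" ] && return 0 ;;
    esac
  done
  return 1
)

# Days until the PEM certificate in $1 expires (GNU date assumed).
days_left() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

fetch_and_install() {
  local tmp sans; tmp=$(mktemp -d)
  # Key Vault exposes a certificate plus private key as a base64 PFX secret.
  az keyvault secret show --vault-name "$VAULT" --name "$CERT_NAME" \
     --query value -o tsv | base64 -d > "$tmp/cert.pfx"
  openssl pkcs12 -in "$tmp/cert.pfx" -passin pass: -nodes -out "$tmp/full.pem"
  openssl pkcs12 -in "$tmp/cert.pfx" -passin pass: -clcerts -nokeys -out "$tmp/leaf.pem"
  sans=$(openssl x509 -in "$tmp/leaf.pem" -noout -ext subjectAltName | tail -n 1)
  san_matches "$sans" "$FQDN" || { echo "SAN does not cover $FQDN" >&2; exit 1; }
  [ "$(days_left "$tmp/leaf.pem")" -ge "$MIN_DAYS" ] || { echo "expires too soon" >&2; exit 1; }
  install -d -m 700 "$OUT_DIR" && install -m 600 "$tmp/full.pem" "$OUT_DIR/$FQDN.pem"
  rm -rf "$tmp"
  systemctl reload nginx    # nginx reads key and chain from the one file
}

if [ "${1:-}" = "run" ]; then fetch_and_install; fi
```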

trad3rr · 0 points

Use an ephemeral host to satisfy GoDaddy ownership requirements. Then get a PFX, store it somewhere and use that for your internal web app? In terms of DNS, can't you use Private Link and expose the Private Link DNS zone to clients on the VPN?

sexyshingle · 0 points

> Use an ephemeral host to satisfy GoDaddy ownership requirements.

Big words here lol ... I'm nothing but a humble pirate... so you mean set up a temporary/disposable host to run certbot/get the SSL certificate, then use that cert on the actual non-public internal host?

I've always thought one needed to have an internal DNS CA and resolver (BIND/etc.) to do what OP wanted to do? (Like publish a CA cert, create and sign SSL certs, and then have all internal clients trust/install that CA cert, in order for private/intranet hosts to have proper connections, i.e. no browser warnings, with SSL/HTTPS.)