
I am trying to install a certificate using certbot from LetsEncrypt on a Raspberry Pi. I have installed Apache2 and created a webserver at http://subdomain.mydomain.com on the Raspberry Pi. The certbot command obtains a certificate and writes it to http://subdomain.mydomain.com/.well-known/acme-challenge/<etc.>

Background Info: I am doing this because I need a local server to address IoT devices and my Ajax calls are failing because I am not allowed to mix http with https. The IoT devices are incapable of hosting a webserver with SSL - they use a simple http://192.168.1.xx/<string> format

I don't want to create a DNS entry at my registrar/ISP because I am trying to create a scalable solution and creating hundreds (perhaps thousands if we do well) of subdomain entries there is impractical. Creating my own DNS server is a possibility, but I would rather just do it all on the Pi - my bash installation script will take care of everything (once I get it to work!).

I tried first to create an entry into the local hosts (/etc/hosts) file which looks like this:

   127.0.0.1       localhost
   ::1             localhost ip6-localhost ip6-loopback
   ff02::1         ip6-allnodes
   ff02::2         ip6-allrouters

   127.0.1.1       SubDomain
   192.168.1.111   subdomain.mydomain.com

This works for commands like ping, but not for nslookup or dig and definitely not for certbot. The certbot command finds my main server - DNS is configured with a * to go to my Public IP for all unknown subdomains:

  A       *         xx.xx.xx.xx //My public IP address

So then I installed dnsmasq (See: When using proxy_pass, can /etc/hosts be used to resolve domain names instead of "resolver"?) and followed the configuration options shown here: How to Setup a Raspberry Pi DNS Server

However, that doesn't work either. certbot still looks at my main (external DNS) and finds my Public (wildcard) IP. Here's a summary of the changes made in /etc/dnsmasq.conf

   domain-needed ## enabled
   bogus-priv ## enabled
   no-resolv ## enabled
   server=8.8.8.8 ## added (#server=/localnet/192.168.0.1 left as is)
   server=8.8.4.4 ## added
   cache-size=1500 ## increased from 150

How can I force certbot to find and use my local/private IP 192.168.1.111? Any alternative solutions using scripts/redirection?

Chiwda

2 Answers


Create a wildcard certificate using Let's Encrypt DNS validation. You will then have to renew the certificate manually. Otherwise, your server must be on the public Internet with correct DNS settings.

John Hanley
  • I'm doing that now, but that involves renewing the certificate every three months - that's again impractical with 100s of installations. – Chiwda Oct 15 '21 at 02:20
  • @Chiwda - then your objective is not possible. You must either have public DNS records or manually create the certificate. Your comment of creating a DNS server won't work as it would have to be public also. That is how Let's Encrypt validates you control the domain. – John Hanley Oct 15 '21 at 02:29
  • Bind can be installed on Private IP addresses: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-14-04 I am considering that, although it is getting pretty heavy/complicated – Chiwda Oct 15 '21 at 04:11
  • You can install bind on a private IP address and create private DNS zones. That will not help you with Let's Encrypt. Let's Encrypt will only communicate with the **Authoritative Name Servers** for your domain. Those servers must be public. – John Hanley Oct 15 '21 at 05:34

I finally solved my problem but I abandoned LetsEncrypt entirely. The answer was not in DNS, but in approaching it from a completely different angle. This was pretty much 95% of the solution.

Important! This only works if you have control over the browser. We do, since it is for our kiosk application which runs in a browser.

Step 1: Become your own CA

Step 2: Sign your SSL certificate as a CA

Step 3: Import the signed CA (.pem file) into the browser (under Authorities)

Step 4: Point your Apache conf file to the local SSL (the process generates .key and .crt files for this as well).

Chiwda
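The four steps of this answer, as an added example that is not part of the original post: a POSIX shell script using openssl that becomes its own CA (Step 1), signs a server certificate for subdomain.mydomain.com with a subjectAltName for the hostname and the private IP 192.168.1.111 (Step 2), writes the Apache vhost that points at the generated .key and .crt (Step 4), and checks the chain a browser will validate once ca.pem has been imported under Authorities (Step 3, which is a manual browser action). The CA name, the working directory and the /etc/ssl paths in the vhost are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script): private CA + signed server
# certificate + Apache vhost, generated into a temporary directory.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"     # assumed output location
CA_CN="Kiosk Private CA"               # assumed CA name
SERVER_FQDN="subdomain.mydomain.com"   # hostname from the question
SERVER_IP="192.168.1.111"              # private IP from the question

# Step 1: become your own CA. A self-signed certificate whose key never leaves
# the machine that signs; only ca.pem is imported into browsers.
make_ca() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days 3650 \
        -subj "/CN=$CA_CN" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Step 2: server key and CSR, then a CA-signed certificate. Modern browsers
# ignore the CN and require a subjectAltName, so it is set via an ext file.
make_server_cert() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$SERVER_FQDN" \
        -out "$WORKDIR/server.csr" 2>/dev/null
    cat > "$WORKDIR/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_FQDN,IP:$SERVER_IP
EOF
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.pem" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Step 4: the Apache vhost pointing at the generated key and certificate.
# Paths under /etc/ssl are where the files would be copied on the Pi (assumed).
write_vhost() {
    cat > "$WORKDIR/$SERVER_FQDN.conf" <<EOF
<VirtualHost *:443>
    ServerName $SERVER_FQDN
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
EOF
}

# The check a browser performs after Step 3 (ca.pem imported under Authorities):
# does server.crt chain to ca.pem? Returns 0 on success.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Does the issued certificate carry the SAN the browser will match the URL against?
has_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$SERVER_FQDN"
}

# Run all steps when executed directly.
make_ca && make_server_cert && write_vhost && verify_chain && has_san \
    && echo "CA, server certificate and vhost written to $WORKDIR"
```

Copy ca.pem into the browser's certificate authorities, and server.crt/server.key to the paths named in the vhost. Because the SAN carries both the hostname and the private IP, the kiosk page can be served as https://subdomain.mydomain.com or https://192.168.1.111 without a warning. Keep ca.key off the Pi that serves the page: anyone holding it can issue certificates every kiosk browser trusts.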