Custom ACME, local internal domain


we just wanted to try out Certify the Web and found out that it doesn’t like local domains.
As we are using our own ACME server (step-ca by smallstep), we can deploy certificates for our internal domains.
Unfortunately Certify the Web says: “One or more domains specified are internal hostnames. Certificates for internal host names are not supported by the Certificate Authority”. Well, in our case it works just fine. We like the GUI and the features of Certify the Web. Is there any chance to add a checkbox for custom Certficate Authorities to allow local (any) host name?

Best regards

Thanks, yes that’s a really good point. We should just make this a setting on the CA config to allow internal hostnames. We’ll get something into the next update.

Ok, if you like you can try this patch:

You would need to extract the files then copy them into the C:\Program Files\ CertifyTheWeb folder overwriting the existing few files, then edit your C:\ProgramData\ca.json to add "AllowInternalHostnames": true to your CA config. Then, restart the Certify service and the UI.

I really appreciate your fast help. I did as you said. Replaced the 4 files from the zip-file (they were from 7th of September, is that correct?), changed the config, restarted the service and the GUI but it still says that local hostnames are not allowed.

Oops, sorry, I was so fast I didn’t wait long enough for the correct files to update. I’ve re-uploaded that patch now for you to try.

Thank you very much. It works. I was able to get a certificate for a host in our internal domain.
Great support!

1 Like

Awesome, thanks for testing, the fix will also be included in the next update.

I have the same issues.
“Certificates for internal host names are not supported by the Certificate Authority”
unfortunately the link with the solution to download does not work.
Could you upload it again?

That link is no longer current and the latest version should support this functionality. Did you try configuring C:\ProgramData\ca.json to set "AllowInternalHostnames": true ?

Note that you can only use internal hostnames with a custom CA, not public CAs like Let’s Encrypt etc (they can only validate fully qualified hostnames within a public domain).

Hello and thanks for your reply.
I searched for the file, but couldn’t find it

Ok, so you are not using a custom CA, that means you are probably using Let’s Encrypt which does not support internal hostnames for certificates. If you know you want to use a custom internal CA (such as smallstep ca) see Certificate Authorities | Certify The Web Docs

I’m not using a custom CA…
The host I would like to certify is not internal.
Using “win-acme” I have no problem with my host, while “certify” recognizes my host as internal.
“win-acme” also uses “letsencrypt”

Hi, what top-level domain are you using? Like .com or .org?

1 Like

Ah, so that sounds like a potential bug - our code checks for hostnames that have no . in the name or which end in .local and classifies these are internal names. If you can give an example hostname that doesn’t work I’m sure we can find the problem.

I’m using the “.net” TLD

There are no “.” and does not end with “.local”
info-ss-as-block-as-info.xxxxxxxx. net

Are you actually leaving a space before net?

If I enter the domain as it works OK, if I try to add info-ss-as-block-as-info.xxxxxxxx. net it will see this as two domains because of the space in the name and add them as two entries info-ss-as-block-as-info.xxxxxxxx. and net. net would then be interpreted as a local host name.

Please note that domains/hostnames cannot contain a space.



No, there is no space before “.net” it was just a typo here in an attempt to censor my domain.
I don’t want it to be public.
Could it be a problem of maximum characters that the program accepts?
the name I’m trying to validate is this:” is my domain name

It’s unlikely to be character length, can you email support {at} with details of the problem and the actual real domain to test with, we can then discuss it via email.

OK thanks for the support.