Let's Encrypt certificate without domain?

Background: Nextcloud (running on a raspberry pi) only accessible in LAN. No domain, only fixed IP. Self signed certificate automatically created on init…

Can I replace the self-signed cert with a cert from Let’s Encrypt without having bought a domain? While it’s no issue to buy a domain, I won’t make the NC accessible from the internet, because (a) it contains private data and (b) I lack the knowledge to maintain it properly.

no.

the two things are not related.
you can create an A record mynextcloud.mydomain.com to 192.168.178.100
then you can get a wildcard cert for *.mydomain.com and put it on your nextcloud server.

need more details?

OK, thank you!

  1. Get an A record for raspi-XY.gibberish.org: I’d go to ionos.com e.g., purchase a domain and thus get an A record for gibberish.org. - Right? But then: How do I create an A record for raspi-xy.gibberish.org? Is this a thing of the domain name administration and I have to do that on the website of the provider (ionos, e.g.)?

  2. How do I get a wildcard certificate for the third-level domain, raspi-xy.gibberish.org?

  3. While I’m at it: If you happen to know the path where I drop the certificate, drop one more line.

Well, however, thank you!

acme.sh is an easy way to get certificates. if you choose ionos as your dns provider you simply follow this usage guide.

ok. you need to read some of the acme.sh howtos also. :wink: and you should have a second raspi or virtual machine to practice your acme.sh skills a bit.

to answer your questions:

  1. there should be a web gui to create A records. a problem could be that this web gui checks if you want to use a “private” subnet. you should check this with the ionos support before you buy your domain. hetzner for example will allow any address.

  2. if you use acme.sh it’s something like:

     acme.sh --issue --dns dns_ionos \
       -d example.com \
       -d '*.example.com'

  3. depends which installation method (and web server) you used to setup nextcloud.

p.s.: if you use a fritz.box make sure you allow raspi-XY.gibberish.org to point to your internal network. you’ll find it under Heimnetz → Netzwerk → DNS-Rebind-Schutz. this may apply to other routers as well.

if your router doesn’t allow this you would have to run your own dns server at home. because you need to resolve DNS-Rebind-Schutz at least at home.
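Two things in the replies above are easy to get wrong and cheap to check from the Pi itself: whether the router's DNS rebind protection is silently dropping the A record that points at the private address, and whether the wildcard certificate actually covers the hostname (a `*.gibberish.org` wildcard matches exactly one label, so it covers `raspi-xy.gibberish.org` but not `a.b.gibberish.org`). The script below is an added example written for this thread, not code from the forum or from acme.sh; the hostname `raspi-xy.gibberish.org` and the address `192.168.178.100` are the constructed values used in the thread, and `getent` is assumed to be available (glibc systems such as Raspberry Pi OS).

```shell
#!/bin/sh
# Added example for the thread above (not part of the original posts).
# Assumes a glibc `getent`; hostname and address values are the constructed
# ones from the thread.

# Return 0 if $1 is an IPv4 address inside an RFC 1918 private range, else 1.
is_private_ipv4() {
  case "$1" in
    10.*)                                    return 0 ;;
    192.168.*)                               return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 0 ;;
    *)                                       return 1 ;;
  esac
}

# Return 0 if certificate name $1 (a plain name or a "*.suffix" wildcard)
# covers hostname $2. A wildcard stands in for exactly one leftmost label
# (RFC 6125 section 6.4.3), so '*.gibberish.org' does not cover
# 'a.b.gibberish.org' or 'gibberish.org' itself.
cert_name_matches() {
  pattern=$1
  host=$2
  case "$pattern" in
    \*.*)
      suffix=${pattern#\*.}      # everything after the leading "*."
      label=${host%%.*}          # leftmost label of the hostname
      rest=${host#*.}            # hostname without its leftmost label
      [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# Resolve $1 through the system resolver (i.e. the router) and report.
# An empty answer for a name that should point at a LAN address is the
# typical symptom of DNS rebind protection filtering the reply.
check_lan_name() {
  name=$1
  addr=$(getent ahostsv4 "$name" 2>/dev/null | awk '{print $1; exit}')
  if [ -z "$addr" ]; then
    echo "$name: no IPv4 answer (DNS rebind protection, or no A record yet?)"
    return 2
  fi
  if is_private_ipv4 "$addr"; then
    echo "$name -> $addr (private address, resolved as intended)"
    return 0
  fi
  echo "$name -> $addr (public address, not the LAN record)"
  return 1
}

# Demonstration with the thread's constructed names; pass a hostname as the
# first argument to also resolve it through the local router.
for h in raspi-xy.gibberish.org a.b.gibberish.org gibberish.org; do
  if cert_name_matches '*.gibberish.org' "$h"; then
    echo "*.gibberish.org covers $h"
  else
    echo "*.gibberish.org does NOT cover $h"
  fi
done
if [ $# -gt 0 ]; then
  check_lan_name "$1"
fi
```

Run it as `sh check_lan_cert.sh raspi-xy.gibberish.org` on a machine inside the LAN after the A record exists; a "no IPv4 answer" result while the public resolver (e.g. `dig @1.1.1.1 raspi-xy.gibberish.org`) returns `192.168.178.100` points at the router's rebind filter rather than at the DNS provider.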