Let's Encrypt Certificate for Internal Site
Solution 1:
Let's Encrypt requires Internet connectivity, but that is needed by
the EFFISRG who run it. Certbot (which runs on your computer) communicates with Let's Encrypt to issue and renew certs and does require connectivity from your computer.A valid domain name (in the case of Let's Encrypt) is a domain you set up which can be resolved by the global DNS infrastructure - in practice this means using a bought domain name, or a subdomain related to a bought domain name (although it is possible to get free domains from some obscure registries like www.tk)
Applications need to be configured to use the Let's Encrypt keys. All that Certbot does is (a) have a set of keys which almost all browsers accept and (b) signs keys to after checking that the owner of the key is also in control of the DNS for the key that signed. While Certbot can be used with Apache/NGINX, and doing so is easy it does not require either software to run. Similarly the output of Certbot (in addition to optional configuration files if desired, but is in no way mandatory), is a signed public key. This private key, along with the private key (and any intermediate keys) Let's Encrypt typically generates for you can be used by any software you use that can use SSL, recognises Let's Encrypt as a CA and recognises the file format. This needs to be configured in the software.
What you are asking is non-sensical - if you have a root certificate you don't use Certbot. You can create your own CA infrastructure using the OpenSSL library, and if you want to make this easier there are pki tools like easy-rsa. Certbot is not a registry, its not an SSL library, it is a script to verify ownership of a domain name in a standard compliant way, and managing the certs provided by Let's Encrypt. Its not useful if you are setting up your own CA (Certificate Authority - which is what a Root Certificate is all about).
Solution 2:
- Yes, to perform any of the challenges involved in creating new certificates, and that's it.
- A 'valid domain' is just means 'not an IP address'. Let's Encrypt, like most issuers, will not use IP addresses as the subject of the certificate; it must be a domain.
- All Certbot does is create certificates for whatever domain names it sees in your apache / nginx config. You can use the apache / nginx config to enable SSL or not, or point to any other certificate. Certbot will not force your server to have SSL enabled or force it to use its own certificates. Though it can (optionally) write the config for you during the installer.
- You can make any certificate act as an intermediate if you have the private key and the optional passphrase.