
I'm trying to set up a HTTPS certificate for mymachine.cs.superuniversity.ca (free or paid). Before I jump in, is it even possible to set up such a certificate using Let's Encrypt?

The domain is for a very simple http server to host some HTML, CSS, and Javascript.

XoXo
    I'm not sure what your problem is here exactly. If you are trying to get a certificate for a domain you own then you should be able to get a certificate from Let's Encrypt, even if the site itself is very simple. If you don't own the domain you should not be able to get such a certificate. – Steffen Ullrich Jun 04 '18 at 18:14
  • Thanks for the reply. My domain is actually a university machine: `mymachine.cs.superuniversity.ca`. Is it possible to apply a certificate using Let's Encrypt? – XoXo Jun 04 '18 at 19:13
  • This answer seems relevant: https://security.stackexchange.com/a/121187/149355 – XoXo Jun 04 '18 at 19:18
  • @SteffenUllrich I'm seeing this error per [this answer](https://serverfault.com/a/812038/245732): `Failed authorization procedure. mymachine.cs.superuniversity.ca (dns-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mymachine.cs.superuniversity.ca`. Does that mean I need to ask for the records on the university's DNS server to be updated for it to work? – XoXo Jun 04 '18 at 19:30
  • You need to either have a publicly visible web server under your control or you need to have the DNS settings for the domain under your control. If none of this is the case it is assumed that you don't really have control of the domain, in which case you should not be able to get a certificate for this. If you have the web server under your control but not the DNS, simply don't use the DNS challenge for Let's Encrypt. – Steffen Ullrich Jun 04 '18 at 19:40

1 Answer

Short answer: yes, if you control a web server under that domain name and Let's Encrypt's external bot can access that web server, or if you control the DNS records for that domain.

The DNS validation may be tough (you probably do not control the DNS server, and it may be administratively challenging to obtain the necessary DNS records). So your other option is to use HTTP validation. Citing Let's Encrypt's "How It Works" article:

These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

  • Provisioning a DNS record under example.com, or
  • Provisioning an HTTP resource under a well-known URI on https://example.com/

If you need to do so for an Intranet-only domain, you can set up a temporary/dummy web server for certificate generation purposes, and bring it up only when renewing the certificate. I suggest just buying a public domain, getting a certificate for that domain, and pointing it to the internal IP address. Please note that doing so may expose internal IP addresses, and you should do that only after a risk assessment and after getting approval from the university.

Milen
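The HTTP route the answer recommends works because the validator fetches `http://<host>/.well-known/acme-challenge/<token>` and expects a specific body: the token, a dot, and the SHA-256 thumbprint of the account key's JWK (RFC 8555 section 8.1, RFC 7638). The script below is an added example, not code from the original answer or from Let's Encrypt; it computes that key authorization, writes the challenge file under a webroot, serves the webroot on a loopback port and fetches the path the way the validator would, so you can confirm the layout and a clean response body before pointing a real ACME client at it. The JWK and token are constructed placeholders (a real client generates its own account key and receives the token from the CA), and the loopback server stands in for the public web server the validator must be able to reach.

```python
"""Local dry run of the HTTP-01 challenge layout (added example, not the
original answer's code). Placeholder JWK and token are constructed values."""
import base64
import hashlib
import json
import os
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from typing import Optional

# Constructed placeholder public JWK: NOT a real account key. Only the public
# members RFC 7638 lists for the key type take part in the thumbprint.
PLACEHOLDER_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-placeholder-modulus-not-a-real-key",
    "kid": "extra-member-ignored-by-the-thumbprint",
}
# Constructed placeholder for the base64url token a real ACME server would issue.
CONSTRUCTED_TOKEN = "c0nstructedT0ken_example-only-0123456789ABCDEF"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the validator expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def provision_challenge(webroot: str, token: str, key_auth: str) -> str:
    """Write the challenge file where an HTTP-01 validator will look for it."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    # Body must be exactly the key authorization: no trailing newline, no HTML wrapper.
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(key_auth)
    return path


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the dry run silent
        pass


def fetch_like_validator(webroot: str, token: str) -> str:
    """Serve the webroot on a loopback port and fetch the challenge path over plain HTTP."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/.well-known/acme-challenge/{token}"
        # Bypass any proxy settings so the request really hits the loopback server.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(url, timeout=5) as resp:
            return resp.read().decode("ascii")
    finally:
        server.shutdown()
        server.server_close()


def dry_run(webroot: Optional[str] = None, token: str = CONSTRUCTED_TOKEN,
            jwk: dict = PLACEHOLDER_JWK) -> dict:
    """Provision then fetch the challenge; 'ok' is True when the served body matches."""
    if webroot is None:
        with tempfile.TemporaryDirectory() as tmp:
            return dry_run(tmp, token, jwk)
    expected = key_authorization(token, jwk)
    provision_challenge(webroot, token, expected)
    served = fetch_like_validator(webroot, token)
    return {"expected": expected, "served": served, "ok": served == expected}


if __name__ == "__main__":
    print(json.dumps(dry_run(), indent=2))
```

In practice a client such as certbot does all of this for you (its webroot mode writes the same `.well-known/acme-challenge/` file into a directory you name), but the dry run is useful when a first attempt fails: if the loopback fetch returns the right body and the CA still reports an error, the problem is reachability of port 80 from the Internet or a rewrite/redirect on the web server, not the challenge file itself.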