
I have several servers under the domain myorg.example.com, for example git.myorg.example.com. I am planning to start using certificates provided by Let's Encrypt for these servers.

Most of these servers are for internal use only and I don't like opening port 80 to the internet for the HTTP-01 challenge. My DNS provider does not support the DNS-01 challenge and switching to a new provider is not possible right now.

I am wondering if the following setup is possible:

  • Creating a server at the domain myorg.example.com and opening its port 80 to the internet.
  • Using myorg.example.com as a centralised certificate server, doing all certificate generation there, and pushing new certs and keys to the other servers using a script.

Can I get a Let's Encrypt certificate for git.myorg.example.com using myorg.example.com? Is control of the upper-level domain enough proof for getting a certificate for a subdomain?
Madoc Comadrin
    No, it is not. You can, however, use a DNS challenge where the challenge record is a `CNAME` to another domain (including a subdomain of your existing domain). The target of the `CNAME` can be with a DNS provider that does support challenges. – tater Dec 10 '20 at 12:41
  • Why is a wildcard cert not a good solution (`*.example.com` or `*.myorg.example.com`)? It's not that hard with `certbot`. – bitinerant Dec 10 '20 at 18:29
  • @bitinerant You need to use DNS challenge to get a wildcard certificate, AFAIK – Michael Hampton Dec 10 '20 at 18:39
  • I will look into using `CNAME` as suggested. – Madoc Comadrin Dec 11 '20 at 12:56
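The CNAME delegation tater describes in the comments above is worth seeing concretely, because it also answers the question's last point: a DNS-01 validation is performed per identifier, so each name needs its own `_acme-challenge` record, and controlling the parent zone only helps insofar as you can publish those records. The following is an added example, not code from the question or the comments. It models a validating CA's lookup offline against a constructed zone: `myorg.example.com` stands in for the asker's provider without automation, and `acme-dns.example.net` is an assumed zone at a provider that does support automated DNS-01 updates. The TXT value is computed as RFC 8555 §8.4 specifies; the key authorization used as input is a constructed sample.

```python
import base64
import hashlib

# Constructed zone data (not the asker's real DNS). Each entry maps an owner name to
# (record type, record value). The _acme-challenge names under myorg.example.com are
# CNAMEs pointing into an assumed zone, acme-dns.example.net, that a script can update.
ZONE = {
    "_acme-challenge.git.myorg.example.com.": ("CNAME", "git.acme.acme-dns.example.net."),
    "_acme-challenge.wiki.myorg.example.com.": ("CNAME", "wiki.acme.acme-dns.example.net."),
}


def challenge_name(identifier: str) -> str:
    """RFC 8555 section 8.4: the CA queries TXT at _acme-challenge.<identifier>."""
    return f"_acme-challenge.{identifier.rstrip('.')}."


def resolve_txt_owner(name: str, zone: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs the way a resolver does and return the owner name at which the
    TXT record must actually be published. Loops and over-long chains are rejected."""
    seen = set()
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None or rec[0] != "CNAME":
            return name  # no further alias: the TXT record lives here
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = rec[1]
    raise ValueError("CNAME chain too long")


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(keyAuthorization)), unpadded.
    keyAuthorization itself is token + "." + base64url(JWK thumbprint of the account key)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def plan_dns01(identifier: str, key_authorization: str, zone: dict) -> dict:
    """Work out, for one identifier, where the CA will look, where the record must be
    published after CNAME delegation, and what TXT value to publish there."""
    lookup = challenge_name(identifier)
    return {
        "lookup": lookup,
        "publish_at": resolve_txt_owner(lookup, zone),
        "txt": dns01_txt_value(key_authorization),
    }


if __name__ == "__main__":
    # Constructed key authorization; a real one comes from the ACME challenge object.
    sample_keyauthz = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA.constructed-thumbprint"
    for host in ("git.myorg.example.com", "wiki.myorg.example.com", "mail.myorg.example.com"):
        print(plan_dns01(host, sample_keyauthz, ZONE))
```

For `git` and `wiki` the plan shows the CA querying `_acme-challenge.git.myorg.example.com.` but the TXT being published under `acme-dns.example.net`, which is the record the centralised server's script would write through that provider's API. For `mail`, which has no CNAME, the TXT would have to be created at the asker's own provider, which is exactly the step that provider cannot automate.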
