Authenticate subdomain with primary domain

The subdomain I’m trying to create a certificate for is for internal use only. It’s not in the public DNS, only local. I want to authenticate by placing a file on the primary domain, but I don’t see an option for that and can’t find documentation about it.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: subdomain.domain.com

I ran this command: sudo certbot certonly --manual

It produced this output:

Create a file containing just this data:

[…]

And make it available on your web server at this URL:

[http://subdomain.domain.com/[...]]

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

Please specify the actual domain names.

I believe that in this case the only possibility is to use the DNS-01 challenge type; this is because proving control over the web server at example.com does not mean that you should be able to get a certificate for verysecure.example.com. Proving control over DNS is considered a "stronger" form of validation.

Another option would be to use a split-horizon configuration, where in the external version of the DNS zone you point your internal name to the web server of your primary domain and in the internal DNS zone you keep it pointed to an internal address.

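Worked example added by the editor, not from the thread or from certbot: it builds what the CA checks for each ACME challenge type, which shows why dns-01 fits a name that only resolves internally (only the `_acme-challenge` TXT record has to be public) while http-01 needs the host itself reachable. It follows the RFC 8555 key-authorization and RFC 7638 thumbprint constructions; the token, JWK members and domain below are constructed placeholders.

```python
import base64
import hashlib
import json
from typing import Tuple

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an ACME account key: SHA-256 over the canonical
    JSON (sorted keys, no whitespace) of only the required public members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, thumbprint: str) -> str:
    """Both challenge types prove possession of the account key via token.thumbprint."""
    return f"{token}.{thumbprint}"

def http01_target(domain: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """http-01: the CA fetches this URL, so `domain` must resolve publicly and
    answer on port 80 with the raw key authorization as the response body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, thumbprint)

def dns01_target(domain: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """dns-01: the CA queries a TXT record at _acme-challenge.<domain>.
    Only that TXT record must be public; <domain> itself needs no public A/AAAA."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

if __name__ == "__main__":
    # Constructed placeholder values; a real token and account key come from the ACME client/server.
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    token = "placeholder-token"
    thumb = jwk_thumbprint(account_jwk)
    print("http-01 needs:", *http01_target("subdomain.domain.com", token, thumb))
    print("dns-01 needs: ", *dns01_target("subdomain.domain.com", token, thumb))
```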

Thank you. I wasn’t aware that controlling the entire domain is not enough proof of control over the subdomain. Uploading a file there would have been easier, but I can work with the DNS-01 challenge and I see how it’s a better authentication.
