Can a LE certificate be obtained manually for a local website?

I just have a simple question; hope this is the right place. Can I get LE certificates manually, by providing CSR and SAN files? Or by downloading an LE CA certificate? Or is there some other way of getting an LE certificate that I can use for development work to apply to localhost/WEBSITENAME ? My local system is Windows, so I prefer a manual solution. Sorry I don’t quite know the right way to frame the question.

Update: I just discovered ZeroSSL. Should I use this?

There are three ways to authenticate/validate your certificate request (http | https | dns).
But only one can be used for offline systems - DNS auth.

Thank you, but I do not understand. Please explain in detail.

It seems like there are several things in play here.

(1) You can’t get a certificate for localhost. That’s absolutely forbidden by industry rules.

(2) If you want, you can get a certificate for a public name that your computer resolves to localhost (for example, using a hosts file), or that’s pointed to the IP address 127.0.0.1 in DNS. The name itself cannot be “localhost”; it must be a subdomain of a publicly-registered domain name, so it also can’t be a made-up or private/internal name.

(3) By “manual”, it sounds like you mean “without using a client application”; in this case the answer is basically no, but there is a category of web-based clients which includes ZeroSSL which might be a good choice if you don’t want to install software to obtain the certificate.

(4) What @rg305 is talking about is that, in order to obtain the certificate, you have to do something to prove your control over the domain name that you’re requesting the certificate for. Let’s Encrypt supports three such things, and only one of them can work if you’re requesting a certificate for a domain name that doesn’t correspond to a publicly-reachable server. That method requires you to make requested changes to the DNS zone for your domain. The authorization process would tell you that a specific DNS record chosen by the CA needs to be created to prove your control of the domain name, and then you would need to create that record at that time.

(5) If you’re just trying to get a certificate for a local service on your own computer or LAN, there’s often no reason to get a publicly-trusted certificate from an external CA. You can use a self-signed certificate instead without interacting with a CA at all. Publicly-trusted CAs typically only add value when people will be connecting to the service using devices that you don’t control, such as with a public web site.
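As an added illustration of the DNS method described in point (4) (this is example code written for this thread, not Let's Encrypt's own client code): the CA hands the client a one-time token, the client combines it with a fingerprint of its account key, and the SHA-256 of that string, base64url-encoded, is what must appear in a TXT record at `_acme-challenge.<your domain>`. The steps follow RFC 8555 section 8.4 and RFC 7638; the account key, token and domain used here are constructed placeholders.

```python
# Added example, not code from this thread or from Let's Encrypt: how an ACME
# client derives the TXT record the CA queries in a DNS-01 challenge
# (RFC 8555 section 8.4; key thumbprint per RFC 7638).
# The account key, token and domain below are constructed placeholders.
import base64
import hashlib
import json

CONSTRUCTED_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    # not a real modulus: a constructed base64url string standing in for one
    "n": "xyz-constructed_modulus_placeholder_0123456789ABCDEF_abcdef",
    # private member: present in the client's key file but never hashed
    "d": "constructed_private_exponent_placeholder",
}
CONSTRUCTED_TOKEN = "tokenXYZ_constructed_0123456789"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required *public* members only,
    serialized with lexicographically sorted keys and no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: proves the request came from this account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict):
    """Return (record name, TXT value) that the CA will look up."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    name, value = dns01_record("test.com", CONSTRUCTED_TOKEN, CONSTRUCTED_ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Two things worth noticing: the thumbprint is computed from the public members only, so the private exponent never leaves your machine; and the token is single-use, so the TXT record is only meaningful for the pending order and can be removed once the CA has validated it. The zone itself still has to be publicly resolvable even though the web server is not.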


Hi @david7364. It is not quite clear what you actually have there, but to simplify that boils down to the following use cases I believe:

  1. You have a domain name (either bought one or for example obtained from freenom) and your server is accessible from the Internet. In this case any client will work (including ZeroSSL Certificate Wizard).

  2. You have a domain name (either bought one or for example obtained from freenom) and your server is NOT accessible from the Internet. Assuming that you can control the “records” in your domain, you would need a client supporting DNS verification (ZeroSSL supports that method as well). If you can’t control your domain records, and can’t make your site accessible for the short period of when verification takes place, you’re out of luck in terms of getting an LE certificate.

  3. You don’t have a domain name. In this case you can’t get an LE certificate and you will need to use a self-signed certificate instead (you can generate it in one click at https://zerossl.com/free-ssl/#self for example). You can issue that for localhost, IP, etc.

I hope that helps.


I hope everyone won’t mind a general reply (my energy is limited due to cancer treatments).

Most of you understood my use cases (the development and deployment of secure websites), and you’ve offered interesting facts. I understand that LE will not act like a standard CA, in that it will not accept a CSR and SAN and return a certificate. I also understand that even if it did, it would not issue a certificate for localhost. I gather there is some way to use the local HOSTS file to obtain HTTPS access to websites under localhost (but I do not understand the instructions that were given).

As I indicated, I have no trouble creating a simple HTTPS website under WHM on a remote Linux system. This was the use case that receives my praise. So, my only remaining problem is being able to test HTTPS features locally, under localhost on a Windows computer. I still have no idea how this might be done, even if I could figure out how to use a separate .htaccess file that would run locally instead of the remote file (I guess I could write a command file to copy the right file to the right place just prior to FTPing the files to the remote site).

I was hoping for the same simplicity and reliability in applying LE to localhost as to a standard website, but so far I’m getting the message that this is impossible. I wish this use case had been included in the LE list of tasks, in spite of the fact that for me local development is done in the much disliked Windows environment. (If someone told me that development should be done on a live remote system, I would have to disagree. Similarly if someone told me that I should install Linux on my relatively tiny local computer just for the sake of website development.)

I posted this in your other thread as well, but recreating it here in response to this post:

A quick rundown on hosts files - this is a file on your computer that is basically a local DNS lookup. It’s very simple, just a text file where you can define IP/domain lookups. On Linux systems, this is /etc/hosts, and on Windows it’s C:\Windows\System32\drivers\etc\hosts. Note that you’ll want to tell Windows to open it with Notepad, and you’ll need to be an administrator (elevated user) to save any changes. The best way is to run Notepad as an administrator and open the file.

The format is simply [IP Address] [Domain name] {additional domain names}, for example if I wanted to route fakedomain.com to localhost (127.0.0.1), I’d add the following line:

127.0.0.1 fakedomain.com

If I wanted to resolve two names, I could put those on one line:

127.0.0.1 testserver.fakedomain.com testserver

This way, I can go to either testserver.fakedomain.com or just testserver, and my computer would route this to 127.0.0.1 as though a DNS response told it to.
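To make the format in the post above concrete, here is an added example (written for this thread, not from the poster) that parses a hosts file the way the resolver reads it and answers the question that matters for local testing: does this name land on the loopback address? The sample file content is constructed; the two file paths are the ones named in the post.

```python
# Added example, not from the thread: parse hosts-file lines of the form
# "[IP] [name] {more names}" with "#" comments, and check whether a name is
# pinned to the local machine. CONSTRUCTED_HOSTS is sample content, not a
# real file.
import os
import platform
from typing import Dict, List, Optional

CONSTRUCTED_HOSTS = """\
# constructed sample of a Windows hosts file
127.0.0.1 localhost
127.0.0.1 fakedomain.com
127.0.0.1 testserver.fakedomain.com testserver   # dev box
::1       localhost
192.0.2.10 example.com
"""

LOOPBACK = {"127.0.0.1", "::1"}


def default_hosts_path() -> str:
    """Location of the hosts file on this OS (the two paths the post names)."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each lowercased name to the addresses listed for it, in file order.
    Everything after '#' on a line is a comment; blank lines are skipped."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), []).append(address)
    return table


def resolve(table: Dict[str, List[str]], name: str) -> Optional[str]:
    """First listed address wins, matching how resolvers read the file."""
    addrs = table.get(name.lower())
    return addrs[0] if addrs else None


def pinned_to_loopback(table: Dict[str, List[str]], name: str) -> bool:
    """True when the hosts file sends this name to the local machine."""
    return resolve(table, name) in LOOPBACK


if __name__ == "__main__":
    hosts = parse_hosts(CONSTRUCTED_HOSTS)
    for n in ("fakedomain.com", "testserver", "example.com"):
        print(f"{n:28} -> {resolve(hosts, n)}  loopback={pinned_to_loopback(hosts, n)}")
```

Point it at `default_hosts_path()` and read the real file to check your own entry; that is the same thing the "ping the name and see 127.0.0.1 reply" test later in this thread verifies, minus the network round trip. Keep in mind that the hosts file only affects the machine it lives on, and that name lookups done by a browser may be cached for a while after you edit it.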

Okay, so let’s say I’ve got a registered domain name that I am not otherwise using. I can use WHM on my hosted Linux server to get an LE certificate for it. Done. Now, how do I use HOSTS to make use of that certificate to browse to localhost/test/index.php on my WAMP system so I can test TLS stuff?

You would have to copy the certificate (private key and public cert) to the test server.
Then update your hosts file to point to that IP for the name in the cert.
So that https://your.real.domain/ connects to IP 127.0.0.1 (or whatever IP you chose in the hosts file).

rg305, You seem to be skipping some details. Since my local server is Apache, the SSL directives are in ...conf\extra\httpd-ssl.conf. For example, the SSLCertificateFile directive points to the server's CRT file. But I'm not installing a certificate for the server, but for a specific website under localhost, a website that later will be found using the HOSTS file. Please help further if you can. Where or how do I install the certificate and private key and CA bundle?

See, it is just in such details that LE fails for local development, as far as I can tell.

Are you familiar with SNI?

The Apache server can handle many sites - you will just be adding a new site as normally done. Which corresponds to the FQDN in the cert you copied over.

And just to be perfectly clear, because you keep using LOCALHOST, there will be no way to obtain or use a cert for:
https://localhost/
It will have to have a real domain name.
You will just be redirecting the IP to the local IP.

As you are using windows, you will need to create a PFX file from the private.key and public.cert files:
(I use openssl for that)
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out YOUR.pfx

[edit] On second/third thought you're using Apache - it does need PFX files.

What do you mean, "as normally done"? I'm doing this for the first time, so I don't know any "normal" procedures. Is there a tutorial you can point me to? I see no way to add the cert for the website.

Yes, this was already explained above. I am trying to add a certificate for test.com, where "test.com" is a domain name that I own that already has its own remote website. I wish to develop for that site locally. So, even though it will be locally served at localhost/test, it will look like test.com in the browser, since test.com will be listed in the HOSTS file.

No, I am not familiar with SNI.

Then you do need a first time tutorial.
Unfortunately, I can't recommend any.
But the Internet must have a million answers for you.
Try searching "Apache SNI how to"

And just so we are on the same page, because you still keep using the word localhost ("served at localhost/test").
It will not be served at that location - it might be served by your "localhost" system - but not by any URL starting with https://localhost/

I hope you are wrong. If I browse to test.com when HOSTS points it to the loopback address, then the server will serve the file webroot/test/index.html on my development machine, not test.com/index.html on the remote machine.

I will try to learn SNI.

But, again, my main point is that the LE team apparently forgot to provide easy secure development access, only providing easy secure production access. All the LE supporters can split hairs about this defensively, but them's the facts.

I agree that we did not provide an easy way to set up a private development environment on your local machine, whether with Certbot or otherwise, using Let's Encrypt certs. We've probably assumed that web developers would usually be familiar with this process and that it's comparatively difficult to automate due to the even greater heterogeneity of developers' own machines.

When you use the hosts file to point test.com to 127.0.0.1, your system believes that it is test.com for most purposes. Therefore, you can access it as though it were test.com and it can also serve pages from Apache or another web server as though it were test.com, once Apache on your local machine has been appropriately configured with a virtual host for test.com. This is what @rg305 is referring to. We can easily get into a lot of semantic confusion about the fact that the machine isn't really test.com from the point of view of the rest of the Internet, but in any case everything ought to work as though it were.

Thanks for everyone's help. I think this thread should be helpful for others, too. It will be a real plus to be able to test e-commerce and other stuff that uses security locally, rather than trying to do stuff like debugging instrumentation live or risking creating regression bugs in the live server.

If the LE project succeeds, as I expect and hope it does, then the pressure will be on standards groups to make security simpler, just as the HTML skeleton has become simpler with HTML5. Simpler security will remove a fairly large remaining obstacle to widespread adoption of HTTPS and TLS access.

Just as a tiny example, I wouldn't be surprised if someday the prefixes HTTP: and HTTPS: would both be removed, and security would be required and even built-in, and a new default protocol name would be specified (such as HTP: or WEB:).

I added the following to the end of my httpd.conf file (Windows Apache). I haven’t tested this yet.

# Secure (SSL/TLS) connections for any secure (HTTPS) websites
<VirtualHost richardjaybrown.com:443>
DocumentRoot C:/Web/richard
ServerName richardjaybrown.com
SSLEngine on
SSLCertificateFile "C:/Main/LocalCert/richard.crt"
SSLCertificateKeyFile "C:/Main/LocalCert/richard.key"
SSLCertificateChainFile "C:/Main/LocalCert/LECA.crt"
</VirtualHost>

and the HOSTS file contains:

127.0.0.1 richardjaybrown.com
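Before restarting Apache, a small pre-flight check catches the usual reasons a block like the one above fails: the ServerName is missing (so SNI cannot pick the vhost), SSLEngine is off, a certificate or key path is wrong, or the name does not actually resolve to 127.0.0.1 on this box. The following is an added example written for this thread, not the poster's code and not part of Apache; it parses the posted `<VirtualHost>` fragment (copied here as a constructed sample) and lets you inject the file-existence and name-resolution functions so it runs without Apache or the real files.

```python
# Added example, not from the thread or from Apache: sanity-check a
# <VirtualHost> block for local HTTPS testing. CONSTRUCTED_VHOST mirrors the
# fragment posted above; `exists` and `resolver` default to the real
# filesystem and resolver but can be replaced for testing.
import os
import re
import socket
from typing import Dict, List

CONSTRUCTED_VHOST = """\
# Secure (SSL/TLS) connections for any secure (HTTPS) websites
<VirtualHost richardjaybrown.com:443>
DocumentRoot C:/Web/richard
ServerName richardjaybrown.com
SSLEngine on
SSLCertificateFile "C:/Main/LocalCert/richard.crt"
SSLCertificateKeyFile "C:/Main/LocalCert/richard.key"
SSLCertificateChainFile "C:/Main/LocalCert/LECA.crt"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhost(text: str) -> Dict[str, str]:
    """Directives of the first <VirtualHost> block, quotes stripped from values.
    The address part of the opening tag is stored under '_address'."""
    m = VHOST_RE.search(text)
    if not m:
        raise ValueError("no <VirtualHost> block found")
    directives = {"_address": m.group(1).strip()}
    for raw in m.group(2).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives[name] = value
    return directives


def check_vhost(text: str, exists=os.path.exists,
                resolver=socket.gethostbyname) -> List[str]:
    """Return a list of findings; empty means the block looks usable locally."""
    d = parse_vhost(text)
    findings: List[str] = []
    server_name = d.get("ServerName")
    if not server_name:
        findings.append("ServerName missing: SNI cannot select this vhost")
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    if not d["_address"].endswith(":443"):
        findings.append(f"vhost address {d['_address']!r} is not on port 443")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = d.get(key)
        if not path:
            findings.append(f"{key} missing")
        elif not exists(path):
            findings.append(f"{key} points to a missing file: {path}")
    chain = d.get("SSLCertificateChainFile")
    if chain and not exists(chain):
        findings.append(f"SSLCertificateChainFile points to a missing file: {chain}")
    if server_name:
        try:
            addr = resolver(server_name)
        except OSError:
            addr = None
        if addr != "127.0.0.1":
            findings.append(f"{server_name} resolves to {addr}, not 127.0.0.1: "
                            "check the hosts file")
    return findings


if __name__ == "__main__":
    for finding in check_vhost(CONSTRUCTED_VHOST) or ["no findings"]:
        print(finding)
```

Run as-is it uses your machine's real resolver, so the last check is equivalent to the "ping the name" test suggested below. Two caveats on the fragment itself: Apache's documentation advises against putting a hostname in the `<VirtualHost>` address (it is resolved once at startup), so `<VirtualHost *:443>` with the `ServerName` directive doing the matching is the usual form; and on Apache 2.4.8 or later `SSLCertificateChainFile` is deprecated, with the intermediate certificate simply appended to the file named by `SSLCertificateFile`.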

So “ping richardjaybrown.com” shows 127.0.0.1 replying?
If not, you’re not on the same box or your hosts file did not save properly.
If so, do you now see https://richardjaybrown.com/ from your localhost (and it has a nice LE signed lock)?

Yes. However, I only get an error message in the browser. As I said, I haven't tested this yet (I need more time). Even the error message is hopeful, since previously I saw the actual richardjaybrown.com website, which works without error.

That’s good news.
Best of luck to you.