Can I create a certificate for a domain that is not yet set up on our server?


#1

Before I obtain an LE certificate for a new domain, I have to first set the domain up in Apache in a .conf file, restart Apache, test that the domain is working (for a website), then issue the following command with Certbot:

certbot certonly --webroot -w /home/www/mywebsite -d domain.com

Then I go back into the .conf file to add all the SSL lines needed for that domain, then restart Apache again.

Is there a way to bypass the first step and simply get a certificate for the domain without having to have the domain actually working on the server yet? Or are both steps required to get a certificate?

Thanks!


The operating system my web server runs on is (include version): CentOS 7.6

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site: No

The version of my client is: Certbot 0.2.1


#2

Yes; this should work:

You can confirm the result with:
certbot certificates

Yes, with DNS authentication.
You can even get a wildcard cert (which has no actual resolvable name or IP).

You can also set up DNS to point to your server and NOT set up a conf to cover that name.
And assuming your web server will serve it from the default conf, you can use that as the authentication point for webroot.


#3

Looks like that is missing a digit…


#4

I’m confused. Are you saying I can issue the exact same Certbot command shown in my original post for a domain even though it’s not set up yet on our server or with Apache?

What is DNS authentication?

I’m not sure what you mean, is there an example of this you can point me to?

Yes, it should read 0.29.1, but the forum software won’t allow me to edit my original post.


#5

Hi @MontyHu

If you want to use http-01 validation, you need a running webserver. But Certbot has an option to create a temporary webserver (if port 80 is free), so you don’t need to configure your own webserver.

So you can use the --standalone option.

The dns-01 validation doesn’t use a webserver. Instead, you have to create a special DNS TXT entry

_acme-challenge.yourdomainname.com

with a special value. Then Letsencrypt checks if this TXT entry exists.

But if you want to use (and automate) that, your DNS provider should support an API.

More information:

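Added example (not from this thread, and not Certbot's own code) showing what that "special value" is: RFC 8555 derives the TXT record content for `_acme-challenge.<name>` from the challenge token and the ACME account key's thumbprint, and the CA then checks that value is among the TXT strings published at that name. The account key, token and the `example.com` name below are constructed placeholders; the `dig` call only runs when the script is started directly.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not real ACME data): a dummy account key in JWK
# form and a dummy challenge token. In practice the token comes from the CA
# and the JWK is the client's own account key.
SAMPLE_JWK = {"kty": "RSA", "n": "sample-modulus-not-a-real-key", "e": "AQAB"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the key's required members,
    serialised with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<name>:
    base64url(SHA-256(token '.' thumbprint)), per RFC 8555 section 8.4."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def challenge_record_name(domain: str) -> str:
    """Where the CA looks: the _acme-challenge label in front of the name.
    A wildcard is validated at its base name (*.example.com -> example.com)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."

def record_is_published(expected: str, txt_strings) -> bool:
    """The CA's check: the expected value must appear among the TXT strings
    returned for the challenge name; extra or stale records do not matter."""
    return any(s.strip().strip('"') == expected for s in txt_strings)

if __name__ == "__main__":
    # Stand-alone use: look up the live record with dig before asking the CA.
    import subprocess, sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    name = challenge_record_name(domain)
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True).stdout
    status = "published" if record_is_published(expected, out.splitlines()) else "missing"
    print(name, expected, status)
```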

#6

Thanks for the explanation.

I have my own web server and use BIND on that server for all DNS, but I have no idea if what you suggest about an API will work with this setup, although even if it did, I don’t think I’d be able to figure out how to set it up. :slight_smile: This is all a bit over my head.

I guess I should just continue to do the two-step process I explained above.


#7

Certbot has some DNS plugins:

There is a BIND sample here:

https://certbot-dns-rfc2136.readthedocs.io/en/stable/

Or check acme.sh, that’s another client with a lot of DNS plugins.