Certificate for a third-party web host using CSR


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: events.devilslakend.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache2

The operating system my web server runs on is (include version): unknown

My hosting provider, if applicable, is: unknown

I can login to a root shell on my machine (yes or no, or I don’t know): idk

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): idk

I work for an ISP, and one of the services that we offer our customers is web hosting. We adopted the Let’s Encrypt method of SSL over a year ago, and it has been fantastic.

One of our customers is using a third-party app server, hosted elsewhere, for their event calendaring system. They refuse to try to use Let’s Encrypt, and rather have sent me a CSR for the site.

Is there a way to implement Let’s Encrypt starting with a CSR? Or do I need to get one from a different CA?

Thanks


#2

Yes, it’s possible. However, not ideal, as you’ll need to undergo a manual procedure every couple months to renew the certificate as they only last 90 days. The simplest method would be to use an online service like ZeroSSL to get the certificate. However, in order to do so, you would either need to control the domain’s DNS records, or place a specific file in /.well-known/acme-challenge/ in their web root directory.

I think your customer has a fundamental misunderstanding of your role in this process. You’re not a certificate authority, or at least you’re not serving as one in this instance. Whoever is requesting a certificate needs to prove ownership of the domain in question to a certificate authority, and since (as far as I understand in this context) you do not control events.devilslakend.com, you would not be the one who should be requesting these certificates. Instead, your customer should be uploading that CSR to ZeroSSL and performing the challenges.


#3

Let’s Encrypt (and the ACME protocol) use CSRs internally for the issuing of certificates. So yes, this is possible. It depends however on the client application used on how a user can implement a separate CSR.

However, in what capacity are you as a company involved in the management of a third party server? I’m sure that third party server has a different hosting provider. Why does the customer appeal to you for this certificate?

Also note that it really doesn’t matter what extra information the customer added to the certificate (such as Company, Country, City, that sort of stuff), Let’s Encrypt only extracts the domain names, the public key and some options (currently only Must Staple, if present). So the actual use of a separate CSR is mostly restricted to situations where a very specific public key has to be used.


#4

Thanks for the responses. I will try to explain the situation more thoroughly.

We host the base websites for the domain devilslakend.com (www.devilslakend.com, tourism.devilslakend.com, relocate.devilslakend.com, etc.) other than one: events.devilslakend.com, which is hosted by a company named Localist, which specializes in marketing crap. (:smile:)

We also host the DNS service for the entire domain (not to mention e-mail).

My customer (the local Chamber of Commerce, the owner of the devilslakend.com domain) does not understand SSL. The person I am dealing with only understands that she cannot make any changes to her events site any more, as SSL is required via the Facebook interface to update it. So, she’s stuck and looking for help. Which is what I am trying to provide to her.

Now, the Localist people (who host the events.devilslakend.com site) probably do NOT understand letsencrypt. And they don’t want to be burdened with dealing with the cost and complexity of SSL, other than installing the cert that is provided to them by the customer (which, since the domain owner has no idea how to do this, will fall on us, their hosting provider for the other parts of their domain).

I truly don’t believe that they have done any investigation into letsencrypt, or we wouldn’t be having this discussion. So, I am trying to find a way to use letsencrypt in the old way, with CSRs, intermediate, and certs that they can put on their server. If that means we need to do this every three months, maybe the inconvenience will cause them to look into it further, and eventually automate it themselves. The other option is for the customer to purchase a traditional cert (meaning, I will be doing all the legwork and charging them), and using a year-long cert from a different CA.

Advice?


#5

In this case, you could definitely use something such as ZeroSSL (linked above) to handle this. That’s one of a few browser-based clients to use Let’s Encrypt. You seem to understand the caveats, and are in a position to prove control over the domain (in the same way that any hosting provider would be) since you manage the DNS. In this case, you would want to make sure to select the “DNS” method of authentication. For events.devilslakend.com, this will require creating a TXT record for _acme-challenge.events.devilslakend.com, with some specific contents. Once you do so and the challenge is validated, you will be provided with the certificate and intermediate, which can be provided to the third party for installation on their system.


#6

Oh, perfect! zerossl.com is absolutely the answer.

Thanks for the help, everyone! I truly appreciate it!

Alex


#7

Hi @alexmoen

Perfect? If you manage the DNS entries, are you able to create new DNS entries via a script / API or something else?

Install Certbot (or acme.sh); then this client can create a new order, change the _acme-challenge TXT entry, use the CSR, and send a mail with the certificate.

So you don’t need a manual interaction with zerossl.


#8

A “manual” process at each renewal (60-90 days).
You would need to charge for your time.
Or somehow develop software to automatically accommodate this single client’s needs.
[not worth the effort - IMHO]


#9

Did you read the thread? I CANNOT INSTALL CERTBOT. I don’t have control of the server, it’s a third-party service that my customer is using. So, in this particular instance, zerossl.com is indeed a workable solution.

I use certbot on all of my other domains, including the other subdomains that this particular customer has. This is a good compromise between no cert and a traditional 1 or 2 year cert and the expense.


#10

I will just deal with it every couple of months. I agree that it’s not worth the effort to automate at this point, for one instance of the problem.


#11

You can use your local Certbot with --preferred-challenges dns certonly.

Not the certbot on this other system.


#12

And the customer provided CSR.