Getting a cert for subdomain that is not available via HTTP?

I’d like to be able to add certificates for some of my sub-domains that do not have HTTP (for example, lets say I want a cert for SFTP).

Obviously, wildcards will solve this, but I don’t know when they are arriving.

Hi @LwsBtlr,

Many clients (including Certbot) support a “standalone” feature that creates a temporary web server that only exists for the time of the CA validation (including re-creating it temporarily for certificate renewal). This does still require you to be able to receive inbound connections on port 80 (for example, not having it blocked by a firewall or something), but you don’t have to have an existing or full-time web server. In Certbot, you can do this by running certbot --standalone and specify the domains you want (which should already be pointed at the server where you’re running Certbot) with -d options.

If you can’t receive inbound connections, there is also a DNS validation method, which works best if you have access to an API that you can use to programmatically create records in your DNS zone (or, if you prefer, in some other DNS zone that can be pointed to by certain long-lived CNAME records that exist in the main DNS zone(s)).

I think it’s hard to use Let’s Encrypt certificates out-of-the-box for SFTP because it isn’t a TLS-based service, so there’s no way to present an X.509 certificate in the SFTP protocol (as opposed to the FTPS protocol, which is TLS-based). But you can definitely use Let’s Encrypt certificates for non-HTTPS protocols that use TLS for security.

SFTP was just an example of something that might’ve a subdomain and needs a cert.

if I have and that has no HTTP on it, I can’t get a cert for it, or if I can, I don’t know how. Adding it to domains.txt fails.


Have you tried the certbot manual --dns plugin??

Thank you

As @schoen said, if can’t accept HTTP connections, you can use DNS validation. dehydrated (which I’m guessing you’re using since you mention domains.txt) supports DNS validation, but it’s really only a viable solution if your DNS provider has an API that allows you to automate the updates.

If you just don’t have an existing HTTP service, you can use certbot --standalone -d

If you have no ability to reach that host on port 80 (for example because of a firewall blocking port 80), then you would have to use the DNS method instead, where the automation details then depend on who your DNS provider is (because they have different APIs, or sometimes no API at all).

Ah, right, I see now. I forgot about DNS validation. (I am my own DNS via Bind 9.12).

(for some reason I only saw the later reply and not schoen’s reply… certainly a PEBKAC issue :slight_smile:)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.