Hello there! I just have a question. Is it possible to get an ssl certificate for a computer that has no access from the internet?
The computer that gets the cert must already have access to the internet.
After that it can be installed on the computer with no access to the internet.
Self-signed certs can also be used for internal use.
https://jamielinux.com/docs/openssl-certificate-authority/
Yes.
No inbound connections are necessary when using the dns-01 challenge type. The server only needs outbound access to the internet so it can reach the Let's Encrypt API servers and possibly your DNS server to publish the records unless the zone master or API endpoint is available internally.
As @jens_hb mentioned, it is also technically possible to use a second machine that has the necessary internet access to obtain the certificate and then transfer it to the first machine.
Note: Outbound access need not be direct. Indirect outbound access may also work.
If you can tell someone to do it for you.
And they tell someone else to do it for them.
...
And it gets done.
Then it will work.
[provided you wait long enough for it to actually get done before telling LE to check for it being done]
Thank you all! One more question: can I get a cert for a computer that has no domain name but only an IP?
Not with Let's Encrypt: LE does not allow IP addresses in the certificate, just hostnames.
Not yet!
But there are plans for that.
Mind you, CA certs won't ever cover IPs in RFC-1918 range.
However, those plans have been shelved indefinitely. See for more info: Planned RFC 8738 support pulled? - #3 by josh
I think ZeroSSL has that, but it's not on the ACME side, so you have to use the web app IIRC. Keep in mind it has a different policy, so you are unlikely to be able to add many other names to it without paying them.
I've always been concerned about how to handle IP certs on shared IPs.
Surely not going to be an easy task.
How would the DNS-01 component for that even operate securely?!?!?! - LOL
https://datatracker.ietf.org/doc/html/rfc8738
They don't allow the DNS challenge on IP addresses, obviously.
For shared hosting, unless the hosting provider is braindead and allows a client to host a site on its rDNS zone, or one of the client sites is the default page rather than their landing page, clients won't get a cert for the IP.
Then it fails to be combinable with the default user request:
I need a single cert to cover my:
- FQDN
- wildcard for FQDN
- IP for FQDN
How can those three entries ever get onto one single LE cert?
[lots of hard work will be required for sure]
Easy peasy with Posh-ACME. Each identifier in a cert order can be used with a different validation plugin. Contrived example:
# Plugin arguments: the Cloudflare API token used by the Cloudflare (dns-01) plugin, read as a SecureString
$pArgs = @{
    CFToken = (Read-Host 'Cloudflare Token' -AsSecureString)
}
# One plugin per identifier, in order: Cloudflare DNS for the name and the wildcard,
# WebSelfHost (Posh-ACME's built-in HTTP challenge listener) for the IP address
New-PACertificate 'example.com','*.example.com','1.1.1.1' -Plugin Cloudflare,Cloudflare,WebSelfHost -PluginArgs $pArgs
Now we just need to make PowerShell on Linux systems as normal a thing as it is on Windows.
Maybe there is also a simple Docker container example for the fearful/paranoid (like myself).
This would be easy. Each identifier is associated with its own set of challenges that can validate that identifier. The wildcard name would only have a DNS challenge associated; the IP would have no DNS challenge associated. Fulfill all the challenges, and the cert could be issued.
The problem is that most ACME clients (including certbot) don't offer split challenge methods between FQDNs. You would need to verify each one, one at a time, with its own challenge method, then take advantage of validation caching to combine them. You could usually group FQDNs with a common method.
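The per-identifier challenge selection described in the two posts above (and the earlier points that dns-01 needs no inbound access and that IP identifiers cannot use the DNS challenge) can be made concrete with a small planner. The following is an added example, not code from the thread or from any ACME client: it takes an order with one authorization per identifier, picks a challenge type that is both offered by the CA and permitted for that identifier kind (RFC 8555 for DNS names and wildcards, RFC 8738 for IP identifiers), and computes what the client would have to publish (the dns-01 TXT value, the http-01 response body, or the tls-alpn-01 digest). The account JWK, tokens, IP address and order structure are all constructed placeholders.

```python
import base64
import hashlib
import json

# Which challenge types may validate which identifier kind:
# RFC 8555 section 7.1.3: wildcard names are dns-01 only;
# RFC 8738 section 5: ip identifiers are http-01 or tls-alpn-01 only.
ALLOWED_CHALLENGES = {
    ("dns", False): {"dns-01", "http-01", "tls-alpn-01"},
    ("dns", True): {"dns-01"},
    ("ip", False): {"http-01", "tls-alpn-01"},
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def usable_challenge_types(authz: dict) -> set:
    """Challenge types the CA offered for this authorization that are also valid for its identifier."""
    ident = authz["identifier"]
    allowed = ALLOWED_CHALLENGES[(ident["type"], bool(authz.get("wildcard", False)))]
    return {c["type"] for c in authz["challenges"]} & allowed


def choose_challenge(authz: dict, preference=("dns-01", "http-01", "tls-alpn-01")) -> dict:
    """Pick the first preferred challenge that is both offered and permitted for this identifier."""
    usable = usable_challenge_types(authz)
    offered = {c["type"]: c for c in authz["challenges"]}
    for ctype in preference:
        if ctype in usable:
            return offered[ctype]
    ident = authz["identifier"]
    raise ValueError(f"no usable challenge for {ident['type']}:{ident['value']}")


def plan_order(order: dict, account_jwk: dict) -> list:
    """Return, per authorization, what the client must publish before asking the CA to validate."""
    thumb = jwk_thumbprint(account_jwk)
    plan = []
    for authz in order["authorizations"]:
        ident = authz["identifier"]
        chal = choose_challenge(authz)
        key_auth = key_authorization(chal["token"], thumb)
        entry = {"identifier": ident["value"],
                 "wildcard": bool(authz.get("wildcard", False)),
                 "challenge": chal["type"]}
        if chal["type"] == "dns-01":
            # The authorization for "*.example.com" carries identifier "example.com" plus
            # wildcard=true, so the base name and the wildcard share one TXT record name
            # (two TXT records at the same name, different values).
            entry["publish"] = {"record": f"_acme-challenge.{ident['value']}",
                                "txt": dns01_txt_value(key_auth)}
        elif chal["type"] == "http-01":
            entry["publish"] = {"path": f"/.well-known/acme-challenge/{chal['token']}",
                                "body": key_auth}
        else:
            # tls-alpn-01 (RFC 8737): the acmeIdentifier extension carries SHA-256(keyAuthorization).
            entry["publish"] = {"acme_identifier_sha256": hashlib.sha256(key_auth.encode("ascii")).hexdigest()}
        plan.append(entry)
    return plan


# Constructed sample data: the JWK coordinates are placeholders (not a real key), the tokens
# are placeholders, and 192.0.2.10 is from the documentation address range.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-coordinate",
              "y": "placeholder-y-coordinate", "alg": "ES256"}
SAMPLE_ORDER = {"authorizations": [
    {"identifier": {"type": "dns", "value": "example.com"},
     "challenges": [{"type": "http-01", "token": "tokA"},
                    {"type": "dns-01", "token": "tokB"},
                    {"type": "tls-alpn-01", "token": "tokC"}]},
    {"identifier": {"type": "dns", "value": "example.com"}, "wildcard": True,
     "challenges": [{"type": "dns-01", "token": "tokD"}]},
    {"identifier": {"type": "ip", "value": "192.0.2.10"},
     "challenges": [{"type": "http-01", "token": "tokE"},
                    {"type": "tls-alpn-01", "token": "tokF"}]},
]}

if __name__ == "__main__":
    for entry in plan_order(SAMPLE_ORDER, SAMPLE_JWK):
        print(json.dumps(entry))
```

Running it shows the split a single-method client cannot express: the name and the wildcard both resolve to dns-01 at `_acme-challenge.example.com` (two TXT values), while the IP identifier falls through to http-01 because dns-01 is not in its allowed set. Only the dns-01 entries can be satisfied from a host with outbound-only access; the http-01 entry needs the CA to reach the IP inbound.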
And this can be done easily in certbot
(our biggest most popular ACME client)?
Could you guys please tell me which way I should go if I want to use HTTPS with a custom web server? Like if I create my own HTTP server.
Well if you are going to encrypt, you will need a cert.
LE offers FREE certs via ACME protocol.
There are many ACME clients that can be used on just about every operating system known to (this) man.
From there it really depends on the software that will be using the cert.
I would be really thankful if you suggested something for me to read, because I'm kind of new to this topic. I am creating a web application that works over WebSockets with an app written in Delphi using the Indy web browser component or something like this; I am not sure I need to go secure. Self-signed certs don't work:
it always says INVALID_CERT_COMMON_NAME or INVALID_AUTHORITY. I really need to read something on this topic cuz something didn't quite add up in my mind.
Thank you