Getting an SSL certificate

Hello there! I just have a question. Is it possible to get an SSL certificate for a computer that has no access from the internet?

2 Likes

The computer that gets the cert must already have access to the internet.
After that, it can be installed on the computer with no access to the internet.
Self-signed certs can also be used for internal use.
https://jamielinux.com/docs/openssl-certificate-authority/

3 Likes

Yes.

No inbound connections are necessary when using the dns-01 challenge type. The server only needs outbound access to the internet so it can reach the Let's Encrypt API servers and possibly your DNS server to publish the records unless the zone master or API endpoint is available internally.

As @jens_hb mentioned, it is also technically possible to use a second machine that has the necessary internet access to obtain the certificate and then transfer it to the first machine.

5 Likes

Note: Outbound access need not be direct. Indirect outbound access may also work.

If you can tell someone to do it for you.
And they tell someone else to do it for them.
...
And it gets done.
Then it will work.
[provided you wait long enough for it to actually get done before telling LE to check for it being done]

2 Likes

Thank you all! One more question: can I get a cert for a computer that has no domain name but only an IP?

3 Likes

Not with Let's Encrypt: LE does not allow IP addresses in the certificate, just hostnames.

4 Likes

Not yet!
But there are plans for that.
Mind you, CA certs won't ever cover IPs in RFC-1918 range.

2 Likes

However, those plans have been shelved indefinitely. See for more info: Planned RFC 8738 support pulled? - #3 by josh

3 Likes

I think ZeroSSL has that, but it's not on the ACME side, so you have to use the web app IIRC. Keep in mind it has a different policy, so it's unlikely you can add many other names to it without paying them.

3 Likes

I've always been concerned about how to handle IP certs on shared IPs.
Surely not going to be an easy task.
How would the DNS-01 component for that even operate securely?!?!?! - LOL

2 Likes

https://datatracker.ietf.org/doc/html/rfc8738

They don't allow the DNS challenge on IP addresses, obviously.

For shared hosting, unless the hosting provider is braindead and allows a client to host a site on its rDNS zone, or one of the client sites is the default page rather than their landing page, clients won't get a cert for the IP.

3 Likes

Then it fails to be combinable with the default user request:

I need a single cert to cover my:

  • FQDN
  • wildcard for FQDN
  • IP for FQDN

How can those three entries ever get onto one single LE cert?
[lots of hard work will be required for sure]

2 Likes

Easy peasy with Posh-ACME. :stuck_out_tongue: Each identifier in a cert order can be used with a different validation plugin. Contrived example:

$pArgs = @{
    CFToken = (Read-Host 'Cloudflare Token' -AsSecureString)
}
New-PACertificate 'example.com','*.example.com','1.1.1.1' -Plugin Cloudflare,Cloudflare,WebSelfHost -PluginArgs $pArgs

3 Likes

Now we just need to make PowerShell on Linux systems as normal a thing as it is on Windows.
Maybe there is also a simple Docker container example for the fearful/paranoid (like myself).

2 Likes

This would be easy. Each identifier is associated with its own set of challenges that can validate that identifier. The wildcard name would only have a DNS challenge associated; the IP would have no DNS challenge associated. Fulfill all the challenges, and the cert could be issued.

3 Likes

The problem is that most ACME clients (including certbot) don't offer split challenge methods between FQDNs. You would need to verify each one, one at a time, with its own challenge method, then take advantage of validation caching to combine them. You could usually group FQDNs with a common method.

3 Likes
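To make the per-identifier challenge handling discussed above concrete, here is an added Python example (not code from Posh-ACME, certbot or any poster): for each authorization in an ACME order it picks a challenge following the rules stated in this thread (wildcards get dns-01 only, IP identifiers never get dns-01, plain names prefer dns-01 so no inbound access is needed) and precomputes the dns-01 TXT record value as RFC 8555 defines it. The account key coordinates, tokens and authorization objects are constructed placeholders, and nothing here talks to a CA.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    # Base64url without padding, as used throughout ACME (RFC 8555)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, keys sorted, no whitespace, then SHA-256
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def dns01_txt_value(token: str, thumbprint: str) -> str:
    # TXT content for _acme-challenge.<name>: base64url(SHA-256(token "." thumbprint))
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())
# Challenge preference per identifier kind: dns-01 first for names (no inbound connection
# needed); wildcards may only use dns-01; IP identifiers may never use dns-01 (RFC 8738).
PREFERENCE = {"ip": ("http-01", "tls-alpn-01"), "wildcard": ("dns-01",),
              "dns": ("dns-01", "http-01", "tls-alpn-01")}

def pick_challenge(authz: dict) -> dict:
    kind = "ip" if authz["identifier"]["type"] == "ip" else ("wildcard" if authz.get("wildcard") else "dns")
    for wanted in PREFERENCE[kind]:
        for challenge in authz["challenges"]:
            if challenge["type"] == wanted:
                return challenge
    raise ValueError(f"no usable challenge offered for {authz['identifier']}")

def plan_order(authzs: list, account_jwk: dict) -> list:
    # One entry per authorization: which challenge to fulfil, and the TXT value if it is dns-01
    thumb = jwk_thumbprint(account_jwk)
    plan = []
    for authz in authzs:
        name = ("*." if authz.get("wildcard") else "") + authz["identifier"]["value"]
        ch = pick_challenge(authz)
        txt = dns01_txt_value(ch["token"], thumb) if ch["type"] == "dns-01" else None
        plan.append({"name": name, "challenge": ch["type"], "txt": txt})
    return plan

# Constructed sample input: key coordinates and tokens are placeholders, not real ACME data
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
SAMPLE_AUTHZS = [
    {"identifier": {"type": "dns", "value": "example.com"},
     "challenges": [{"type": "http-01", "token": "tokA"}, {"type": "dns-01", "token": "tokB"}]},
    {"identifier": {"type": "dns", "value": "example.com"}, "wildcard": True,
     "challenges": [{"type": "dns-01", "token": "tokC"}]},
    {"identifier": {"type": "ip", "value": "1.1.1.1"},
     "challenges": [{"type": "http-01", "token": "tokD"}, {"type": "tls-alpn-01", "token": "tokE"}]},
]
```

Calling plan_order(SAMPLE_AUTHZS, ACCOUNT_JWK) yields one step per identifier; the wildcard entry carries a TXT value for _acme-challenge.example.com and the IP entry carries none, which is the split a single-order client would have to drive.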

And this can be done easily in certbot (our biggest most popular ACME client)?

2 Likes

Could you guys please tell me which way I should go if I want to use HTTPS with a custom web server? Like if I create my own HTTP server.

2 Likes

Well if you are going to encrypt, you will need a cert.
LE offers FREE certs via ACME protocol.
There are many ACME clients that can be used on just about every operating system known to (this) man.

From there it really depends on the software that will be using the cert.

2 Likes

I would be really thankful if you could suggest something for me to read, because I'm kind of new to this topic. I am creating a web application that works over WebSockets with an app written in Delphi using the Indy web browser component or something like this, I am not sure :slight_smile: I need to go secure. Self-signed certs don't work :frowning: it always says INVALID_CERT_COMMON_NAME or INVALID_AUTHORITY. I really need to read something on this topic because something didn't quite add up in my mind :slight_smile: Thank you

2 Likes