I hope this question makes sense; it's not something I've needed before.
A whitelabel software provider I am working with requires from me an SSL certificate for my domain that they'll use to host my whitelabel setup.
I'm familiar with running certbot on my own hosted websites and servers; I tend to use the command sudo certbot --apache -d example.com and this will install the certificate and practically do all the setup for me.
I'm also familiar with a DNS setup where I get 1 or more records, usually when I do a wildcarded subdomain.
But the team at my whitelabel software support desk have advised that I need to provide an SSL certificate for my domain (as opposed to them just doing it their end and sending me the CNAME records etc.).
Does anyone know what I need to do, in order to generate an SSL certificate, to give to them?
I'll also need to provide the private key.
I won't actually be hosting the whitelabel myself, which is what confused me: I need to provide a cert for something I am not hosting.
Am I overthinking this - can I just spin up a web server, temporarily point the A records to it, set up Let's Encrypt for that server, and then somehow find the certificate and keys, give them to them, and then change the DNS to point to the white label?
The easy way is for them to be performing http-01 validation themselves.
If you want to use dns-01 and get a certificate that way, you can, by running the ACME client wherever you want. But you'll have to send them a new certificate keypair every 60-90 days. And that's bullshit.
A request like that would be enough to make me reconsider this whitelabel provider.
Yes, while the DNS challenge might be easier in this case you could also use certbot standalone authentication as you describe. You would not need to configure a web server.
But, I agree with @9peppe that I would reevaluate the white label service. If they can't manage or provide for getting certs for sites they host then what else aren't they doing?
Thanks chaps. I've done the DNS and got the certificate so I'll see what they say. Agreed, will look at a new provider as changing the certificate every 90 days is ridiculous.
I mean, at my day job, for whitelabel providers hosting things for us we'll have them provide us a CSR and we'll go get the certificate, because then they keep the private key on their server but we own the domain name and do the authentication (and we use OV certs for everything). Having your provider ask you to send them the private key they should be using seems really bizarre, and that perhaps there was a breakdown of communication at some point.
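The CSR hand-off described in the last reply, sketched as an added example that is not part of the thread: the provider generates the key and CSR, and the domain owner checks the CSR before requesting a certificate for it. The function names, file names and example.com are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. example.com and all file names are placeholders.
# Needs OpenSSL 1.1.1 or later for -addext.

# Provider side: create the key and CSR on the host that will serve TLS.
# Only the CSR is sent to the domain owner; the key stays where it is.
make_csr() {  # usage: make_csr <domain> <key-out> <csr-out>
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
    chmod 600 "$2"
}

# Domain owner side: accept a CSR only if its self-signature verifies and
# every subjectAltName entry is a DNS name from the allowed list.
csr_ok_for() {  # usage: csr_ok_for <csr> <allowed-name>...
    csr=$1; shift
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    entries=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed 's/^ *//')
    [ -n "$entries" ] || return 1            # no SAN at all: reject
    for entry in $entries; do
        allowed=no
        for name in "$@"; do
            if [ "$entry" = "DNS:$name" ]; then allowed=yes; fi
        done
        [ "$allowed" = yes ] || return 1     # unexpected name or SAN type
    done
    return 0
}

# Demo with a constructed CSR.
demo_dir=$(mktemp -d)
make_csr example.com "$demo_dir/provider.key" "$demo_dir/provider.csr"
if csr_ok_for "$demo_dir/provider.csr" example.com; then
    echo "CSR accepted. The domain owner can now run:"
    echo "  certbot certonly --manual --preferred-challenges dns --csr $demo_dir/provider.csr"
fi
```

Certificates issued from a CSR are not picked up by `certbot renew`, so the same request has to be repeated before each expiry; what changes compared with the thread's original plan is that no private key is ever sent to anyone.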