How can I get certificate if I have no control over a website?

Hi,

I manage a mail server mail.example.org. I would like to use a letsencrypt certificate for the encrypted email communication. I have full control over the mail.example.org computer. This is a linux box.

In the past I used StartSSL, and they had a challenge that sent an email to postmaster@example.com.
All the letsencrypt documentation I have read so far assumed that I want to secure a webserver and have control over that webserver, and the challenges are designed to prove this. In the past, for another computer where I had a website as well as a mail server, I used certbot and the letsencrypt process worked perfectly.

But this time the context is different. There is no website called mail.example.org, and the computer does not have an http server installed.

example.org and www.example.org both resolve to a different IP address. I have no control over that computer. Since they are different domain names, this is probably not relevant.

The IP address that mail.example.org resolves to is shared with another domain. mail.example.org:80 and mail.example.org:443 requests are forwarded to a third computer (and another company’s website is shown). I have no control over that computer.

What ways do I have to prove my control and authority of the mail.example.org domain?

I can install an http server on the mail.example.org computer and run it on some non-standard port. Would letsencrypt work with that?

Please fill out the fields below so we can help you better.
My domain is:
I ran this command: none so far
It produced this output: -
My web server is (include version): no web server at the moment
The operating system my web server runs on is (include version): Debian Jessie
My hosting provider, if applicable, is: none
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @gee,

There are three ways, called the TLS-SNI-01, HTTP-01, and DNS-01 challenges. These are defined by the ACME protocol specification.

As used by Let's Encrypt, TLS-SNI-01 requires you to receive an inbound connection on port 443, HTTP-01 requires you to receive an inbound connection on port 80, and DNS-01 requires you to make a specified change to the DNS records for the domain's zone.

From what you've described, it sounds like only the DNS-01 method would work for you. Can you make changes to the DNS records for example.org, either manually or via an API?

Also, if you could get the people who run the "third computer" to cooperate with you by setting up an HTTP forward for HTTP requests to URLs under http://mail.example.org/.well-known/acme-challenge/ so that they get redirected to any other machine that you control (or to HTTP on a different port on mail.example.org), then you can ultimately pass the HTTP-01 challenge via redirection.
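To make the redirect suggestion concrete, here is an added illustration (not Let's Encrypt's, certbot's or the poster's code) that models how an ACME server's HTTP-01 validator fetches the challenge response and follows redirects. The rules modelled are Let's Encrypt's current ones as I understand them, and are stated here as assumptions: the request starts at http://mail.example.org:80/.well-known/acme-challenge/<token>, at most 10 redirects are followed, and only to http or https targets on ports 80 or 443. That last rule matters for this thread: a redirect from the shared front end to a host you control on port 80 (acme.example.org below, a made-up name) passes, while a redirect to a non-standard port such as mail.example.org:8080 is refused before the content is even fetched. The token, thumbprint and hostnames are constructed sample data.

```python
"""
Model of an ACME HTTP-01 validator fetching the challenge response, with the
redirect handling that the "forward /.well-known/acme-challenge/ elsewhere"
workaround depends on. Added illustration, not Let's Encrypt or certbot code.

Assumed validator rules (Let's Encrypt's current behaviour as understood here):
start at http://<domain>:80/, follow at most 10 redirects, and only to http or
https targets on ports 80 or 443.
"""
from urllib.parse import urlsplit

MAX_REDIRECTS = 10
DEFAULT_PORT = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample values; a real token and account-key thumbprint come from the CA and client.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def key_authorization(token, thumbprint):
    """Body the validator expects: the token, a dot, and the account key's JWK thumbprint."""
    return f"{token}.{thumbprint}"


def make_fetch(network):
    """Build a fake HTTP GET over a table {(host, port, path_prefix): (status, body)}.

    For redirect statuses the body is the Location header; "{path}" in it is
    replaced by the requested path, like nginx's $request_uri.
    """
    def fetch(host, port, path):
        matches = [(prefix, resp) for (h, p, prefix), resp in network.items()
                   if h == host and p == port and path.startswith(prefix)]
        if not matches:
            return 404, ""
        # Longest prefix wins, as a web server's most specific location block would.
        _, (status, body) = max(matches, key=lambda m: len(m[0]))
        return status, body.replace("{path}", path)
    return fetch


def validate_http01(domain, token, thumbprint, fetch):
    """Return (ok, reason) for an HTTP-01 validation of `domain` using `fetch`."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORT:
            return False, f"redirect to unsupported scheme {parts.scheme!r}"
        port = parts.port or DEFAULT_PORT[parts.scheme]
        if port not in (80, 443):
            return False, f"invalid port {port} in redirect target; only 80 and 443 are followed"
        status, body = fetch(parts.hostname, port, parts.path)
        if status in REDIRECT_CODES:
            url = body                      # follow the Location header
            continue
        if status != 200:
            return False, f"HTTP {status} from {url}"
        if body.strip() != key_authorization(token, thumbprint):
            return False, f"wrong key authorization served by {url}"
        return True, f"validated via {url}"
    return False, "too many redirects"


CHALLENGE_PATH = "/.well-known/acme-challenge/"
OTHER_SITE = (200, "<html>Some other company's homepage</html>")
ANSWER = (200, key_authorization(TOKEN, THUMBPRINT))

# 1. The situation in the question: the other company's site answers on mail.example.org:80.
NO_REDIRECT = {
    ("mail.example.org", 80, "/"): OTHER_SITE,
}
# 2. The suggested fix: the front end redirects only the ACME path to a host the mail
#    admin controls (constructed name acme.example.org), which answers on port 80.
REDIRECT_TO_OWN_HOST = {
    ("mail.example.org", 80, "/"): OTHER_SITE,
    ("mail.example.org", 80, CHALLENGE_PATH): (301, "http://acme.example.org{path}"),
    ("acme.example.org", 80, CHALLENGE_PATH + TOKEN): ANSWER,
}
# 3. Redirecting to a non-standard port on mail.example.org itself: the content is
#    right, but the validator refuses to follow a redirect to port 8080.
REDIRECT_TO_ODD_PORT = {
    ("mail.example.org", 80, CHALLENGE_PATH): (301, "http://mail.example.org:8080{path}"),
    ("mail.example.org", 8080, CHALLENGE_PATH + TOKEN): ANSWER,
}


def run_scenarios():
    """Validate mail.example.org against each constructed network; returns {name: (ok, reason)}."""
    return {name: validate_http01("mail.example.org", TOKEN, THUMBPRINT, make_fetch(net))
            for name, net in [("no redirect", NO_REDIRECT),
                              ("redirect to own host:80", REDIRECT_TO_OWN_HOST),
                              ("redirect to :8080", REDIRECT_TO_ODD_PORT)]}


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

In practice the front end's side of scenario 2 is a single location block on the third company's server, for example nginx `location /.well-known/acme-challenge/ { return 301 http://acme.example.org$request_uri; }` inside the `server` block for mail.example.org, and the target host can answer with `certbot certonly --standalone -d mail.example.org`, since certbot's standalone plugin serves the response on port 80 for whatever name the validator was redirected from. A quick check before asking the CA is `curl -sI http://mail.example.org/.well-known/acme-challenge/test`, which should show the 301 and a Location on port 80 or 443.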

Interesting.

The DNS records are kept with our ISP - I can request changes, but there is a delay.

I can talk to the people who maintain the third computer’s website. I like the idea of redirecting to another port on mail.example.com. I will discuss this option with them.

Thanks for the suggestions.

One reason they should be able to agree is that the redirect shouldn’t be very harmful to them: it’s specific to http://mail.example.org/ and need not apply to any other URLs that may be hosted there. They should also be able to set it up once and then not have to update it in the future.
