I don't know shit and will pay for help

I need certificates for IIS on Azure Stack Hub (ISN'T THE SAME AS AZURE)
Generate certificate signing requests for Azure Stack Hub - Azure Stack Hub | Microsoft Learn

I need them for otsmartrecording.net
The region is global.

It creates a lot of CSRs for websites that don't exist.

So usually it's adminmanagement.global.otsmartrecording.net and so on.

crt.sh | otsmartrecording.net

In the past they have been created and I don't know how they were done if the domains are registered but nonexistent.

I need help. I have been asking and can't find anything useful. I'll pay for help; they are urgent.

1 Like

Some of what's showing on crt.sh may be Cloudflare automatically ordering certs (they have a split between Let's Encrypt and Google Trust Services for that).

Generally if you need a cert for a domain that doesn't serve a public website then you'll be using DNS validation, so that involves using an ACME client to update an _acme-challenge TXT record for each domain/subdomain - there are lots of possible tools, but if you are specifically using Windows then it will most likely be Certify The Web, win-acme or Posh-ACME.

I don't know Azure Stack Hub at all, so can't help with that. Maybe you have some sort of internally developed API integration with that.

2 Likes

You should also look into Azure own certificate support as they can issue certs internally for most of the azure services, removing the need for custom workflows.

3 Likes

If I put the _acme-challenge.adminmanagement.global TXT in the otsmartrecording.net DNS record, will it work and pass the DNS-01 challenge even if it doesn't exist?
And how can I order a cert from Let's Encrypt via Cloudflare?
Thanks.

1 Like

If the correct record doesn't exist, you will not pass the challenge.

You can't. Cloudflare automatically orders Let's Encrypt certificates when it needs them.

If you are asking about how to use Cloudflare nameservers with a DNS-01 challenge, the answer depends on your ACME client. You really need to start with the client.

5 Likes

"via CloudFlare" is a somewhat vague description.
Despite popular belief they do more than just one thing - LOL

If that is to be taken to mean "as a DSP", then it would apply.
If that is to be taken to mean "as a CDN", then it may not apply.
If it was intended to mean anything else... then all bets are off!

5 Likes

I'm still a bit fuzzy on what you're looking to do exactly but I think:

  • You have existing CSRs for a bunch of domains that are somehow serviced via Azure Stack Hub and you are trying to generate corresponding certificates.
  • You are using Cloudflare for your DNS
  • You want to specifically get certificates via Let's Encrypt
  • I'm assuming you normally work on Windows OS, not Linux.

You could probably use something like Certify The Web to order a cert for a CSR (New Certificate > then under Advanced, Signing and Security choose your custom CSR), then under Authorization configure DNS validation using Cloudflare and a Cloudflare API key. However, this can be cumbersome if you are setting up a lot of domains (there are advanced options for scripting config though). It could be worth it as an experiment to see if it works for what you need.

As an alternative, how about Posh-ACME (PowerShell): https://poshac.me/ - they have an option to load a CSR as part of the order: docs/v4/Functions/New-PAOrder/ - they also have a Cloudflare DNS provider plugin. If you can get it working for one then you can probably get it working for all of them. Keep in mind that if you have many subdomains there is a Let's Encrypt rate limit of 50 certs per week per domain and that includes requests for subdomain certs on the same domain.

Could you use a single wildcard certificate for *.global.otsmartrecording.net instead of managing lots of individual certs?

The general process for ordering a cert from Let's Encrypt is to use an ACME client (there are hundreds of possible ones) to:

  • create an ACME certificate order using your custom CSR
  • use HTTP validation or DNS validation to prove you still control the domain; as these aren't public websites, you'll be using DNS validation. DNS validation adds/updates an _acme-challenge TXT record with a new value for each cert renewal, which Let's Encrypt then checks to prove you still control that domain. This process is dependent on using an ACME client that can talk to your DNS provider (Cloudflare).
  • once domain validation is complete the ACME client can complete the order and download the cert, the file format for which will vary.
  • You then need to deploy your cert however you need it (does Azure Stack Hub expect a certificate upload or can you script it?)

5 Likes

The thing is that these other websites don't exist, only otsmartrecording.net; the other ones are registered but nonexistent.

1 Like

Not a problem since certificates are (usually) only issued for registered domain names and/or their subdomain names and not websites. A website is not required to acquire a certificate.

7 Likes

Why do you need a cert for these?

4 Likes

They are used in an intranet.

1 Like

How do I do it? Because every time I try to get them it says that it needs to check DNS records for that website or access to one of its ports.

1 Like

A website doesn't have DNS records. A domain name has DNS records. If you have a domain name registered, you should have access to the DNS zone (records) for that domain name. To acquire a certificate, you'll need to fulfill a DNS-01 challenge for each domain name and subdomain name that you want your certificate to cover, which involves adding a special DNS text (TXT) record for each such domain name and subdomain name to the DNS zone(s) for those domain and subdomain names. These special records are provided by whichever ACME client software you use. Some of these softwares can add the records to your DNS zone(s) for you if you provide access for them to do so.

6 Likes

I don't have access to the DNS zones; everyone keeps insisting they can be done without any type of access.

1 Like

With no website (or, rather, webserver) for completing HTTP-01 challenges and no DNS access for completing DNS-01 challenges, I don't know how you're going to prove control over the (sub)domain name(s).

5 Likes

Yes, typically, for a public web site, but not for a private intranet site.

1 Like

Whoever told you that did not quite understand what they were saying. As others have indicated, you just need access to the web server for PUBLIC web sites, but for internal-only web servers you need to either (a) make some kind of web server publicly available to answer an HTTP-01 challenge or (b) put the appropriate records in your external DNS for DNS-01 challenges.

I have been peripherally involved with people that get LE certificates for internal web servers. There are no A or AAAA records on their external DNS for these servers, but they do have _acme-challenge CNAMEs that point to a subdomain just for ACME validation. The internal web servers have the ability to add and remove the correct TXT records in that subdomain. There's really no other way to do it.

3 Likes
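Added example, not code from this thread or from any ACME client: a small Python model of the DNS-01 check behind the ordering steps listed above and of the _acme-challenge CNAME delegation pattern from the previous post. The account key JWK, challenge token, zone contents and the acme-validation subdomain name are constructed placeholders; the TXT value and thumbprint computations follow RFC 8555 and RFC 7638.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 of the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT content the CA expects: base64url(SHA-256(token "." thumbprint)), RFC 8555 section 8.4."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())

def lookup_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Return the TXT strings at name, following CNAMEs the way a validating resolver does."""
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]  # hop to the validation-only subdomain
            continue
        return list(rrset.get("TXT", []))
    return []  # name absent, or a CNAME loop

def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """True only if _acme-challenge.<identifier> yields a TXT holding the expected value."""
    return dns01_txt_value(token, thumbprint) in lookup_txt(zone, f"_acme-challenge.{identifier}")

# Constructed sample data: hypothetical account key, token and delegation target, not real values.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN = "constructed-challenge-token"
HOST = "adminmanagement.global.otsmartrecording.net"
VALIDATION_NAME = "adminmanagement.acme-validation.otsmartrecording.net"

def build_sample_zone() -> dict:
    """In-memory stand-in for the public zone: no A/AAAA for the intranet host, only the delegation."""
    return {
        f"_acme-challenge.{HOST}": {"CNAME": VALIDATION_NAME},
        VALIDATION_NAME: {"TXT": [dns01_txt_value(TOKEN, jwk_thumbprint(ACCOUNT_JWK))]},
    }

if __name__ == "__main__":
    zone = build_sample_zone()
    print("fresh token passes:", validate_dns01(zone, HOST, TOKEN, jwk_thumbprint(ACCOUNT_JWK)))
```

Against a real zone you would replace `lookup_txt` with an actual resolver query to the public nameservers, since that is where the CA looks; a record visible only on internal DNS never passes.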

Is it possible/likely that all the previous certs you may have acquired were from an internal certificate authority (not Let's Encrypt)? Example internal CA services include Active Directory Certificate Services, smallstep etc.

If this isn't really making sense I'd advise outsourcing the work to someone who specializes in azure stack hub configuration. I don't think anyone here really uses it.

3 Likes

How can I do that?

1 Like

I thought so, but when I said that I got the certificates to see that they were, in fact, made by Let's Encrypt.

Also you can see here they were created by them.

crt.sh | otsmartrecording.net

1 Like