Is it possible to generate a cert for a subdomain with no DNS record?

dramatic · October 20, 2016, 9:10pm

I have set up a subdomain db.permaculture.org.nz in order to run phpMyAdmin. Our intention was to not have an A record for this subdomain, with the two people who need to access it configuring their HOSTS files. (which I guess counts as security by obfuscation).

However, Certbot refused to create the cert:

Failed authorization procedure. db.permaculture.org.nz (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for db.permaculture.org.nz

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: db.permaculture.org.nz
   Type:   unknownHost
   Detail: No valid IP addresses found for db.permaculture.org.nz

Now I could create the A record and remove it after generating the certificate, but this is a nuisance, and wouldn't I have to repeat it every 90 days to renew the cert (worse, would it affect the auto-renew of the other subdomain certs?)
Is there any alternative workaround?

My operating system is (include version): CentOS 6.8

My web server is (include version): Apache 2.4

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

TCM · October 20, 2016, 9:16pm

Use dns-01 challenge?

tialaramex · October 20, 2016, 9:18pm

There doesn’t have to be an A or AAAA record but the name must exist in DNS. You can prove control with a DNS TXT record (thus Let’s Encrypt don’t actually connect to the machine)

If you control the domain but aren’t willing to have any records for the exact name, other CAs may be able to accommodate that but Let’s Encrypt does not.

tialaramex · October 20, 2016, 9:27pm

Also keep in mind that Let’s Encrypt publishes all the certificates it signs to the Certificate Transparency logs. Some CAs today don’t do that, or will let you opt out, but certificates are public documents and anybody who sees a certificate is entitled to add it to a log. It is very possible that key trust stores will make this mandatory at some point to protect the integrity of the PKI. So you probably shouldn’t aim to keep the contents of the certificate secret.

dramatic · October 20, 2016, 11:07pm

How do I go about this? I presume that the TXT record will have to be a string that Lets Encrypt provides?

tialaramex · October 20, 2016, 11:38pm

The latest versions of Certbot or some other Let’s Encrypt clients, particularly those using bash for some reason offer to prove control through dns-01 challenges. This challenge type is the one with TXT records. You should read documentation specific to the client you’ll use. Ideally you have some way for a program to update DNS as doing it by hand several times per year will get old.

ahaw021 · October 21, 2016, 9:49am

hi dramatic

have a look at clients such as certbot or bash

Most DNS providers also have an API interface for updating txt records which you can use to help with automation

system · November 20, 2016, 10:04am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.