Must use a public domain?

I am very new to certbot. I just want to ask a simple question. I'm trying to provide a certificate from certbot. I do not own a domain. I just want to use a dummy domain. But it looks like certbot only accept public registered domain? So I could not use certbot in this case right? I have to use self-signed certificate. Correct me if I am wrong.

My domain is:
php-helloworld.apps.ocp4.terry.com
I ran this command:
certbot certonly --standalone -d php-helloworld.apps.ocp4.terry.com --agree-tos -m hubin_82@126.com

It produced this output:
http-01 challenge for php-helloworld.apps.ocp4.terry.com
Waiting for verification...
Challenge failed for domain php-helloworld.apps.ocp4.terry.com
http-01 challenge for php-helloworld.apps.ocp4.terry.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
RHEL 7.4

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0


Hi @TerryHu82, and welcome to the LE community forum :slight_smile:

"domain ownership" may be an overstatement.
But certainly, if you own a domain you can get a cert for it.
But the opposite is not always the case.
What I mean is that even if you don't own a domain you may still be able to get a cert; So long as you can show sufficient control over that particular FQDN.
That is the case when public domains are used.
See:
DDNS
DDNS service providers

In short, yes it has to be a publicly resolvable FQDN (domain), but it doesn't have to be owned by you.


Thanks a lot for your quick reply! So even if I set the IP-hostname mapping in the local /etc/hosts, which makes the FQDN ping succeed, that won't work, right? (Because the FQDN check is done from the Internet, not locally, right?)

What if I use dnsmasq or other DNS servers to set up a local DNS server? This will still not work, right?

In short, for developers who want to use certbot to generate a certificate, it must be:

  1. the VM must be able to connect to the Internet
  2. the requested FQDN is resolvable from the Internet.

Both must be true, right?


A1. Yes* (depending on the authentication method, it may also need to be connected to [from the Internet]).
A2. Yes* (must always be from a publicly registered domain - although if using DNS auth, it doesn't have to resolve to any IP).

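As an added illustration of the two answers above (not code from the thread or from Certbot): a stdlib-only pre-flight that compares what the machine resolves for the name itself (which honours /etc/hosts and a local dnsmasq) with what a public resolver returns, which is the only view that matters for an http-01 challenge. The resolver address 1.1.1.1 and the 203.0.113.10 address in the comments are assumptions chosen for the example; the DNS-01 case, where the name need not resolve at all, is not modelled.

```python
import socket
import struct

def build_query(fqdn, txid=0x1234):
    # Minimal A-record query in DNS wire format: RD set, one question, class IN.
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
def _skip_name(buf, off):
    # Step over a name: a 0xC0.. compression pointer is two bytes, a 0 label ends it.
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)
def parse_a_records(resp):
    # IPv4 answers; [] when RCODE is non-zero (e.g. 3 = NXDOMAIN: no public answer).
    flags, qdcount, ancount = struct.unpack("!HHH", resp[2:8])
    if flags & 0x0F:
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips
def public_lookup(fqdn, resolver="1.1.1.1", timeout=3.0):
    # Ask a public resolver directly, bypassing /etc/hosts and any local dnsmasq.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(fqdn), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)
def preflight(fqdn, resolver="1.1.1.1"):
    # The host's own view (which honours /etc/hosts) versus the public view.
    try:
        local = socket.gethostbyname(fqdn)
    except socket.gaierror:
        local = None
    try:
        public = public_lookup(fqdn, resolver)
    except (OSError, struct.error, IndexError):
        public = []
    # http-01 needs a public A (or AAAA) record; a local-only mapping is not enough.
    return {"local": local, "public": public, "http01_possible": bool(public)}
```

A name that only exists in /etc/hosts shows up as `local` set and `public` empty, which is exactly the situation in which Certbot reports "Challenge failed" for http-01.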

Thanks a lot for your answers. I don't have more questions. Kindly close this ticket! Have a nice day!


Cheers from Miami :beers:
#FreeCuba


Hi @TerryHu82,

I just want to supplement @rg305's explanation by pointing out that this restriction doesn't come from Certbot, but rather from the Let's Encrypt certificate authority. In turn, this restriction is applicable to every publicly-trusted certificate authority due to industry rules from the CA/Browser Forum.

So, no publicly-trusted certificate authority would be permitted to give you a certificate for a domain name that you don't control (as a globally-unique name). That is part of the meaning of obtaining a publicly-trusted certificate today—it's a confirmation that you, and typically only you, control the specific name or names included in the certificate, or are authorized to use those specific names to provide services to the public on the Internet.
