I am very new to certbot. I just want to ask a simple question. I'm trying to provide a certificate from certbot. I do not own a domain. I just want to use a dummy domain. But it looks like certbot only accepts publicly registered domains? So I could not use certbot in this case, right? I have to use a self-signed certificate. Correct me if I am wrong.
The operating system my web server runs on is (include version):
RHEL 7.4
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0
Hi @TerryHu82, and welcome to the LE community forum.
"domain ownership" may be an overstatement.
But certainly, if you own a domain you can get a cert for it.
But the opposite is not always the case.
What I mean is that even if you don't own a domain you may still be able to get a cert, so long as you can show sufficient control over that particular FQDN.
That is the case when public domains are used.
See: DDNS DDNS service providers
In short, yes it has to be a publicly resolvable FQDN (domain), but it doesn't have to be owned by you.
Thanks a lot for your quick reply! So even if I set the IP-hostname mapping in the local /etc/hosts, which makes the FQDN ping succeed, that won't work, right? (Because the FQDN check is done on the Internet, not locally, right?)
What if I use dnsmasq or another DNS server to set up a local DNS server, this will still not work, right?
In short, for developers who want to use certbot to generate a certificate, it must be:
A1. Yes* (depending on the authentication method, it may also need to be connected to [from the Internet]).
A2. Yes* (must always be from a publicly registered domain - although if using DNS auth, it doesn't have to resolve to any IP.).
I just want to supplement @rg305's explanation by pointing out that this restriction doesn't come from Certbot, but rather from the Let's Encrypt certificate authority. In turn, this restriction is applicable to every publicly-trusted certificate authority due to industry rules from the CA/Browser Forum.
So, no publicly-trusted certificate authority would be permitted to give you a certificate for a domain name that you don't control (as a globally-unique name). That is part of the meaning of obtaining a publicly-trusted certificate today—it's a confirmation that you, and typically only you, control the specific name or names included in the certificate, or are authorized to use those specific names to provide services to the public on the Internet.