Proof-of-control from parent domain


#1

Hi,

I’m part of a big company with a root domain: mycompany.com
Inside this company, there are many hostnames, not reachable from the internet. For instance, a developer’s machine is named machine_name.mycompany.com.
We are developing mobile webapps with HTTP/2 and we need to test them from an iPad. The iPad connects to the developer’s machine. Unfortunately, since we cannot install a Cert Authority on the iPad for Safari to use it, we have to get a valid signed certificate for every developer’s machine for the iPad to trust the service running on the dev’s machine.
It is not possible to give the company’s wildcard to every developer, nor to buy one certificate for every machine.
I saw Let’s Encrypt as a solution until I found out that the subdomain should be accessible from the internet using HTTP for proof-of-control.
Is it possible to get a proof-of-control for a subdomain from the parent domain that runs an HTTP server?

Thanks


#2

At least someone has managed to install corporate CA certificates onto an iPhone or iPad?

But even if that’s not possible: you’re saying the HTTP server of the parent domain can serve content for the subdomains? If so: it’s very well possible, indeed. Run the client in manual mode and set your parent domain HTTP server up in such a way that the challenge for the specified subdomain is specifically accessible on that subdomain and you should be good to go. Keyword here is manual mode :wink:


#3

Indeed it is possible to install certificates on iOS devices, but not in the system keychain, which is the only one used by Safari. Therefore, Safari cannot see manually installed certificates.
The HTTP server of the parent domain does not serve for subdomains.
Moreover, as subdomains are not registered in my company’s public bind9 configuration, those subdomains are not visible from outside the company.


#4

Any news on this? Thanks


#5

I don’t think this is possible: Let’s Encrypt needs proof you have control over those subdomains. Having just the parent domain isn’t enough. If those subdomains aren’t accessible from the WWW, how should Let’s Encrypt know you own them?


#6

Are there concrete examples where a parent domain’s owner has no control over subdomains?
Maybe I’m missing something here. I remember buying a certificate for a subdomain at Comodo with proof-of-control on the parent domain.


#7

I’d like an answer too.

I’ve got a different use: automated devices behind NAT.

Let’s say I make a printer or NAS box or a network-controlled toaster. I (the manufacturer) own toasters.com and sell toasters in a shop.

When a customer plugs his toaster into the network, it would register itself on toasters.com and become device123.toasters.com; toasters.com will publish an A entry pointing to the device address in the LAN.

toasters.com can make any required setup on Let’s Encrypt in advance.

Could such a device possibly get a certificate from Let’s Encrypt, or is that clearly outside of the issuance policy?


#8

Note that private IP addresses SHOULD NOT appear in public DNS, and that some ISPs filter them.

Moreover, you should consider using dns-01 validation, which does not require any device to be reachable from the internet.
dns-01 validation is currently implemented in some alternate clients such as letsencrypt.sh.

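Both validation paths discussed in this thread (http-01 in manual mode in #2, dns-01 in #8) are built from the same key authorization string defined in RFC 8555, so it is worth seeing how the values are derived. The Python below is an added illustration and is not code from the thread or from any Let’s Encrypt client; the account JWK, the token and the hostname are constructed placeholders. It computes the http-01 response body, the `_acme-challenge` TXT record value for dns-01, and checks a TXT record the way the CA does. For an intranet host, dns-01 only needs that TXT record to be resolvable from the public DNS; the host itself never needs a public A record or an internet-reachable port.

```python
"""ACME challenge material for http-01 and dns-01 (RFC 8555, JWK thumbprint per RFC 7638).

Added example; not code from the thread or from any Let's Encrypt client.
"""
import base64
import hashlib
import hmac
import json

# Constructed placeholder values: a fake RSA account key (JWK) and a fake
# challenge token. Real tokens and keys come from the ACME server and client.
EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "constructed-modulus-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",  # optional member: must NOT be part of the thumbprint
}
EXAMPLE_TOKEN = "constructed_example_token_0123456789abcdef"
EXAMPLE_HOST = "machine_name.mycompany.com"  # placeholder hostname


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JWK, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """http-01: the exact body served at http://<host>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(hostname: str) -> str:
    """dns-01: the TXT record is published under _acme-challenge.<hostname>."""
    return f"_acme-challenge.{hostname}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01: TXT value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(txt_records: list, token: str, jwk: dict) -> bool:
    """CA-side check: at least one TXT record must equal the expected digest.

    Constant-time comparison on bytes so odd record contents cannot raise.
    """
    expected = dns01_txt_value(token, jwk).encode("ascii")
    return any(hmac.compare_digest(r.encode("utf-8"), expected) for r in txt_records)


if __name__ == "__main__":
    # What the client would serve for http-01 (needs the host reachable on port 80):
    print("http-01 body:", key_authorization(EXAMPLE_TOKEN, EXAMPLE_JWK))
    # What the client would publish for dns-01 (needs only a public TXT record):
    name = dns01_record_name(EXAMPLE_HOST)
    value = dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
    # Simulated CA lookup against a zone holding a stale record plus the fresh one:
    zone = ["stale-value-from-a-previous-order", value]
    print("dns-01 validates:", validate_dns01(zone, EXAMPLE_TOKEN, EXAMPLE_JWK))
```

The `alg` member is deliberately present in the placeholder JWK to show that the thumbprint covers only the required members; including optional members would produce a different thumbprint and every challenge would fail. Leaving old `_acme-challenge` records in the zone does not break validation, as the check accepts any matching record, but cleaning them up keeps the zone from growing with each renewal.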

#9

Thanks, Nit;

DNS validation makes perfect sense for this use-case!