I have Symantec Bluecoat Proxysg and I can create CSR from it. Is it possible to get it signed from Lets Encrypt?
I have gone through ways to create SSL certificate in LE but those need DNS or HTTPS validation which is not possible here. How can i get CSR (from Symantec ProxySG device) signed by LE?
Hi @unmesh,
It isn't possible to issue a certificate for a domain name that you aren't able to validate with either HTTP-01, DNS-01 or TLS-ALPN-01.
Depending on the content of the CSR it may be possible to use an ACME client to issue a Let's Encrypt certificate using that CSR, but only after passing one of the above domain validation challenges.
Can you help explain why none of the above validation methods are possible?
Hello @cpu
Thanks for response.
We have environment where we have Symantec ProxySG device which communicates with external domains. Now LE SSL certificate trusted by majority so if I create CSR from proxy device and LE can sign it. Proxy can communicate with external domain with this CA.
We have AD and DNS server.I can add one Linux server. How can I validate our domain by any of the above method? Is there any way I can do that? We are not hosting any website. Proxy device as a client connect with external domain (act as server) Please help.
This is not possible.
You can’t get valid certificates for domains you don’t control, neither from Let’s Encrypt nor from any other publicly trusted CA. Furthermore, Let’s Encrypt certificates can’t be used to sign other certificates.
Those proxy devices are intended to be used with a private CA that is internal to your organisation.
1 Like
@jmorahan is correct (thanks!) - there's no way to achieve what you want using Let's Encrypt certificates (by design).
I have control on domain. We are owning it. But its internal domain created on AD which is not accessible\exposed to Internet.
So do you mean for a internal domain I cannot get certificate from LE or any other public CA. Domain must be accessible from Internet for validation for LE or any public CA.
Again, my understanding of how that device works is that it needs a certificate that can sign other certificates, which you can’t get from Let’s Encrypt whether you control the domain or not. But yes, what you said is also correct: if you want to obtain a Let’s Encrypt certificate (or any publicly trusted certificate) for one of your own domains, the domain must be accessible from the Internet. (Which is to say: you must be able to control the public DNS records for the domain, or the servers that they point to must be publicly accessible and under your control).
Of course, even if you could get a valid certificate for your AD domain, it would only be valid for connections to that domain. I’m not sure if that’s what you’re hoping for.
Hi @Unmesh
what's your domain name? Share your domain name and share the created CSR.
If the domain name is worldwide unique and if the domain name ends with a public suffix, you should be able to create a certificate via dns-01 validation.
So this
may be wrong.
http-01 challenge -> webserver is required.
dns-01 challenge -> only a dns entry is required.
@JuergenAuer
Thank you.
Domain name: *.rb.net
May I know where to send CSR? or shall I upload it here?
That looks good. Checked via https://check-your-website.server-daten.de/?q=rb.net
There is no ip address defined:
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| rb.net | A | yes | 1 | 0 | |
| AAAA | yes | ||||
| www.rb.net | Name Error | yes | 1 | 0 |
The www version doesn't exist, but the non www version is ok. You see, there is no "Name Error".
The name servers:
Domain Nameserver NS-IP
www.rb.net
• a4.nstld.com
rb.net
• a4.nstld.com
209.112.113.33 •
•
2001:500:7967::2:33 •
• f4.nstld.com
209.112.114.33 •
•
2620:74:19::33 •
• g4.nstld.com
69.36.145.33 •
•
2001:502:cbe4::33 •
• l4.nstld.com
209.112.113.33 •
•
2001:500:7967::2:33 •
So if you use certbot (from any internal machine), dns-01 + manual should always work.
Try
certbot certonly --manual -d rb.net -d *.rb.net
Perhaps that "Symantec Bluecoat Proxysg" doesn't support wildcard or there is another error. But you can create the CSR via Certbot.
1 Like
Thank you @JuergenAuer
we have installed certbot. But it gives following error. We choose standalone option,
IMPORTANT NOTES:
-
The following errors were reported by the server:
Domain: xxxxx.cicn.rb.net
Type: connection
Detail: dns :: DNS problem: NXDOMAIN looking up A for
awdevirlppxy01.cicn.rb.net
To fix these errors, please make sure that your domain name wasentered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[root@ip-172-21-11-95 ~]# certbot certonly --manual^C
Is this
your domain name? That domain doesn't exist ( https://check-your-website.server-daten.de/?q=awdevirlppxy01.cicn.rb.net ):
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| awdevirlppxy01.cicn.rb.net | Name Error | yes | 1 | 0 | |
| www.awdevirlppxy01.cicn.rb.net | Name Error | yes | 1 | 0 |
If you use standalone, there must be an A- or AAAA record domain name -> ipv4 or ipv6 address.
I tried to create with rb,net as well. This domain exist.But gives same error.
Does standalone domain also need need entry in public DNS? I cant use private domain as standalone?
If not, rb.net is registered but still gives same error.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.