I have a question. I am a student developer at a university and I have to set up an ERP system on a server within the network of our university. You can only reach it through the VPN, with which you connect to the network of the university. We are running an MS Dynamics server on the server and I can set a redirection from http to https, so the website should be safe. Now, how do I order a certificate, as this is not a publicly available website with a bought domain name, but a website within a specific network? I need this because some web browsers do not even give you the option to enter a website without a certificate, but we will have to ensure that every student is able to connect to the server once they are in the VPN.
Would be nice if anyone could help me out as I am a bloody beginner regarding SSL certificates.
My domain is: the IP of the VM/Server Instance (can't publish this now)
I ran this command: X
It produced this output: X
My web server is (include version): X
The operating system my web server runs on is (include version): Windows Server 2022 21H2
My hosting provider, if applicable, is: X
I can login to a root shell on my machine (yes or no, or I don't know): Yeah, I guess
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): X
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): X
Not quite clear if you do indeed have control of DNS for your domain, do you even have a domain?
Let's say for example your university has the internet domain myuni.ac.uk and you want your system to be hosted as dynamics.intranet.myuni.ac.uk and you want people to access it using https://dynamics.intranet.myuni.ac.uk.
For this to work you need to have enough access to the DNS control panel for the myuni.ac.uk domain so you can both create the named record (dynamics.intranet) for people to access your site, and answer DNS challenges, e.g. setting a TXT record such as _acme-challenge.dynamics.intranet in your DNS control panel with a specific value every time the cert needs renewing, which in turn proves you have some administrative control over the (public internet) domain.
If you can't do any of that, then you can't get a publicly trusted certificate from Let's Encrypt (because they require public verification of your domain).
I haven't tried it with Dynamics myself but assuming it's an IIS server, try https://cerifytheweb.com (which I develop) as you may find it useful/easier compared to some other methods of automatically renewing the cert.
I don't think that's established. One of these statements is not true, either this one:
or this one:
@WhiteOrb, an IP address isn't a domain name. You must be using a real domain name that you control in order to get a certificate from Let's Encrypt. If you are, and the host is not accessible from the public Internet, then as @9peppe says, you can get a cert using DNS validation. That will require you to create a DNS record when you issue the cert, and every time you renew the cert, which as a practical matter means that you'll need to be able to automate it.
Yeah, so you mean run the DNS server for dynamic subdomain so you don't have to regularly mess with the primary zone DNS.
Another option to remember is using CNAME redirection to a domain you control, so _acme-challenge.dynamics.intranet.myuni.ac.uk can point to some other domain or subdomain in DNS you control, then you can complete validation using that. There are also acme-dns type DNS challenge delegation options.
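A worked illustration of the DNS-01 flow described in the two posts above (the `_acme-challenge` TXT record and CNAME delegation to a zone you control), as an added example in Python that is not from the thread or from any ACME client; the key, token, host name and validation zone are constructed placeholders, and the "DNS" is two dictionaries standing in for real zones.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    # ACME (RFC 8555) uses base64url without '=' padding everywhere
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    # keyAuthorization = token '.' thumbprint; TXT value = base64url(SHA-256(keyAuthorization))
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())

def challenge_name(fqdn: str) -> str:
    return "_acme-challenge." + fqdn.rstrip(".")

def resolve_txt(name: str, cnames: dict, txts: dict, max_hops: int = 8) -> list:
    # Follow CNAMEs the way a validating CA would, then read TXT at the final name
    for _ in range(max_hops):
        if name in cnames:
            name = cnames[name]
        else:
            return txts.get(name, [])
    return []  # CNAME loop or chain too long: treat as no answer

def dns01_satisfied(fqdn: str, token: str, jwk: dict, cnames: dict, txts: dict) -> bool:
    return dns01_txt_value(token, jwk) in resolve_txt(challenge_name(fqdn), cnames, txts)

# Constructed sample data (not a real key and not a real challenge token)
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "x" * 43, "y": "y" * 43, "use": "sig"}
SAMPLE_TOKEN = "constructed-token-Dt3juxGJ-PCt92wr-oA"
HOST = "dynamics.intranet.myuni.ac.uk"
# The university zone only holds a CNAME; the TXT lives in a zone the admin controls
CNAMES = {challenge_name(HOST): "dynamics-acme.validation.example.org"}
TXTS = {"dynamics-acme.validation.example.org": [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)]}

if __name__ == "__main__":
    print(challenge_name(HOST), "->", CNAMES[challenge_name(HOST)])
    print("TXT value:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("validation passes:", dns01_satisfied(HOST, SAMPLE_TOKEN, SAMPLE_JWK, CNAMES, TXTS))
```

The CNAME stays fixed in the university zone, so renewals only ever touch the delegated zone's TXT record; a stale or wrong value simply fails validation rather than breaking the main zone.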
Yeah sorry, that is a language barrier for me. I don't have a domain as such, I just have an IP address with a "Path Direction" -> example: 192.123.291.89.1/Server_0 (just an example) from which students, who are in the network of our university, can access the system.
Btw thank you all for your active and quick replies! Really appreciate it!
I see... So what would be the solution? Is it possible to get a domain (+ certificate then) for this but also let it stay in the university network so that only students can access it? That would be the DNS thing, right?
As I stated before, a website in some browsers cannot be opened if you do not have a certificate. So the students are in the VPN and can log into our ERP system from Microsoft via web browser. That is the whole point. But although the protocol is set to https, without a certificate it is an "unsafe website" for some browsers.
Yes, but it doesn't matter. The encryption happens above this.
If you still want a certificate, get a domain (even a free one from duckdns.org, or better, some subdomain from your university) and use an acme client (certbot or acme.sh come to mind) with the appropriate dns plugin to obtain your certificate.
(set the ipv4 for the domain, otherwise you'll have the certificate but nobody will be able to connect)
But it does, in that the users are going to see warnings about the lack of encryption. And if this is something for general student use, that's likely an unacceptable situation, even if the browsers are wrong.
If the client system explicitly trusts a university CA, then the university can issue you a cert for the IP.
If any client system won't trust a university CA, then you must use a globally trusted CA [like LE].
And meet all the requirements to be issued a cert from that CA.
In this case, an IP (as a name) does not meet the minimum requirements.