SSL certificate within a university network (can only be reached if you are on the VPN)

Hello there,

I have a question. I am a student developer at a university and I have to set up an ERP system on a server within the network of our university. You can only reach it through the VPN, with which you connect to the network of the university. We are running an MS Dynamics server on the server and I can set a redirection from http to https, so the website should be safe. Now, how do I order a certificate, as this is not a publicly available website with a purchased domain name, but a website within a specific network? I need this because some web browsers do not even give you the option to enter a website without a certificate, but we will have to ensure that every student is able to connect to the server once they are on the VPN.

Would be nice if anyone could help me out, as I am a bloody beginner regarding SSL certificates.

Kind regards!

My domain is: the IP of the VM/Server Instance (can't public this now)

I ran this command: X

It produced this output: X

My web server is (include version): X

The operating system my web server runs on is (include version): Windows Server 2022 21H2

My hosting provider, if applicable, is: X

I can login to a root shell on my machine (yes or no, or I don't know): Yeah, I guess

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): X

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): X

Is it a publicly available domain, but with a host not reachable from the world wide web? Or is even the domain name not public?


Rather the first instance. It is a domain (IP of our server + / + instance name) the students will get. It is just not available via WWW, but via VPN connection.

You can use dns-01 validation, then.

I hope your DNS provider has an API to update your txt records.


Hey,

if you have time, can you explain what that means?

You can validate your domain with Let's Encrypt by adding a TXT record on _acme-challenge.yourdomainname.tld

It's the only verification method that works when your server is not publicly reachable (but your domain is a public one).

You need an API to update the record because you must do so every 60-90 days and it's strongly recommended you automate renewals.


Not quite clear if you do indeed have control of DNS for your domain. Do you even have a domain?

Let's say for example your university has the internet domain myuni.ac.uk and you want your system to be hosted as dynamics.intranet.myuni.ac.uk and you want people to access it using https://dynamics.intranet.myuni.ac.uk.

For this to work you need to have enough access to the DNS control panel for the myuni.ac.uk domain so you can both create the named record (dynamics.intranet) for people to access your site, and answer DNS challenges, e.g. setting a TXT record such as _acme-challenge.dynamics.intranet in your DNS control panel with a specific value every time the cert needs renewing, which in turn proves you have some administrative control over the (public internet) domain.

If you can't do any of that, then you can't get a publicly trusted certificate from Let's Encrypt (because they require public verification of your domain).

I haven't tried it with Dynamics myself, but assuming it's an IIS server, try https://certifytheweb.com (which I develop), as you may find it useful/easier compared to some other methods of automatically renewing the cert.


I don't think that's established. One of these statements is not true, either this one:

or this one:

@WhiteOrb, an IP address isn't a domain name. You must be using a real domain name that you control in order to get a certificate from Let's Encrypt. If you are, and the host is not accessible from the public Internet, then as @9peppe says, you can get a cert using DNS validation. That will require you to create a DNS record when you issue the cert, and every time you renew the cert, which as a practical matter means that you'll need to be able to automate it.


Yeah, but don't scare them. Enough can also be:

# in the intranet.myuni.ac.uk. zone
dynamics ttl in NS something
something ttl in A some_public_ip

# in the dynamics.intranet.myuni.ac.uk.
everything else.

Indeed.


Yeah, so you mean run the DNS server for the dynamics subdomain so you don't have to regularly mess with the primary zone DNS.

Another option to remember is using CNAME redirection to a domain you control, so _acme-challenge.dynamics.intranet.myuni.ac.uk can point to some other domain or subdomain in DNS you control, then you can complete validation using that. There are also acme-dns type DNS challenge delegation options.

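A worked example of the dns-01 mechanics discussed in the replies above (the TXT record on _acme-challenge.<name>, and the CNAME delegation of that name to a zone you control). This is added here for illustration; it is not code from the thread, from Let's Encrypt, or from any of the clients mentioned. The account key, the token and the DNS records are constructed stand-ins (names under myuni.ac.uk from the thread's own example, plus the reserved domain example.net), and the dictionary-based lookup is a stand-in for a real resolver.

```python
"""dns-01 validation worked through offline.

Added example, not from the original thread.  Shows (1) how an ACME client
derives the TXT value for _acme-challenge.<name> from the challenge token
and the account key (RFC 8555 section 8.4, RFC 7638 JWK thumbprint), and
(2) how to find, from a set of DNS records, where that TXT record must be
published when _acme-challenge.<name> is CNAME-delegated elsewhere.
All keys, tokens and records below are constructed for illustration.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, keys sorted,
    no whitespace.  Extra members such as 'kid' or 'alg' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_record_name(hostname: str) -> str:
    """Owner name the CA queries: _acme-challenge prepended to the host."""
    return "_acme-challenge." + hostname.rstrip(".").lower()


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.4: key authorization is token '.' thumbprint; the TXT
    rdata is base64url(SHA-256(key authorization))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def publish_target(name: str, records: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs from `name` the way a validating CA's resolver would,
    and return the owner name at which the TXT record must really exist.
    `records` maps owner name -> (rrtype, rdata); a constructed stand-in
    for DNS.  A name with no CNAME is its own publish target."""
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        rr = records.get(current)
        if rr is None or rr[0] != "CNAME":
            return current
        current = rr[1].rstrip(".").lower()
    raise ValueError("CNAME chain too long: " + name)


# Constructed ACME account key (JWK).  A real client generates and stores
# this; the coordinate values here are fabricated, not a real P-256 point.
EXAMPLE_ACCOUNT_KEY = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example.net/acct/1",   # ignored by the thumbprint
}

# Constructed DNS data mirroring the CNAME delegation suggested above:
# the challenge name in the university zone points at a zone the developer
# controls, so renewals never touch the myuni.ac.uk zone again.
EXAMPLE_RECORDS = {
    "dynamics.intranet.myuni.ac.uk": ("A", "10.20.30.40"),   # VPN-only address
    "_acme-challenge.dynamics.intranet.myuni.ac.uk":
        ("CNAME", "dynamics.acme-dns.example.net."),
}


def plan_validation(hostname: str, token: str, account_jwk: dict, records: dict):
    """Return (owner name to publish at, TXT value) for one dns-01 challenge."""
    query_name = challenge_record_name(hostname)
    return publish_target(query_name, records), dns01_txt_value(token, account_jwk)


if __name__ == "__main__":
    # 'tok-constructed' stands in for the token the CA hands out per challenge.
    owner, value = plan_validation("dynamics.intranet.myuni.ac.uk",
                                   "tok-constructed", EXAMPLE_ACCOUNT_KEY,
                                   EXAMPLE_RECORDS)
    print(f"CA will query TXT at: "
          f"{challenge_record_name('dynamics.intranet.myuni.ac.uk')}")
    print(f"Publish TXT at:       {owner}")
    print(f"TXT rdata:            {value}")
```

The point of `publish_target` is the delegation trick from the post above: the CA follows the CNAME, so the record with the computed value goes into the delegated zone (here the constructed dynamics.acme-dns.example.net), and the university's own zone only ever needs the one-time CNAME. The TXT value changes on every issuance because the token does, which is why the thread keeps stressing automation.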

Yeah sorry, that is a language barrier for me. I don't have a domain as such, I just have an IP address with a "path direction" -> example: 192.123.291.89.1/Server_0 (just an example) from which students who are in the network of our university can access the system.

Btw, thank you all for your active and quick replies! Really appreciate it!

Ok, you can't get a public certificate for an (internal) IP address.

You can use a self-signed certificate (users would have to accept it) or you can use a real hostname on a real internet domain.


I see... So what would be the solution? Is it possible to get a domain (+ certificate then) for this but also let it stay in the university network so that only students can access it? That would be the DNS thing, right?

It's not something you should do without understanding it fully.

I don't really understand why you need TLS inside an already encrypted VPN.


I stated it before: because a website in some browsers cannot be opened if you do not have a certificate. So the students are on the VPN and can log into our ERP system from Microsoft via web browser. That is the whole point. But although the protocol is set to https, without a certificate it is an "unsafe website" for some browsers.

Yes, but it doesn't matter. The encryption happens above this.

If you still want a certificate, get a domain (even a free one from duckdns.org, or better, some subdomain from your university) and use an acme client (certbot or acme.sh come to mind) with the appropriate dns plugin to obtain your certificate.

(set the IPv4 address for the domain, otherwise you'll have the certificate but nobody will be able to connect)


But it does, in that the users are going to see warnings about the lack of encryption. And if this is something for general student use, that's likely an unacceptable situation, even if the browsers are wrong.


That is exactly the point! And the reason why the university gave me the task to look after a solution for a certificate.

Well, the primary condition is to have a domain which is publicly available to the world wide web. I.e.: a query for a DNS resource record from anywhere in the world needs to produce a valid answer.

If that condition isn't met, all bets are off to begin with.


If the client systems explicitly trust a university CA, then the university can issue you a cert for the IP.
If any client system won't trust a university CA, then you must use a globally trusted CA [like LE].
And meet all the requirements to be issued a cert from that CA.

In this case, an IP (as a name) does not meet the minimum requirements.
