SSL for split DNS

I volunteered to put together a website for a small, non-profit fan club. They had been using one host to deal with email for the domain (another freebie) and a separate one for the website. When I took over, I offered to deal with the email as well, but it was refused. So the DNS is split with email going one way and website the other. This means I can't use the free SSL Certificate normally offered by the host. For the past few years, I've been using ZeroSSL to generate a 90-day certificate for free and uploading the code for Certificate, Key and CA Bundle / Intermediate Certificate via Cpanel. Now ZeroSSL have stopped offering this option and want money!

I have been told LetsEncrypt will allow me to do this via a "DNS-01 challenge". I looked this up: letsencrypt.org/t/ssl-certificate-for-non-hosted-domain and am none the wiser.

I am after step-by-step instructions on how to do this. With ZeroSSL, I just added the domain name, verified the domain and it generated code. LetsEncrypt is completely impenetrable. I've searched YouTube and all sorts. My computer-boffin friend who provides the webspace for free also doesn't know how to do it.

My domain is: ZZ9.org
My web server is (include version): ?
The operating system my web server runs on is (include version): ?
My hosting provider, if applicable, is: 20i
I can login to a root shell on my machine (yes or no, or I don't know): don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Don't know what you mean.
I'm running php 8.1

1 Like

That's not necessary. Email and websites either use different DNS resource records (RR) (e.g. the "MX" RR for email, pointing to e.g. mx.example.com) or use different hostnames (e.g. smtp.example.com or imap.example.com for SMTP/IMAP respectively compared to www.example.com for the website).

If the hostname of the website is pointing to the server doing the webserving (which it usually does) and it is publicly reachable, then you should be able to get a certificate using the http-01 challenge.

I have not heard of the control panel named "Yes"?

That said, if you're on shared hosting (and don't have a VPS with root access), then you're often limited by what your hosting provider offers you. Maybe you could use CertSage? See CertSage ACME client (version 1.4.1) - easy webpage interface, optimized for cPanel, no commands to type, root not required for more info.

3 Likes

Ah, sorry, CPanel.

If you email person@example.com, it will go to whatever server is looking after the email and then gets forwarded to the recipient who might be at person@gmail.com. The person who looks after the email, also gifts them the domain registration.

If you visit example.com, you get the website which I look after via 20i. Looking back through old emails (May 2020), it seems that the email/domain name person was told to change/add DNS records in the following way:

example.com: A (IP address)
www.example.com: A (IP address)

And that is how web traffic comes to the site I set up.

I hope that makes sense. I set it up four years ago, then got on with the rest of my life and it's hard to remember what happened.

2 Likes

Tried that... doesn't seem to work? This was trying to acquire a staging certificate.

1 Like

Welcome to the Let's Encrypt Community @Volunteer! :slightly_smiling_face:

(As a side note, bravo! I can't believe that name wasn't already taken.)

Author of CertSage here. Yeah, several people including myself have run into that problem lately due to some changes Let's Encrypt made that elongated the timing a bit. Try the certsage.txt mentioned in this post and let me know what happens:

4 Likes

Thanks for your offer of help. I'm sorry, but I can't see the certsage.txt mentioned in the post you linked to. Is it different to the one in the link provided by Osiris?

3 Likes

doh! :man_facepalming:

Wrong link. I'll fix now.

Edit:
I fixed the link.

(This is what happens when one is too many places at once.)

It contains a minor tweak to the v1.4.1 official release. I'm thinking of making it permanent as v1.4.2.

5 Likes

Thanks for that. I got success with the staging certificate, but when I tried the production certificate, I got the following TROUBLE:

Trouble...

urn:ietf:params:acme:error:unauthorized
185.151.30.165: Invalid response from http://www.zz9.org/.well-known/acme-challenge/fxxCPeoeg_iTSrOuipyCnyGr38hJKECIR2kde1Ga-_Y: 502

2 Likes

As a positive note, you absolutely can get a cert for mail.example.com if that's the mail subdomain pointed at a cPanel hosting instance for example.com.

2 Likes

Hmmm... let me take a look. :thinking:

2 Likes

It's generated a private key, but not the other two pieces of code.

Thanks for your help!

2 Likes

A 502 error usually means some kind of CDN that can't reach the origin webserver.

In the headers, I see the following:

x-provided-by: StackCDN

What's "StackCDN"?

2 Likes

I login to the service via stackcp.com

1 Like

Which service exactly? And how does "StackCP" differ from the earlier mentioned cPanel?

2 Likes

This is kind of challenging my knowledge here. But the webhosting company is 20i. I go to stackcp.com, log in and get a list of my websites. I then click to manage those websites and it takes me to the cPanel for that site.

2 Likes

I concur, @Osiris.

@Volunteer

Your CDN (StackCDN) is configured to try to validate the backend certificate (SSL connection between your server and the CDN). Since that cert is expired, you're getting the 502. You'll need to "relax" that configuration to update your cert.

3 Likes
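An added pre-flight check (example code written for this thread, not CertSage's or 20i's code) that fetches the challenge URL the way the Let's Encrypt validator does and classifies the responses discussed above, including the 502 coming back from the CDN. The domain, token and expected key authorization are placeholders you supply from your own ACME client run.

```python
# Added example: mimic the validator's plain-HTTP fetch of an HTTP-01
# challenge file and explain the common failure modes seen in this thread.
import urllib.error
import urllib.request


def diagnose(status, headers, body, expected):
    """Turn a response to the challenge URL into a one-line verdict.

    headers: dict with lower-cased header names.
    expected: the key authorization the ACME client wrote into the file.
    """
    edge = headers.get("x-provided-by") or headers.get("server") or "unknown"
    if status == 502:
        return ("502 from the edge ({}): the CDN/proxy could not reach or "
                "would not trust the origin; check the CDN's origin TLS "
                "setting (e.g. an expired origin cert) before retrying"
                .format(edge))
    if status == 404:
        return ("404: challenge file not served; check the document root "
                "and that /.well-known/acme-challenge/ is not blocked")
    if status != 200:
        return "HTTP {} from {}: the validator requires 200".format(status, edge)
    if body.strip() != expected:
        return "200 but the body does not match the key authorization"
    return "OK: challenge would validate"


def check(domain, token, expected, timeout=10):
    """Fetch http://<domain>/.well-known/acme-challenge/<token> like the CA.

    urllib follows redirects (also to https), as the validator does.
    """
    url = "http://{}/.well-known/acme-challenge/{}".format(domain, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            body = resp.read().decode("utf-8", "replace")
            return diagnose(resp.status, hdrs, body, expected)
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        body = err.read().decode("utf-8", "replace")
        return diagnose(err.code, hdrs, body, expected)
    except (urllib.error.URLError, OSError) as err:
        return "connection failed: {}".format(err)


if __name__ == "__main__":
    # Placeholders: replace with your own domain, token and key authorization.
    print(check("www.example.com", "TOKEN_PLACEHOLDER", "TOKEN_PLACEHOLDER.THUMBPRINT"))
```

Run it against your real domain while the challenge file is in place; a verdict other than "OK" before you ask the CA to validate saves a failed order.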

Okay... how do I do that?

EDIT: There is a "remove" button! That must be it!

Trying again...

2 Likes

Seems to be a good starting reference:

https://www.stackcp.com/services/b6a281ca222e41a2/service-overview

Looks like you can have StackCP generate the certs for you if you're using their nameservers?

https://www.stackcp.com/services/b6a281ca222e41a2/security/ssl-tls

Edit: Just reread your initial post. Split DNS. Gotcha. Hence why you're using CertSage.

3 Likes

CertSage will require your mail subdomain(s) to be pointed at your cPanel. Just a note. I think they are.

2 Likes

Any luck, @Volunteer?

2 Likes