Sub-domain validation


#1

Hi,

I am new to Let’s Encrypt and am considering using it for a project where I would have to issue a certificate for a specific sub-domain without having direct access to the top-level domain’s DNS servers themselves.

So, for example, I would want to issue a certificate for test.example.com, and I could pass a challenge for a file hosted on test.example.com but not on example.com (because another team controls the top-level domain).

Question is, does the ACME protocol allow for validation to be done on the sub-domain for which the certificate was requested or is it always done from the top-level domain no matter what?

Thanks,

F.


#2

I believe all validations are done on the exact/complete FQDN(s) requested - not on the base domain.


#3

Yes, validations are all performed on the specific domain requested. The only reason you would not be able to receive a certificate for a subdomain is if a higher level domain has a CAA record prohibiting Let’s Encrypt from issuing certificates for that domain.


#4

Great, thanks for confirming!


#5

I think @jsha also said that, somewhat counterintuitively in terms of what we might expect from DNS hierarchy, you are allowed to override that CAA record with a more-specific CAA record permitting the issuance.


#6

Yep, although this is unlikely to affect the original poster. :slight_smile: Details at https://letsencrypt.org/docs/caa/ for whoever is interested.
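To make the CAA behaviour from the last two posts concrete, here is an added example (not code from the thread or from Let’s Encrypt) of how a CA resolves the relevant CAA record set for a requested name: it climbs from the exact FQDN towards the root and stops at the first name that has any CAA records, so a record on test.example.com shadows one on example.com. The zone data is constructed for the illustration, and DNS lookups are replaced by a dictionary so it runs offline; the treatment of an RRset with no issue/issuewild tags as permitting issuance is an assumption about common CA behaviour, not something the thread states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128  # issuer-critical flag bit in a CAA record


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data for the example (hypothetical, not real DNS).
ZONE: Dict[str, List[CAARecord]] = {
    # The top-level team only allows another CA ...
    "example.com.": [CAARecord(0, "issue", "digicert.com")],
    # ... but the sub-domain team publishes a more specific record.
    "test.example.com.": [CAARecord(0, "issue", "letsencrypt.org")],
    # "issue ;" forbids every CA.
    "locked.example.com.": [CAARecord(0, "issue", ";")],
    # issuewild applies only to wildcard requests.
    "wild.example.com.": [CAARecord(0, "issue", "digicert.com"),
                          CAARecord(0, "issuewild", "letsencrypt.org")],
    # Critical flag on a tag the CA does not understand.
    "strict.example.com.": [CAARecord(CRITICAL, "unknowntag", "x")],
}


def lookup_caa(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Stand-in for a DNS CAA query against the constructed zone."""
    return zone.get(name, [])


def relevant_rrset(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from fqdn to the root; the first non-empty CAA RRset decides.

    Returns (name the RRset was found at, records); (None, []) if none exist.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = lookup_caa(name, zone)
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """issue/issuewild value is 'issuer-domain [; parameters]'; empty means no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca_domain: str, zone: Dict[str, List[CAARecord]]) -> Tuple[bool, Optional[str]]:
    """Decide whether ca_domain may issue for fqdn (wildcards written as '*.name')."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    found_at, rrset = relevant_rrset(base, zone)
    if not rrset:
        return True, found_at  # no CAA anywhere on the path: unrestricted
    # An issuer-critical record with a tag this CA does not understand blocks issuance.
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False, found_at
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # For wildcard names issuewild wins when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, found_at  # assumption: RRset with no issue restriction permits issuance
    allowed = any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)
    return allowed, found_at


if __name__ == "__main__":
    for name in ("test.example.com", "other.example.com", "deep.test.example.com",
                 "locked.example.com", "*.wild.example.com", "wild.example.com",
                 "strict.example.com", "anything.example.org"):
        ok, at = may_issue(name, "letsencrypt.org", ZONE)
        print(f"{name:26} -> {'allowed' if ok else 'denied':7} (CAA taken from {at})")
```

Note that deep.test.example.com also inherits the test.example.com record rather than the example.com one, so a team that controls a sub-domain can open (or close) issuance for everything beneath it regardless of what the parent publishes, provided nothing in between overrides it again.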


#7

That’s actually very useful to know, especially the part about the sub-domain CAA overriding the top-level CAA; this could come in useful! Thanks for the link to the documentation.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.