Subdomain SSL Cert

Hi, I (a university student) am building a conference web app using Flask (Python) for my university. They pointed a subdomain (conf.university.com) to the IP address of the cloud instance I'm building the app on.
Can I / should I get Certbot running on my cloud instance to get the SSL certificates?
Or does the university have to get certificates for the subdomain (which takes a lot of time)?

Thank You

2 Likes

In theory, that should be possible, yes.

4 Likes

Hi @rahulmoh, welcome to the LE community forum :slight_smile:

It depends on how much control you have on that cloud instance.
If you can install an ACME client, then you should be able to easily get a cert for it.
If you can't install an ACME client, then you might still be able to get a cert if the instance runs PHP.

All that said, there may be other controls that might prevent LE from issuing a cert to that "university" domain. If you provide the actual FQDN, we should be able to confirm if there are any controls in place.

3 Likes

FQDN: chat.waspaa.com

I actually tried getting it but failed with 404s.

I'm running Ubuntu 20.04 on AWS EC2 and I did the following:

  1. Allowed ports 80 and 443 on AWS as well as ufw allow full nginx.
  2. Installed nginx and certbot with the apt command.
  3. sudo certbot --nginx chat.waspaa.com (and)
  4. sudo certbot --nginx -w /var/www/html -d chat.waspaa.com (and)
  5. sudo certbot --nginx --agree-tos --preferred-challenges http -d chat.waspaa.com (and)
  6. sudo certbot --nginx --nginx-sleep-seconds 20 -w /var/www/html -d chat.waspaa.com

I get:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: chat.waspaa.com
  Type:   unauthorized
  Detail: Invalid response from http://chat.waspaa.com/.well-known/acme-challenge/JAfzmv1TC3X95q-itAVxyubuzk4hZ_p35NdB5G4pgDU [162.241.217.240]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"


Uploading the log file
letsencrypt.log.txt (371.4 KB)

Thank you :slight_smile:

Edit: could there be something wrong with the way the Uni forwarded the subdomain?
Or should I let the Uni create the SSL certs for the domain?

1 Like

In order to use -w, you must first state --webroot
So that should be:
sudo certbot --nginx --webroot -w /var/www/html -d chat.waspaa.com

You might want to try that before we continue.
If it should fail, then I would:

  1. confirm the external IP matches the IP found in DNS with:
     curl -4 ifconfig.co
     Name: chat.waspaa.com
     Address: 162.241.217.240
  2. confirm the --webroot used matches the one being used by nginx with:
     sudo nginx -T
     /var/www/html

3 Likes

Nope, this gives me the address of the main domain waspaa.com, but I just saw the nginx index.html I hosted. Does that mean they are only forwarding packets on port 80 to my IP address? Is that even possible? :face_with_raised_eyebrow:

Those are mostly questions only your school IT can answer.

2 Likes

I see your page too.
But I don't think they are "forwarding" it as you would expect.
I think they are "proxying" it to your system.

curl -Iki http://chat.waspaa.com/
HTTP/1.1 200 OK
Date: Wed, 29 Sep 2021 21:07:47 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 28 Sep 2021 06:23:18 GMT
Accept-Ranges: bytes
Content-Length: 620
Vary: Accept-Encoding
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Content-Type: text/html

You claim to be using nginx - that shows an Apache responding.

2 Likes

My AWS server is offline. I think we see Apache because they are using it to show an embedded iFrame that proxies to my_aws_ip, because when I check the source of the page it shows:

  <iframe src="http://my_aws_IP/"></iframe>

Edit: Thank you! Help much appreciated. I will take it up with the Uni IT team.

1 Like
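The two checks from the earlier reply (does DNS point at this host, does the public name actually serve the nginx webroot) together with the iframe wrapper just found, as an added pre-flight script; it is not from the thread or from Certbot. The hostname and webroot are the thread's; the public IP and Server header values used when running it on captured data are constructed placeholders.

```python
"""HTTP-01 pre-flight: would the CA reach my webroot through the public name?
Added example (not from the thread or from Certbot). Network helpers use only
the standard library; diagnose() is pure so it can be run on captured values.
"""
import os
import re
import socket
import urllib.error
import urllib.request

IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=", re.IGNORECASE)


def resolve_a_records(fqdn):
    """Every IPv4 address the resolver returns for the name (e.g. chat.waspaa.com)."""
    return sorted(set(socket.gethostbyname_ex(fqdn)[2]))


def fetch(url):
    """GET over plain HTTP; return (status, Server header, first 2 KiB of body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.headers.get("Server", ""), r.read(2048).decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server", ""), e.read(2048).decode(errors="replace")


def check_webroot(fqdn, webroot, token="preflight-probe"):
    """Drop a token under <webroot>/.well-known/acme-challenge/ (the path Certbot
    serves with --webroot -w) and fetch it through the public name, as the CA would."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as f:
        f.write(token)
    status, server, body = fetch(f"http://{fqdn}/.well-known/acme-challenge/{token}")
    return status == 200 and body.strip() == token, server, body


def diagnose(dns_ips, my_public_ip, served_ok, server, body, expected_server="nginx"):
    """Turn the observations into the findings to raise with whoever owns the DNS."""
    findings = []
    if my_public_ip not in dns_ips:
        findings.append(f"DNS resolves to {dns_ips}, not to this host ({my_public_ip})")
    if not served_ok:
        findings.append("token written to the webroot is not what the public name serves")
    if expected_server.lower() not in server.lower():
        findings.append(f"responder identifies as {server!r}, expected {expected_server}")
    if IFRAME_RE.search(body):
        findings.append("response wraps another origin in an <iframe>; the CA never reaches it")
    return findings
```

On the instance, feed `resolve_a_records("chat.waspaa.com")`, the IP from `curl -4 ifconfig.co`, and the tuple from `check_webroot("chat.waspaa.com", "/var/www/html")` into `diagnose()`; an empty list means HTTP-01 has a fair chance, anything else is the question for the IT team.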

You really shouldn't be using iFrames.

  1. LE can't validate your site that way.
  2. It would be a false sense of encryption.
     [HTTPS to a site that uses an HTTP iFrame]

3 Likes

Wouldn't that trigger an active mixed content error?

Anyway, I agree, those iframe things are a thing of the past (1990 or so..) and should not be used any longer.

2 Likes

Wouldn't that imply that they are using something somewhat modern?
[contradicts the use of iFrame doesn't it?]
And not all connections are always from smart systems/programs.

2 Likes

The uni team is gonna get me the subdomain certs from their side.

I have passed down the information. I hope they rectify it.

They should just update the DNS entry to your IP.
[not their IP and then iframe to your IP]

1 Like

That's what my noob ass thought would happen, I don't know why the Uni IT team are doing this.

Control.
That is usually the root cause of such stupidity - it's all about control.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.