Very Newbie - can I use Let's Encrypt for this?

Hi

I run a web-server-based media archive on an internal network at an educational institution. Users access it in a web browser via a simple http://172.28.xx.xx IP address and an LDAP/AD-controlled access list.

Turns out user passwords are being transmitted in the clear, so I have to implement https://. Totally fair.

The web server is built into the MAM system (Apache based) and supports https://. I can activate it with the following controls/fields, which are part of the MAM system's server configuration panel.

I've looked around the LE tutorials, documentation, etc. and can see how Certbot works, but everything seems to suggest that the web server is behind a domain. Mine is just an IP address on a private network. Admittedly, to get to the private network I have to log into a VPN from a domain-based (i.e. institution_name.edu) authentication service to reach the web server.

My question is whether I can actually use LE in this scenario, and if so, do you have any tips on how to proceed?

I'd really appreciate any guidance ... I've never dealt with encryption certificates before ... obviously!

Thanks in advance

lee

My web server is (include version):

Proprietary based on Apache.

The operating system my web server runs on is (include version):

Mac OS 11.6.1 Big Sur

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site

Yes. Proprietary for the MAM system

1 Like

If users access the site via IP only, you can still add a certificate, but you can't use a Let's Encrypt certificate. Let's Encrypt only offers certificates for publicly registered domain names.

You might check whether the MAM software has the ability to generate what is known as a "self-signed" certificate. You could also generate one yourself (plenty of tutorials online). This would solve the immediate problem of credentials being passed in the clear and doesn't require anything outside of your server. The caveat is that users connecting to the site would have to click through a warning about the certificate being untrusted when they first connect.

A step beyond self-signed would be a school-run internal certificate authority that could potentially generate a cert for your server's IP. If such a thing exists in your environment, it would theoretically solve the certificate warning issues for users within your school.

6 Likes

You can only get a Let's Encrypt certificate for domain names in the public DNS. The website itself doesn't need to be public, but the domain name must be.

Not for IP addresses (even though some other CAs do, for public IP addresses, not private subnets).

5 Likes

This maybe could work:

Create a new subdomain name (e.g., media.institution_name.edu) and point it to the private IP 172.28.x.x. Users will then use that subdomain to reach your web server. Of course, that IP only works inside your local network even though the domain name is in the public space.

Use a DNS challenge to get a cert for that subdomain. This requires the ability for you (or IT) to update the DNS records for your institution_name.edu. There is a manual method, but ideally you would use a DNS service provider that supports an API for updating TXT records.

Use that cert in your media web server. Let's Encrypt certs for Apache are usually two files: a "fullchain" file, which is the cert and its intermediates, and a file for the private key. I don't see how those are set up on your example screen, so you need to do some research.

There may be a problem I don't anticipate, and it is perhaps a bit clumsy for someone who describes themselves as "very newbie". But, ...

8 Likes
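As an added illustration of the subdomain-plus-DNS-challenge approach described above (not code from this thread, from Let's Encrypt or from Certbot), the script below computes what an ACME dns-01 validation actually asks you to publish: a TXT record at `_acme-challenge.<subdomain>` whose value is derived from the CA's challenge token and your account key's RFC 7638 thumbprint, and it checks that the A record target is a private address. The token and account JWK are constructed placeholders; a real ACME client receives them from the CA, and the CA only ever queries DNS, never the private IP.

```python
import base64
import hashlib
import ipaddress
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members of the key type, sorted
    lexicographically, serialized with no whitespace, then SHA-256 + base64url.
    Extra members such as 'alg' or 'kid' must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (TXT record name, TXT record value) for a dns-01 challenge
    (RFC 8555 section 8.4): SHA-256 of 'token.thumbprint', base64url-encoded."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return f"_acme-challenge.{domain}", value


def points_to_private_ip(ip: str) -> bool:
    """True when the subdomain's A record target is RFC 1918 space. That is fine
    for dns-01: validation happens through public DNS, not by connecting to it."""
    return ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    # Constructed values, not a real account key or a real challenge token.
    account_jwk = {"kty": "RSA", "e": "AQAB",
                   "n": "Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1tb2R1bHVz"}
    name, value = dns01_record("media.institution_name.edu",
                               "constructed-token-from-CA", account_jwk)
    print(f"publish TXT {name} -> {value}")
    print("A record target 172.28.10.20 is private:",
          points_to_private_ip("172.28.10.20"))
```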

If this is a regular-sized .edu, the IT department should be able to engineer a working solution for you.

7 Likes

Thank you all so much for clarifying things! I appreciate your time.

These answers will be most valuable as I navigate communication with others who will hopefully help me!

3 Likes