I have a very old server running that we are phasing out, but I need to create a wildcard certificate for this domain that the server is hosting.
I don’t want to install anything new on the server as it is from 2010 and don’t want to touch it as we are phasing it out.
Is there a way for me to request a cert and simply add the files to the server so it can respond to any verification tests?
I can add/remove files, and update the nginx conf to point to the necessary files, but I can’t install any certbot tools as I am not sure it will even work as it is a very old server (Ubuntu 8.x).
If you are installing SSL on this server for the first time, you will likely need to compile OpenSSL and your web server from source, since the version of OpenSSL that ships with Ubuntu Hardy would not be compatible with a very large proportion of modern browsers.
To that end, it might be more useful to terminate SSL for this server from a different, more modern server. That would also solve your installation problem.
So, if you truly can't install any client, then that only leaves online verification methods and since it is a wildcard cert you seek, DNS authentication will be required.
You can try: https://www.sslforfree.com/
[I would always recommend that you generate your own private key offline]
Unless you have another system available to "assist", then you could do as @JuergenAuer suggests and use a separate system to generate the cert and then transfer it to this system.
[edit]
But as @_az points out, the ciphers and protocols supported by the existing OpenSSL (if it hasn't been manually updated/compiled recently) may not be compatible with any modern browser.
So, I would check that first.
Review the output of:
openssl version
openssl ciphers
OpenSSL 0.9.8g 19 Oct 2007
and DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5
So that will create the certificate, save it to the “other” server. I then make the txt for DNS validation. Once it is validated I can then copy the cert files to my “real” server?
Yes, this is very outdated - but you might be able to still get some use out of it...
If possible I would first try to update OpenSSL:
apt update
or
apt-get update
then (using apt or apt-get - whichever worked)
apt install openssl
or
apt install openssl --update
[whichever works]
In any case, you might get some use (long enough to get you to the next system) out of using these ciphers: AES256-SHA:AES128-SHA
or (if needed) even these: AES256-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
I would highly recommend disabling all the rest ASAP.
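An added example, not part of any post in this thread: a Python script that takes the `openssl ciphers` output posted above, flags each suite that should be disabled, and checks a proposed nginx `ssl_ciphers` value against what this OpenSSL build offers. The rules in `WEAK` and all function names are assumptions of this example.

```python
import re

# The `openssl ciphers` output posted in the thread (OpenSSL 0.9.8g), copied as input.
POSTED = (
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:"
    "EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:"
    "EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:"
    "EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:"
    "EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5"
)

# Assumed policy for this example: name pattern -> reason to disable the suite.
WEAK = [
    (r"^EXP-", "export-grade (40-bit) key"),
    (r"RC4", "RC4 stream cipher"),
    (r"RC2", "RC2 cipher"),
    (r"DES-CBC-", "single DES (56-bit key)"),  # does not match DES-CBC3 (3DES)
    (r"MD5$", "MD5 MAC"),
    (r"DSS", "DSS authentication, unusable with an RSA certificate"),
]

def parse(cipher_string):
    """Split a colon-separated cipher string, dropping duplicates, keeping order."""
    seen = []
    for name in cipher_string.strip().split(":"):
        if name and name not in seen:
            seen.append(name)
    return seen

def reasons(suite):
    """Every reason from WEAK that applies to one suite name."""
    return [why for pattern, why in WEAK if re.search(pattern, suite)]

def keep_list(cipher_string):
    """Suites with nothing flagged, joined for use as an ssl_ciphers value."""
    return ":".join(s for s in parse(cipher_string) if not reasons(s))

def review(proposed, available):
    """Map each proposed suite to its problems: flagged weak, or not offered."""
    have = set(parse(available))
    found = {}
    for s in parse(proposed):
        problems = reasons(s) + ([] if s in have else ["not offered by this build"])
        if problems:
            found[s] = problems
    return found

if __name__ == "__main__":
    print("ssl_ciphers " + keep_list(POSTED) + ";")
    print(review("AES256-SHA:AES128-SHA", POSTED) or "proposed list: nothing flagged")
```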