让我们在子域上加密SSL证书

Question

I developed an application for a client which I host on a subdomain, now the problem is that I don't own the main domain/website. They've added a DNS record to point to the IP on which I host that app. Now I want to request a Free & automatic certificate from Let's Encrypt. But when I try the handshake it says

Getting challenge for subdomain.example.com from acme-server...
Error: http://subdomain.example.com/.well-known/acme-challenge/letsencrypt_**** is not reachable. Aborting the script.
dig output for subdomain.example.com:subdomain.example.com
Please make sure /.well-known alias is setup in WWW server.

Which makes sense cause I don't own that domain on my server. But if I try to generate it without the main domain I get:

You must include your main domain: example.com.

Cannot Execute Your Request

Details

Must include your domain example.com in the LetsEncrypt entries.

So I'm curious on how I can just set up a certificate without owning the main domain. I tried googling the issue but I couldn't find any relevant results. Any help would be much appreciated.

Answer 1

First

You don't need to own the domain, you just need to be able to copy a file to the location serving that domain. (You're all set there it sounds like)

Second

What tool are you using? The error message you gave makes me think the client is misconfigured. The challenge name is usually something like https://example.com/.well-known/acme-challenge/jQqx6qlM8u3wpi88N6lwvFd7SA07oK468mB1x4YIk1g . Compare that to your error:

    Error: http://example.com/.well-known/acme-challenge/letsencrypt_example.com is not reachable. Aborting the script.

Third

I'm the author of Greenlock , which is compatible with Let's Encrypt. I'm confident that it will work for you.

Install

# Feel free to read the source first
curl -fsS https://get.greenlock.app/ | bash

Usage with existing webserver :

Let's say that:

• You're using Apache or Nginx.
• You confirm that ping example.com gives the IP of your server
• You're exposing http on port 80 (otherwise verification will fail)
• Your website is located in /srv/www/example.com
• Your email is jon@example.com (must be a real email address)
• You want to store your certificate as /etc/acme/live/example.com/fullchain.pem

This is what the command would look like:

sudo greenlock certonly --webroot \
  --acme-version draft-11 --acme-url https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos --email jon@example.com --domains example.com \
  --community-member \
  --root /srv/www/example.com \
  --config-dir /etc/acme

If that doesn't work on the first try then change out --acme-url https://acme-v02.api.letsencrypt.org/directory for --acme-url https://acme-staging-v02.api.letsencrypt.org/directory while you debug. Otherwise your server could become blocked from Let's Encrypt for too many bad requests. Just know that you'll have to delete the certificates from the staging environment and retry with the production url since the tool cannot tell which certificates are "production" and which ones are "testing".

The --community-member flag is optional, but will provide me with analytics and allow me to contact you about important or mandatory changes as well as other relevant updates.

After you get the success message you can then use those certificates in your webserver config and restart it.

That will work as a cron job as well. You could run it daily and it will only renew the certificate after about 75 days. You could also put a cron job to send the "update configuration" signal to your webserver (normally HUP or USR1) every few days to cause it to start using the new certificates without even restarting (...or just have it restart).

Usage without a web server

If you just want to quickly test without even having a webserver running, this will do it for you:

sudo greenlock certonly --standalone \
  --acme-version draft-11 --acme-url https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos --email jon@example.com --domains example.com \
  --community-member \
  --config-dir /etc/acme/

That runs expecting that you DO NOT have a webserver running on port 80, as it will start one temporarily just for the purpose of the certificate.

sudo is required for using port 80 and for writing to root and httpd-owned directories (like /etc and /srv/www). You can run the command as your webserver's user instead if that has the correct permissions.

Use Greenlock as your webserver

We're working on an option to bypass the middleman altogether and simply use greenlock as your webserver, which would probably work great for simple vhosting like it sounds like you're doing. Let me know if that's interesting to you and I'll make sure to update you about it.

Fourth

Let's Encrypt also has an official client called certbot which will likely work just as well, perhaps better, but back in the early days it was easier for me to build my own than to use theirs due to issues which they have long since fixed.

Answer 2

Whats important is the sub domains A record. It should be the IP Address of from where you are trying to request the sub domains certificate.