I cannot add my domain name to CAcert but I want a Server Cert
If you're running a server without its own FQDN (Fully Qualified Domain Name) you will run into problems when creating a Server Cert, because you cannot add the domain to the CAcert domain system. See below for some possible solutions.
There might be other solutions as well that have been discussed on the support mailing list. If you know more details please add them here.
How the ping test works
Additional notes can be found under CPS 4.2.2 Verifying Control - Domain Control
My Server is reachable via its IP address
The easiest solution is to register with one of the dynamic DNS services, such as http://DtDNS.net, then add your dynamic DNS host name to CAcert and receive the probe emails on root@yourDynName. You don't need to own a second-level domain name to use cacert.org: just add the 'highest' domain that you control to cacert.org, which could be yourserver.dtdns.net.
If you want certs for multiple computers that all have a dynamic DNS name, you have to add each server separately, which requires a probe email to be sent to each server. You can, however, point the MX record in the DNS of each server name to the same mail server, so that mail for every server is handled by that one mail server. Not as easy as owning a domain, but it should work. Of course, if you use many servers via dynamic DNS, you would probably be better off getting a domain name.
There is no way to register a certificate for an IP address, only for domain names. This is because we cannot guarantee that the IP address won't change.
My Server is a local Server with an FQDN / DynDNS Name
If you're using an FQDN (Fully Qualified Domain Name) for your local server, you may be able to temporarily modify your DNS so that this FQDN points to a mail server that accepts the mail probe. Once you have verified that you own this domain you can remove this DNS entry again. Please allow up to 24 hours for DNS caches to expire.
If you decide to use a DynDNS name instead of something.local, basically do the same: let it temporarily point to an accepting mail server and change it to something like 127.0.0.1 afterwards. Use the DynDNS name internally as you would have used the something.local DNS name.
Question: I receive the error message "CSRF Hash is missing. Please try again." Answer: You've probably had a long delay between starting your domain-add request and submitting the selected recipient address. As the message says: try adding the domain again.
My Server is a local Server with a .local domain
I need certificates for my machine for local development. The machine doesn't have a fully qualified domain name. How do I get a certificate that my web server will accept?
You only need to verify that you own every domain or sub-domain you want to use with CAcert. As .local will never resolve externally, you cannot verify it and therefore you cannot create a certificate for it.
A solution is to either use a self-signed certificate or change the .local name to a DynDNS name. It is not necessary for this DynDNS name to be reachable from the outside world. See the section above for more details.
Using .local domains is an old custom that conflicts with other uses of that name (it is reserved for multicast DNS, RFC 6762). Use the alternative local.yourdomain.tld instead, so that yourdomain.tld is verifiable and local.yourdomain.tld is the local part.
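The three situations above (several dynamic DNS names whose MX records point at one shared mail server, a name temporarily pointed at an accepting mail server, and a .local name that resolves to nothing) all come down to one question: which machine will actually receive the probe sent to root@host? The following pre-flight check, an added example that is not CAcert's own code, answers that for a list of host names before you trigger the probe. The DNS table, host names and addresses are constructed placeholders; in real use you would replace fake_resolve with a resolver that queries DNS.

```python
"""Pre-flight check for the CAcert mail probe (added example, not CAcert code).

Before asking CAcert to send the probe to root@<host>, work out which
machine would actually receive that mail.  Delivery follows RFC 5321: the
lowest-preference MX record wins; a name with no MX but an address record is
its own implicit MX; a name with neither (the .local case) is undeliverable
and can never be verified.
"""
from typing import Callable, Dict, List, Optional, Tuple

# One DNS answer: (list of (preference, exchange), list of IPv4 addresses).
DnsAnswer = Tuple[List[Tuple[int, str]], List[str]]
Resolver = Callable[[str], DnsAnswer]

# Constructed stand-in for real DNS; every name and address is a placeholder.
FAKE_DNS: Dict[str, DnsAnswer] = {
    # two dynamic-DNS hosts whose MX records point at one shared mail server
    "box1.dyndns.example": ([(10, "mx.shared.example")], ["203.0.113.10"]),
    "box2.dyndns.example": ([(10, "mx.shared.example")], ["203.0.113.11"]),
    # a host with no MX: mail for root@box3 goes to box3 itself
    "box3.dyndns.example": ([], ["203.0.113.12"]),
    # the shared mail server you control
    "mx.shared.example": ([], ["198.51.100.25"]),
    # a .local name: resolves to nothing outside the LAN
    "server.local": ([], []),
}


def fake_resolve(name: str) -> DnsAnswer:
    """Look a name up in the constructed table; unknown names return no records."""
    return FAKE_DNS.get(name, ([], []))


def probe_destination(host: str, resolve: Resolver) -> Optional[str]:
    """Return the IPv4 address that will receive mail for root@host, or None."""
    mx_records, a_records = resolve(host)
    if mx_records:
        # RFC 5321: try the exchanges in ascending preference order
        for _pref, exchange in sorted(mx_records):
            _, exchange_addrs = resolve(exchange)
            if exchange_addrs:
                return exchange_addrs[0]
        return None            # MX present but no exchange resolves
    if a_records:
        return a_records[0]    # implicit MX: the host itself must run an MTA
    return None                # nothing resolves: the probe can never arrive


def check_fleet(hosts: List[str], shared_mx_ip: str,
                resolve: Resolver) -> Dict[str, str]:
    """Classify each host by where its CAcert probe would land."""
    result: Dict[str, str] = {}
    for host in hosts:
        dest = probe_destination(host, resolve)
        if dest is None:
            result[host] = "unresolvable"   # e.g. .local: choose another name
        elif dest == shared_mx_ip:
            result[host] = "shared-mx"      # lands on the mail server you control
        else:
            result[host] = "host-itself"    # that box must accept mail itself
    return result


if __name__ == "__main__":
    report = check_fleet(list(FAKE_DNS), "198.51.100.25", fake_resolve)
    for host, status in report.items():
        print(f"{host:22} {status}")
```

A host reported as "host-itself" will only pass the probe if it runs a mail server that accepts root@; "unresolvable" hosts need a different name (a DynDNS name or local.yourdomain.tld) before CAcert can verify anything.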
My Mail server uses Greylisting to Filter SPAM
Whitelist the CAcert mail server *.cacert.org or everything coming from @cacert.org. Greylisting interferes with the current CAcert email probe system since the probes don't try to resend the message, and greylisting requires this. Manually retrying the probe seems to work in many cases, however whitelisting is the most reliable solution.
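A greylisted probe leaves a 450 rejection in the mail log and nothing else, so the symptom is easy to miss. The script below, an added example that is neither CAcert's nor postgrey's code, scans Postfix log lines for greylist rejections whose sender is @cacert.org and lists the client host names to whitelist. The log lines are constructed samples in the general shape Postfix uses for a postgrey rejection; the IP addresses, sender address and host names are placeholders.

```python
"""Find CAcert probes that greylisting rejected (added example, not CAcert code).

The CAcert probe is sent once and not retried, so every 450 "Greylisted"
rejection of a @cacert.org sender is a verification attempt that silently
failed.  The fix is to whitelist the sending host and re-run the probe.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample log lines (placeholder addresses and host names).
SAMPLE_LOG = """\
Feb 17 10:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mail.cacert.org[192.0.2.7]: 450 4.2.0 <root@box1.dyndns.example>: Recipient address rejected: Greylisted; from=<probe@cacert.org> to=<root@box1.dyndns.example> proto=ESMTP helo=<mail.cacert.org>
Feb 17 10:00:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from relay.example.net[198.51.100.9]: 450 4.2.0 <alice@box1.dyndns.example>: Recipient address rejected: Greylisted; from=<news@example.net> to=<alice@box1.dyndns.example> proto=ESMTP helo=<relay.example.net>
Feb 17 10:05:00 mail postfix/smtpd[2107]: 3F2A1C0: client=mail.cacert.org[192.0.2.7]
"""

# Matches the client host, its IP, and the envelope sender/recipient of a
# 450 greylist rejection; other log lines do not match at all.
GREYLIST_RE = re.compile(
    r"RCPT from (?P<client>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: 450 .*?Greylisted.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def greylisted_probes(lines: Iterable[str],
                      sender_domain: str = "cacert.org") -> List[Dict[str, str]]:
    """Return one record per greylisted message whose sender is @sender_domain."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = GREYLIST_RE.search(line)
        if not m:
            continue
        sender = m.group("sender").lower()
        if not sender.endswith("@" + sender_domain.lower()):
            continue   # greylisting other senders is working as intended
        hits.append({
            "client": m.group("client"),
            "ip": m.group("ip"),
            "sender": sender,
            "rcpt": m.group("rcpt"),
        })
    return hits


def whitelist_entries(hits: List[Dict[str, str]]) -> List[str]:
    """Unique client host names that the greylisting whitelist should carry."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = greylisted_probes(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"probe for {h['rcpt']} from {h['client']}[{h['ip']}] was greylisted")
    print("whitelist:", ", ".join(whitelist_entries(found)))
```

Whitelisting by client host name (postgrey's whitelist_clients file, for example, accepts a bare domain such as cacert.org and matches every host under it) is more robust than whitelisting by envelope sender, since the sender address is trivially forgeable while the connecting host's reverse name is what the greylister already checks.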
There might be more details about that on FAQ/Registration ...
I'm not running a Mail server on my Domain
Currently there is only one way to verify that you own a domain name: CAcert sends a verification email to a certain email address and you follow the instructions you receive in this email.
If you don't have an email server running, you have the following options:
- temporarily install a mail server
- temporarily change your DNS entry to point to an IP address with a mail server installed (if you ask nicely on the support mailing list you might find someone who is willing to modify his/her mail server to receive this email for you)
As this is a common problem there are plans for "Other Domain Verification Methods" (see below), but don't expect this to be implemented soon.
Could I run a SubRoot CA for all our local machines?
No. See SubRoot for solutions and workarounds.
Other Domain Verification Methods
See p20090105.1. Basically it is now policy to check 2 different things, and there should be many different methods. This will be / should be reflected in CPS and code. However there is little or no implementation of this.
Historically, Duane wrote, 2005-02-17:
On numerous occasions people have had trouble registering domains (especially on dynamic dns hosts) because they aren't able to receive email on those domains, out of current discussions on the netscape newsgroups one person suggested that perhaps a better way to verify domain ownership was to get a website to put a small piece of html code on the website, such as a protected by CAcert logo, and then get the CA to either visually inspect the logo exists on the website or screen scrape the page for the html code. Can anyone think of any reasons this would be a worse idea than the current email pings?
This sounds similar to the way Google Analytics verifies domain ownership. Nothing has been implemented yet. You may want to have a look at the discussion on the mailing list. If possible, please contribute example code for this.
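As a starting point for the example code requested above, here is an added illustration (not CAcert code, and not an implemented CAcert method) of the page-token variant of Duane's proposal: the CA issues a random token, the requester publishes it in a <meta> tag on the site, and the CA parses the fetched page for it. The tag name "cacert-domain-verification", the sample page and the sample token are assumptions constructed for the example; fetching the page over the network is left to the caller so the check runs offline.

```python
"""Web-page token check for domain control (added example, not CAcert code).

CA side: issue_token() creates an unguessable token for one request;
page_proves_control() decides whether a fetched page carries that token in
the agreed <meta> tag.  The HTML is parsed rather than substring-searched,
so a token that only appears in a comment, a user post or a query string
does not count, and the comparison is constant-time.
"""
import hmac
import secrets
from html.parser import HTMLParser
from typing import List, Optional, Tuple

META_NAME = "cacert-domain-verification"   # assumed tag name, not a CAcert convention


def issue_token() -> str:
    """CA side: a fresh, unguessable token bound to one verification request."""
    return secrets.token_urlsafe(32)


class _MetaCollector(HTMLParser):
    """Collect the content= value of every <meta name=META_NAME> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == META_NAME:
            self.found.append(a.get("content", ""))


def page_proves_control(html_body: str, expected_token: str) -> bool:
    """CA side: True only if the page publishes exactly the token we issued."""
    collector = _MetaCollector()
    collector.feed(html_body)
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return any(hmac.compare_digest(t, expected_token) for t in collector.found)


# Constructed sample pages; the token is a placeholder, never a real secret.
SAMPLE_TOKEN = "constructed-example-token-do-not-use"
SAMPLE_PAGE = f"""<!doctype html><html><head>
<meta name="{META_NAME}" content="{SAMPLE_TOKEN}">
<title>box1</title></head><body><p>protected by CAcert</p></body></html>"""

# Same token, but only inside a comment and a visitor-supplied paragraph:
# this must NOT count as proof of control.
SAMPLE_PAGE_NO_META = f"""<!doctype html><html><head><title>box1</title></head>
<body><!-- {SAMPLE_TOKEN} --><p>guest wrote: {SAMPLE_TOKEN}</p></body></html>"""


if __name__ == "__main__":
    print("issued token:", issue_token())
    print("meta tag page:", page_proves_control(SAMPLE_PAGE, SAMPLE_TOKEN))
    print("comment-only page:", page_proves_control(SAMPLE_PAGE_NO_META, SAMPLE_TOKEN))
```

Two design points matter when wiring this to a real fetch: the token must be issued per request and expire, so an old page cannot be replayed for a new domain add, and the fetcher should refuse redirects to a different host, since otherwise whoever controls the redirect target could answer for the domain being verified. A page token only shows control of the web content at that name, which is one reason the policy referenced above calls for checking two different things rather than one.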