I’ve read as much documentation as I can find on this, but I must be missing something.
I’ve configured a custom domain and am trying to add an SSL certificate. Self-signed certs are not allowed by Okta for this. But getting a cert from Let’s Encrypt, etc., requires that I validate ownership of the domain infrastructure by, for example, dropping a file onto the web server so Let’s Encrypt can see that I can make changes to the domain. But I do not own the infrastructure in this case - Okta does. How do I allow Let’s Encrypt to perform validation so I can upload a proper certificate?
Let’s Encrypt is not recommended for a hosting provider that does not support the ACME protocol. Specifically,
We don’t recommend using Let’s Encrypt certificates on hosting providers that don’t directly implement the ACME protocol, because it means you can’t fully automate renewals. We think automated renewals are a very important part of using certificates. Using software to automate renewal makes it much less likely that your certificate will expire without being replaced. If your certificate expires, it’s very frustrating for your users because they can’t access your site.
That said, Let’s Encrypt should also support DNS name verification, which you can accomplish without needing Okta to host any files for you. See here for more info: https://letsencrypt.org/docs/challenge-types/
PS: Submit an Ideas request to Okta’s roadmap for them to support the ACME protocol for automated certificate renewals.
That was it - Thank you.
For googlers, see the feature request for automatic updates here. Be forewarned, currently with Let’s Encrypt the certificates will expire every 90 days and you’ll have to change a TXT record in your DNS on every update since Okta doesn’t support ACME (yet, hopefully)…