3

I have developed my DRF back-end API locally, deployed it on an AWS Lightsail instance (with a public static IP) and I now want to secure it with HTTPS.

I understand that in order to use Let's Encrypt (and not pay for an SSL certificate), I have to have a domain name associated with my instance IP since Let's Encrypt doesn't provide certificates for public IPs. As this is my back-end API (and not just a website), I don't intend to buy a domain specifically for this.

  1. Can I, somehow, associate my Lightsail IP with another domain that I've already purchased (and is used to host my company's landing page)? If yes, will there be any impact on my API's performance?

  2. Is there any other alternative to obtain an SSL? (Apart from paying another CA to issue this for my public IP?)

schroeder
kingJulian
  • And you don't want to use the AWS API Gateway? – schroeder Aug 31 '20 at 15:43
  • To be frank, I'm not familiar with AWS API Gateway and it seems too much of a hassle to use it at this stage of my dev process. Isn't there any other way? – kingJulian Aug 31 '20 at 15:58
  • Well, the short answer is "no" you do not need to associate your API with a domain name. Lots of services provide TLS for APIs, like API Gateway. But the way you've designed it, and deployed it, you've painted yourself into a corner. You are bolting on encryption as a last stage and didn't include it as part of the spec at the start. – schroeder Aug 31 '20 at 16:08
  • So, your question *really* is, how can I get TLS for this website (that happens to only provide an API) that I don't want to get a domain for? – schroeder Aug 31 '20 at 16:10
  • Well, my question is *also*, can I use the domain I've already purchased and associate it with my API? – kingJulian Aug 31 '20 at 16:13
  • How would you route the right traffic to the correct IP? That part of your question is a DNS question, not a security question. – schroeder Aug 31 '20 at 16:16

1 Answer

7

It seems that it's not possible to obtain a certificate from Let's Encrypt for a public IP address, without a domain name. See https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082.

Notwithstanding, are you sure you really want to ask users of your API to access it by its public IP? If you ever need to move your API to a different server, this will require all of the users of your API to change their systems that call your API, to replace the old IP with the new one. This will undoubtedly frustrate your users, and it will cause the migration to take much longer. Using a FQDN (e.g. api.yourdomain.tld) will make this process much more agile if you ever have to change servers - just update the A record of your FQDN, and you're done with it - without your users having to do anything. And, you can get a cert from LE.

mti2935
  • Can I associate the domain I've already purchased with my API or do I have to buy a new one? – kingJulian Aug 31 '20 at 16:15
  • @kingJulian You can use a domain that you already own. You can create a hostname, such as api.yourdomain.com, that you can then point to the IP address of the server that is running your API. – mti2935 Aug 31 '20 at 16:25
  • @mti2935 even if already assigned to an active website? – schroeder Aug 31 '20 at 16:25
  • @schroeder yes. He can create many hostnames (also called 'subdomains'), that each point to different servers. For example, databaseserver.yourdomain.com, vpnserver.yourdomain.com, smtpserver.yourdomain.com, etc. His DNS provider should allow him to create new hostnames as needed, and create A records for each one pointing to the IP address of each server. – mti2935 Aug 31 '20 at 16:30
  • Cool. So I can add a hostname for my API in my already purchased domain name. Thanks! – kingJulian Aug 31 '20 at 16:43
  • I don't even know how deep the sub domain tree goes for domain names owned by the company I work for. We own (probably) hundreds of root domains, and most have dozens of sub domains with a few more "levels" deep, each having its own dozens. It's turtles all the way down! – Conor Mancone Aug 31 '20 at 23:34
  • @kingJulian The important note here is use a subdomain, not your root domain. You can use the domain you own, but don't just point root to your API endpoint as you'll take down your live site. Sorry if this seems obvious, but it didn't seem to be made obvious in the prior discussion. – TCooper Sep 01 '20 at 01:07
  • Thank you @ConorMancone and TCooper for your answers. So I can create as many sub-domains (which in turn can contain nested levels too) as I want and all of them will share the root domain's certificate. – kingJulian Sep 02 '20 at 14:41
  • @kingJulian Oh, that's a different matter. Typically each sub domain will have its own certificate. Technically you can get a wildcard domain (that will allow sub domains to share a certificate), but that has its own downsides and challenges. However this isn't usually a practical issue because you can get Let's Encrypt certificates for sub domains, and doing so is free and (normally) automated. Therefore you just register the root domain, create as many sub domains (and sub-sub domains) as you want (a process which is also free), and then just get a Let's Encrypt cert for each sub domain. – Conor Mancone Sep 02 '20 at 14:56
  • Got it, thanks! The subdomains can be of the following format, right: .subdomain.com? – kingJulian Sep 02 '20 at 14:59
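As an added illustration of the certificate-coverage points raised in the comments above (this is not code from the original post), the following Python models RFC 6125 hostname matching against a certificate's subjectAltName list, using the same `('DNS', name)` / `('IP Address', addr)` tuple shape that Python's `ssl.SSLSocket.getpeercert()` returns. It shows why a root-domain certificate does not cover `api.yourdomain.com`, why a `*.yourdomain.com` wildcard covers one label only, and why an IP-only deployment would need an IP SAN. All hostnames and the IP address are constructed placeholders.

```python
"""Which hostnames does a given certificate's SAN list actually cover?"""
import ipaddress


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a hostname (RFC 6125 style).

    A wildcard is honoured only when it is the entire left-most label,
    and it matches exactly one label: *.yourdomain.com covers
    api.yourdomain.com but neither yourdomain.com nor v2.api.yourdomain.com.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject partial wildcards (a*.example.com) and bare/too-short wildcards.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_entries, host: str) -> bool:
    """True if any SAN entry covers `host`.

    `san_entries` is a sequence of (kind, value) tuples as found in
    getpeercert()["subjectAltName"], e.g. ("DNS", "api.yourdomain.com")
    or ("IP Address", "203.0.113.10").
    """
    for kind, value in san_entries:
        if kind == "DNS" and _dns_name_matches(value, host):
            return True
        if kind == "IP Address":
            try:  # a literal IP in the URL must match an IP SAN exactly
                if ipaddress.ip_address(value) == ipaddress.ip_address(host):
                    return True
            except ValueError:  # host is a name, not an address
                continue
    return False


def coverage_report(san_entries, hosts) -> dict:
    """Map each planned hostname to whether the certificate would be accepted."""
    return {h: cert_covers(san_entries, h) for h in hosts}


if __name__ == "__main__":
    # Constructed SAN list of a hypothetical certificate issued for the landing page only.
    landing_page_cert = [("DNS", "yourdomain.com"), ("DNS", "www.yourdomain.com")]
    planned = ["yourdomain.com", "api.yourdomain.com", "203.0.113.10"]
    for host, ok in coverage_report(landing_page_cert, planned).items():
        print(f"{host:22s} {'covered' if ok else 'NOT covered'}")
```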