How to create an SSL certificate for a vanity URL/CNAME with CA LetsEncrypt.org (for Custom URLs module)?

BabyYoda
Tera Expert

(Edit: This question is for Custom URLs but I figured that was implied since I mention CNAME and Vanity URL.)

ServiceNow has documentation for generating a server SSL certificate for ServiceNow. You can find that link here:

https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/general/task/t_GenerateAServerCertificate.html

I'm on Step 3, which is signing the certificate after you create your CSR file. The CA provider must take the CSR, verify, create and sign the cert and then send you the signed cert file. As I understand it, LetsEncrypt.org is the exclusive CA for ServiceNow. ServiceNow also manages renewal of the certs, as they renew every 3 months, which is the TTL for LetsEncrypt.org certs. So it only makes sense, then, that LetsEncrypt.org should be the CA for initial cert creation, no?

Anyway, I've run into a roadblock. I'm having trouble trying to create and sign the cert with LetsEncrypt.org. The SSL cert I'm creating is for a CNAME URL/vanity URL for the ServiceNow instance. Let's pretend the URL is: www.example-dev.com. www.example-dev.com is currently pointing to the ServiceNow instance. Now I need a cert for it. I'm following the guidelines over at LetsEncrypt.org for this step:

https://letsencrypt.org/getting-started/

From what I understand, there are two ways to sign the cert: with shell access and without shell access. Without shell access, it's up to the hosting provider. If the hosting provider doesn't support direct integration with LetsEncrypt--and I don't see ServiceNow on the list--it can be done manually by installing Certbot or an equivalent ACME client and running it in manual mode, uploading a file to the hosting provider, and LetsEncrypt will verify that way that you have control of the website hosted by the provider. I don't believe this step is possible with ServiceNow, but I suppose I could be wrong. Manual mode also supports adding a special DNS entry to the website and verifying that way. Maybe ServiceNow Support could add support for this; I'm not sure.

That leaves me with using shell access. With shell access, I download and install Certbot or an equivalent ACME client to facilitate creation and signing of the SSL cert. The problem is Certbot needs to be installed on the server to which the vanity URL/CNAME URL points. Manual mode, which I highlighted above, would be a way around creating and signing a cert for a website on a different server, but the same issues I discussed earlier apply. So, I'm kind of at a loss here.

For ServiceNow Vanity URLs/CNAME URLs, can you create a cert with a CA other than LetsEncrypt.org? If so, how does renewal work? Would ServiceNow still manage renewals of the cert?

Or, if you create the cert with LetsEncrypt.org as the CA, given the challenges I described earlier, how precisely do I go about doing that? Should I reassign the vanity URL/CNAME URL to a local server where Certbot is installed, create and sign the cert, and then reassign the vanity URL/CNAME URL back to the ServiceNow instance?

 

2 REPLIES

BabyYoda
Tera Expert

Good news, everyone! I found the answer. Not from a KB article or documentation, but from another Community thread:

https://community.servicenow.com/community?id=community_article&sys_id=933ab776dbac8c5c2be0a851ca9619c0

ServiceNow automatically creates the SSL cert for Custom URLs with LetsEncrypt.org, their exclusive CA partner. No need to create your own cert and upload it to the instance.

(Why ServiceNow doesn't have documentation or a KB article on cert creation for Custom URLs is beyond me. If I'm wrong, I'd be happy to be corrected, but I couldn't find anything. Even ServiceNow Support was having trouble helping me with this one. Good thing we have this great ServiceNow Community.)

In fact, you shouldn't. ServiceNow, as of this writing, does not accept a cert from anybody but LetsEncrypt.org for Custom URLs. And it makes little sense to create your own LetsEncrypt.org cert and upload it to the instance. I'm not even sure Custom URLs would recognize it or if it would cause a conflict. The cert may be auto-generated by workflow, or perhaps someone at ServiceNow sees the ticket come in to create a cert for a Custom URL and kicks it off.

The documentation for creating and uploading a cert to the instance is applicable to things other than a CNAME/Vanity URL for your ServiceNow instance (read: Custom URLs module), such as: LDAP servers, MID Servers, outbound calls from SNOW with mutual auth, and web services. Client-side SSL certs you may be able to throw in there, too.

With regards to CAA, remember CNAME and CAA do not mix. If you have CNAME www.sub.example.com which points to www.example.com, the CAA record can be on www.example.com, example.com, or sub.example.com, but not www.sub.example.com. I'm not sure if ServiceNow creates CAA records as needed, but if you have a CAA record on your domain, you'll need to ensure LetsEncrypt.org is included so that ServiceNow can create the cert on your behalf. The CAA use case is not applicable to me, so I can't say from personal experience whether CAA and ServiceNow play nicely, regardless of whether the domain is a CNAME record or otherwise.

The main takeaway here is ServiceNow creates the cert on your behalf for Custom URLs. You do not need to do anything for certs. Just ensure the CNAME record is set up properly and the rest should take care of itself.

There is a KB article here:

https://support.servicenow.com/kb?id=kb_article_view&sys_kb_id=eb403881db0034d016d2a345ca961907

However, to my eyes, I don't see any language which explicitly tells you, the customer, that the cert is created by ServiceNow when you create the Custom URL record:

"

...

8. ServiceNow uses a certificate from LetsEncrypt for custom URL configuration.

a. So, if you already have a CAA for the URL with another provider, e.g. VeriSign, then you will need to update it to include LetsEncrypt.org (as ServiceNow currently only supports CAA with LetsEncrypt.org)

b. If you do not have a CAA from another provider then you do not need a LetsEncrypt certificate as ServiceNow takes care of it while configuring the custom URL.

9. The certificate which will be used by ServiceNow for custom URL will reference FQDN (Fully Qualified Domain Name) not a wildcard.

"

You might read it as ServiceNow creates the cert for you. Others, like myself, could take it as you having to create your own LetsEncrypt.org cert and upload it to the instance. It's not spelled out. If anyone at ServiceNow is reading this post, I would suggest updating the KB article to explicitly spell out that ServiceNow creates the LetsEncrypt.org cert on your behalf when you create a Custom URL record.
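The CAA point in the reply above (CAA cannot sit on the CNAME owner, so it lands on the CNAME target or on a parent of the queried name) and item 8a of the quoted KB (an existing CAA naming another CA must be extended to include letsencrypt.org) are exactly what a CA's RFC 8659 lookup enforces. The script below, an added example that is not code from the original post, from ServiceNow or from Let's Encrypt, implements that lookup over a constructed zone and reports whether letsencrypt.org would be allowed to issue for several CNAMEd names. All hostnames, the instance name exampledev.service-now.com and the CAA contents are constructed for the example.

```python
"""CAA (RFC 8659) check for a custom URL that is a CNAME to ServiceNow.

Added example for this thread; not ServiceNow's or Let's Encrypt's code.
The zone below is constructed. The CAA record that governs a CNAMEd name
can live on the CNAME target or on a parent of the queried name, never on
the CNAME owner itself, because a CNAME owner can carry no other record
types (RFC 1034 section 3.6.2).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain such as "letsencrypt.org", or ";" = nobody


# Constructed zone data: owner name -> {"CNAME": target} or {"CAA": [...]}.
ZONE = {
    # the thread's case: CAA on the parent, the CNAME owner holds nothing else
    "www.example-dev.com.": {"CNAME": "exampledev.service-now.com."},
    "example-dev.com.": {"CAA": [CAA(0, "issue", "letsencrypt.org"),
                                   CAA(0, "iodef", "mailto:security@example-dev.com")]},
    # KB item 8a: an existing CAA that names a different CA
    "www.legacy.example-dev.com.": {"CNAME": "exampledev.service-now.com."},
    "legacy.example-dev.com.": {"CAA": [CAA(0, "issue", "digicert.com")]},
    # CAA on the CNAME target itself
    "alias.example-dev.com.": {"CNAME": "cname-target.test."},
    "cname-target.test.": {"CAA": [CAA(0, "issue", "letsencrypt.org")]},
    # ";" forbids every CA
    "locked.example-dev.com.": {"CAA": [CAA(0, "issue", ";")]},
}

MAX_CNAME_HOPS = 8


def caa_lookup(name, zone):
    """CAA(X) as a resolver returns it: follow CNAMEs to the canonical name
    and return (canonical name, its CAA records, possibly empty)."""
    for _ in range(MAX_CNAME_HOPS):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]
            continue
        return name, list(rrs.get("CAA", []))
    raise ValueError(f"CNAME chain too long or looping at {name}")


def parent(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa_set(fqdn, zone):
    """RFC 8659 section 3: starting at the queried FQDN, return the first
    non-empty CAA(X) walking up the *queried* name's parents. The walk does
    not climb the CNAME target's parents."""
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    while name is not None:
        canonical, rrset = caa_lookup(name, zone)
        if rrset:
            return canonical, rrset
        name = parent(name)
    return None, []


def may_issue(fqdn, ca, zone, wildcard=False):
    """Return (allowed, reason) for issuer domain `ca` (Let's Encrypt
    publishes letsencrypt.org) and the name to be certified."""
    where, rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True, "no CAA anywhere in the chain; any CA may issue"
    for rr in rrset:
        if rr.flags & 128 and rr.tag not in {"issue", "issuewild", "iodef"}:
            return False, f"critical unknown property {rr.tag!r} at {where}"
    props = [rr for rr in rrset if rr.tag == "issuewild"] if wildcard else []
    if not props:                      # no issuewild: "issue" governs wildcards too
        props = [rr for rr in rrset if rr.tag == "issue"]
    if not props:
        return True, f"CAA at {where} restricts nothing relevant; any CA may issue"
    # value may carry parameters after ';' (e.g. "letsencrypt.org; validationmethods=dns-01")
    allowed = {rr.value.split(";", 1)[0].strip().lower() for rr in props} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} is authorised by CAA at {where}"
    return False, f"CAA at {where} authorises {sorted(allowed) or 'no CA at all'}"


if __name__ == "__main__":
    for host in ("www.example-dev.com", "www.legacy.example-dev.com",
                 "alias.example-dev.com", "app.locked.example-dev.com"):
        print(host, *may_issue(host, "letsencrypt.org", ZONE))
```

Before raising the Custom URL request, run this logic against your real zone (dig CAA on the name and each parent) and confirm letsencrypt.org is in the relevant set; an existing "issue" record for another CA, as in the legacy.example-dev.com case, blocks ServiceNow's issuance until it is extended.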