ACME with multiple certificates for a single domain #24731
Comments
I submitted a PR to add a domain option to resolve this. Unfortunately, there are still a couple of rough edges:
I don't think the latter is worth worrying about, but I'm curious if anyone has ideas for permissions on the challenge directory. My thought is that nginx can only reasonably serve a single directory for the challenge for a domain, and so the two options are
Am I missing a better solution?
Thanks for your analysis and the PR. 👍 I've been sharing the main certificate between services by placing the service users in a new group. Regarding the challenge directory, I think your first suggestion makes a lot of sense. 👍 We have some more issues with our current ACME module. For instance, because we are using simp_le, we don't support dns-01 challenges yet. I've been thinking about replacing simp_le with dehydrated or acme.sh. Do you maybe have an opinion on that? This would mean a major refactoring of the module, though, and the certificates and keys will probably be placed in different files/directories.
Pretty much all I know about ACME is what's in Nix; I saw that it was supported, and figured that was (almost) good enough for me. I'm intrigued and might be interested in taking a look at alternative clients, but it's not something I expect to do in the near future.
Fixes NixOS#24731. (cherry picked from commit e3559c2) This is useful on servers like mine, which often prefer to stay on stable releases. Since there's no impact if you're not using the new option, this should be safe to pull in.
Issue description
I'm currently running web, IMAP, SMTP, and XMPP servers for a single domain on the same host. All of them should support SSL, and I'm using letsencrypt/ACME via the (amazingly simple) NixOS integration.
Unfortunately, AFAICT, the current ACME infrastructure in NixOS only supports a single certificate per domain; the directory location and domain are tied to the same parameter (namely, the <name> in the security.acme.certs record). This would be suboptimal but reasonable, except that the services (rightfully) run as separate users, and all need to read the shared certificate. On 16.09, I could do this (hackily) by setting the user and group on the certificate; however, in 17.03 it appears that the nginx config sets the user to nginx's, thwarting my workaround.
So I'm looking at implementing this properly, with a different certificate for each service. It seems to me that adding an option to override the domain passed to cert_le would be a good fix; something like the following would work then:
It also seems plausible to me that something could be made to work by repeating example.com in security.acme.extraDomains for other domains, but that presumably requires those other domains to work as well, and seems extremely fragile.
Steps to reproduce
N/A; this is a feature request
Technical details
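As an added example (not code from the issue, its PR, or nixpkgs), here is how the layout proposed above could be written once a per-entry `domain` option exists, combined with the group-based key sharing the maintainer describes in the comments. Option names follow the NixOS `security.acme` and `services.nginx` modules of the 17.03 era; `domain` is the override the issue proposes. The hostname, e-mail address, group name and the Postfix/Dovecot options are illustrative assumptions.

```nix
# Added example, not taken from the issue, its PR, or nixpkgs. Option names
# follow the NixOS security.acme and services.nginx modules of the 17.03 era;
# `domain` is the per-entry override the issue proposes. The hostname, e-mail
# address, group name and the mail-server options are illustrative assumptions.
{ config, pkgs, ... }:

{
  # nginx gets its certificate the usual way. In 17.03 this makes the nginx
  # module define security.acme.certs."example.com" with user/group nginx and
  # the challenge webroot at the vhost's acmeRoot (the behaviour the issue
  # runs into when trying to share that one certificate).
  services.nginx = {
    enable = true;
    virtualHosts."example.com" = {
      enableACME = true;
      forceSSL = true;
    };
  };

  security.acme.certs = {
    # Second entry for the mail stack: a different *name* (and therefore a
    # different directory under security.acme.directory), but the same
    # domain, which is what the proposed `domain` option makes possible.
    "example.com-mail" = {
      domain = "example.com";
      email = "hostmaster@example.com";   # assumed contact address
      # nginx can only serve one challenge directory per domain, so both
      # entries must write their challenge files into nginx's acmeRoot.
      webroot = config.services.nginx.virtualHosts."example.com".acmeRoot;
      # Running the second entry as the user that already owns the challenge
      # directory avoids the two entries chowning it back and forth.
      user = "nginx";
      # The key is shared with the mail daemons through a dedicated group
      # rather than by making it world-readable.
      group = "certs";
      allowKeysForGroup = true;
    };
  };

  users.groups.certs = {};
  # Service accounts that must read the mail certificate's private key.
  users.users.postfix.extraGroups = [ "certs" ];
  users.users.dovecot2.extraGroups = [ "certs" ];

  # Each service points at its own certificate directory, so it no longer
  # needs read access to nginx's files.
  services.postfix = {
    enable = true;
    sslCert = "/var/lib/acme/example.com-mail/fullchain.pem";
    sslKey = "/var/lib/acme/example.com-mail/key.pem";
  };
  services.dovecot2 = {
    enable = true;
    sslServerCert = "/var/lib/acme/example.com-mail/fullchain.pem";
    sslServerKey = "/var/lib/acme/example.com-mail/key.pem";
  };
}
```

The trade-off to be aware of: because both entries run as `nginx` to keep the shared challenge directory consistently owned, the nginx user can read the mail stack's private key as well as its own. What this layout buys is a separate key file and renewal per service, not confidentiality of the mail key from nginx. If that is not acceptable, the ownership of the challenge directory is exactly the open question in the thread; moving the module to a client that supports dns-01, as the maintainer considers, would remove the shared webroot altogether.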