Support multiple domains via SNI #8

Open
TheChief79 opened this Issue Apr 20, 2017 · 9 comments

TheChief79 commented Apr 20, 2017

Does your script support multiple domains (SNI) as described here?

https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS

maxxer commented Apr 20, 2017

I have to do some tests

gnat42 commented Sep 29, 2017

Today I attempted to pass multiple domains -d sub.domain1.com -d sub2.domain1.com - it does not support this, taking the last domain name, which caused zimbra to stop functioning since ldap didn't match the new cert.

maxxer commented Oct 1, 2017

Do you guys know if the steps in the wiki page above work even for a single domain? If so I could convert the script to use savecrt/deploycrts, and then handle multiple -d options.

@maxxer maxxer self-assigned this Oct 1, 2017

gnat42 commented Oct 2, 2017

Mostly - I've not been able to get the patch to work so that nginx answers the .well-known directory. Otherwise the rest works (minus multiple domains).

lcaflc commented Oct 2, 2017

Hi, in response to patch #26, you don't have to use multiple -d options to the certbot/Let's Encrypt tool.
You can use -d domain1,domain2,domain3 and it will generate a valid certificate for all those domains using the "Certificate Subject Alternative Name" option.

gnat42 commented Oct 2, 2017

That's good to know; however, I think even if it does that, it'll have issues finding the certs in the /etc/letsencrypt/$DOMAIN/ dir since it expects one domain.

lcaflc commented Oct 4, 2017

For full SNI support you need completely different certificates. So you need to call certbot and import them into zimbra individually for each of your domains, which means using certbot-zimbra.sh multiple times should work.

However I don't see any good reason for that because:

  • why do complicated multi-cert stuff when Let's Encrypt allows doing it the easy way, and even extending a certificate with more aliases.
  • SNI works for the web UI over the https protocol, but not for the imaps, pops, smtps protocols. So users using those will get warnings about bad certs, which should not be the case.

Member

maxxer commented Aug 21, 2018

Multiple domain support has been implemented in 290e38e.

I've tested it on a deployment I have and certbot apparently places the certs under the first -d option specified, that is zmhostname. So the behavior of the script isn't affected.

At this point I don't know if it's worth making a specific implementation for SNI. People using it can add their feedback here, thanks. I'm keeping the issue open for the discussion
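Added example (not the certbot-zimbra project's code) sketching, in POSIX shell, the domain handling this thread converges on: accept both repeated -d options and the comma-separated form lcaflc mentions, de-duplicate, and refuse a list whose first entry is not zmhostname, since that first domain is what certbot names the lineage after and what Zimbra's LDAP expects the deployed cert to match. It assumes certbot's default lineage layout /etc/letsencrypt/live/<first domain>/ and that the webroot path is supplied by the caller; the certbot command is printed, not run.

```shell
#!/bin/sh
# Added example, not the certbot-zimbra project's code.
# Assumption: certbot files the lineage under /etc/letsencrypt/live/<first -d domain>/
# (its default layout); the webroot path is passed in by the caller.

# parse_domains: accept "-d a -d b" and "-d a,b,c" in any mix; print one
# domain per line, first occurrence wins, empty entries dropped.
parse_domains() {
    raw=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-d" ]; then
            [ $# -ge 2 ] || { echo "missing value after -d" >&2; return 1; }
            raw="$raw,$2"
            shift
        fi
        shift
    done
    printf '%s\n' "$raw" | tr ',' '\n' | awk 'NF && !seen[$0]++'
}

# first_domain: the name certbot uses for the lineage directory.
first_domain() { printf '%s\n' "$1" | head -n 1; }

# lineage_dir: the only cert path a deploy step may rely on after issuance.
lineage_dir() { printf '/etc/letsencrypt/live/%s\n' "$(first_domain "$1")"; }

# check_hostname_first: Zimbra's LDAP and mailboxd expect the deployed cert
# to match zmhostname, so the list must lead with it (exit status 0 = ok).
check_hostname_first() {
    [ "$(first_domain "$2")" = "$1" ]
}

# build_certbot_cmd: print (do not run) the certbot invocation, one -d per
# domain, so every name lands in the certificate's SAN list.
build_certbot_cmd() {
    doms=$1; webroot=$2
    cmd="certbot certonly --webroot -w $webroot"
    for d in $doms; do cmd="$cmd -d $d"; done
    printf '%s\n' "$cmd"
}

# Usage sketch; zmhostname binary and webroot are assumed Zimbra paths:
# doms=$(parse_domains -d mail.example.com -d webmail.example.com,mail.example.com)
# check_hostname_first "$(/opt/zimbra/bin/zmhostname)" "$doms" || exit 1
# build_certbot_cmd "$doms" /opt/zimbra/data/nginx/html
```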

@maxxer maxxer changed the title from Support multiple domains to Support multiple domains via SNI Aug 21, 2018

Member

maxxer commented Aug 22, 2018

Benefits of using SNI:

  1. you just have to restart proxy service after cert deployment
  2. you can mix certs from different CAs

It's apparently widely used in large installations, because of course it reduces the cert installation downtime. I'll keep it open in case someone wants to implement it.
