unneccesary separate cert for www-subdomain? #2
Conversation
- `cat` to the point
- separate cert for `www.` subdomain, why? esp. if you set `www CNAME @` in DNS settings
- some readability for long lines
Thank you for your pull request! Points 1 and 3 are perfectly fine and will be merged. For the separate certificate for the www subdomain: AFAIK a TLS certificate holds the complete domain name for which it was issued. You're suggesting what was asked here, and the answer was to use a different certificate for every subdomain, even when using a CNAME record. Hence, if you can remove the second point, restoring the www subdomain row, I'll be happy to merge your PR.
¯\_(ツ)_/¯ it worked for my thing with www. sitting on the same cert and neither Chrome nor Firefox showed errors using
I don't know why it worked. From what I know, it shouldn't. Maybe it could be something like Cloudflare that's handling HTTPS automatically for you? Or maybe I am wrong about how certs work, it's possible. However, thank you for your last commit, I'm gonna merge your PR right now.
No CDNs were used in my case. I'll check tomorrow if it would work with some other random subdomain.
/rel certbot/certbot#2230
Does work, I checked twice.
In this way, aren't you generating a different certificate for each subdomain? I mean, I need to know the subdomain for which I have to generate the certificates, although you're then using the same certificate for any different subdomains (in short, with `-d sub1 -d sub2 ... -d subN` you're embedding into the same cert N separate certificates). What I'm trying to say is that since the Hence, if you want to change the structure of
something like this?

```bash
#!/usr/bin/env bash
set -e
# begin configuration
# each entry: the main domain followed by every host name that goes on its certificate
set_of_sets=( \
    "nerdz.eu w.nerdz.eu ww.nerdz.eu www.nerdz.eu wwww.nerdz.eu wwwww.nerdz.eu" \
    "example.com sub.example.com" \
    "otherwebsite.net sub1.otherwebsite.net sub2.otherwebsite.net" \
)
email=nessuno@nerdz.eu
w_root=/home/nessuno/
user=nessuno
group=nessuno
# end configuration
if [ "$EUID" -ne 0 ]; then
    echo "Please run as root"
    exit 1
fi
for domain_set_string in "${set_of_sets[@]}"; do
    # split the space-separated entry into an array; element 0 is the main domain
    domain_set=(${domain_set_string// / })
    domain=${domain_set[0]}
    all_subdomains="-d www.${domain_set[0]}"
    for sub_domain in "${domain_set[@]}"; do
        all_subdomains="$all_subdomains -d $sub_domain"
    done
    # one certbot run per domain set: every -d name becomes a SAN on the same certificate
    /usr/bin/certbot certonly --agree-tos --renew-by-default \
        --email $email --webroot -w $w_root$domain \
        $all_subdomains
    # lighttpd expects private key and certificate concatenated in one PEM file
    cat /etc/letsencrypt/live/$domain/privkey.pem \
        /etc/letsencrypt/live/$domain/cert.pem \
        > /etc/lighttpd/$domain.pem
    cp /etc/letsencrypt/live/$domain/fullchain.pem \
        /etc/lighttpd/
    chown -R $user:$group /etc/lighttpd/
done
```
Nice! I just made some changes, what do you think of this?

```bash
#!/usr/bin/env bash
set -e
# begin configuration
# each entry: the main domain followed by the subdomain labels to add to its certificate
domain_subdomains=( \
    "nerdz.eu w ww www mobile static" \
    "example.com sub" \
    "otherwebsite.net sub1 sub2" \
)
email=nessuno@nerdz.eu
w_root=/home/nessuno/
user=nessuno
group=nessuno
# end configuration
if [ "$EUID" -ne 0 ]; then
    echo "Please run as root"
    exit 1
fi
for domain_set_string in "${domain_subdomains[@]}"; do
    # split the space-separated entry into an array; element 0 is the main domain
    domain_set=(${domain_set_string// / })
    domain=${domain_set[0]}
    # drop the main domain so the loop below only sees subdomain labels
    unset domain_set[0]
    all_subdomains="-d $domain"
    for sub_domain in "${domain_set[@]}"; do
        all_subdomains="$all_subdomains -d $sub_domain.$domain"
    done
    # one certbot run per domain: the main domain and all its subdomains share one certificate
    /usr/bin/certbot certonly --agree-tos --renew-by-default \
        --email $email --webroot -w $w_root$domain \
        $all_subdomains
    # lighttpd expects private key and certificate concatenated in one PEM file
    cat /etc/letsencrypt/live/$domain/privkey.pem \
        /etc/letsencrypt/live/$domain/cert.pem \
        > /etc/lighttpd/$domain.pem
    cp /etc/letsencrypt/live/$domain/fullchain.pem \
        /etc/lighttpd/
    chown -R $user:$group /etc/lighttpd/
done
```
looks good
Alright then, if you want to try this change and make a PR I'll be happy to accept it (because the idea was yours and the commit should be yours to be fair) |
@galeone - One TLS certificate can have multiple host names, through the use of subject alternative names. This is commonly used to use the same cert for both
or one wildcard cert to catch em all |
Yeah, Let's Encrypt supports wildcard certs now, but Subject Alternative Names are still useful as you can have multiple wildcard domains on a single cert (eg.
I'd rather not -- this would mean revoking (for whatever reason) will also affect all of them at once, and this should never happen.
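The SAN and wildcard points raised above, as an added example that is not part of this PR or the repository: a small POSIX shell helper that applies the host-name matching rules browsers use for a certificate's subject alternative names, so you can check which names from one of the script's domain sets a given SAN list would leave uncovered. The SAN lists and the `san_covers`/`uncovered_hosts` function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PR. Host-name matching as browsers do it for a
# certificate's subject alternative names (RFC 6125 style): an exact dNSName
# match, or a wildcard "*.example.com" that stands for exactly one label, so
# "*.nerdz.eu" covers "www.nerdz.eu" but neither "nerdz.eu" nor "a.b.nerdz.eu".
# Names are assumed to be lowercase; the SAN lists used below are constructed.

# san_covers HOST SAN...   exit 0 when HOST is covered by some SAN entry
san_covers() {
    local host san suffix first rest
    host=$1; shift
    for san in "$@"; do
        [ "$san" = "$host" ] && return 0
        case $san in
            '*.'*)
                suffix=${san#\*.}        # the fixed part after "*."
                first=${host%%.*}        # leftmost label of the host
                rest=${host#*.}          # everything after the first dot
                # the host needs a leftmost label, and the rest must equal the suffix exactly
                if [ "$first" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# uncovered_hosts "SAN LIST" HOST...   print each host the SAN list does not
# cover, one per line; exit 0 only when every host is covered
uncovered_hosts() {
    local sans host missing
    sans=$1; shift
    missing=0
    for host in "$@"; do
        set -f   # no pathname expansion while word-splitting "*." entries
        # shellcheck disable=SC2086
        san_covers "$host" $sans || { echo "$host"; missing=1; }
        set +f
    done
    return $missing
}

# Demo: names from the first domain set of the script above, checked against a
# constructed SAN list holding only the apex and a one-level wildcard.
uncovered_hosts 'nerdz.eu *.nerdz.eu' nerdz.eu w.nerdz.eu www.nerdz.eu a.b.nerdz.eu || :
```

A wildcard SAN therefore covers `www.nerdz.eu` without a second certificate, but not a deeper name like `a.b.nerdz.eu`, which would still need its own SAN entry.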