
unnecessary separate cert for www-subdomain? #2

Merged
merged 2 commits into from Oct 29, 2017

Conversation


@ghost ghost commented Oct 29, 2017

  • `cat` to the point

  • separate cert for `www.` subdomain, why?
    esp. if you set `www CNAME @` in dns settings

  • some readability for long lines

galeone commented Oct 29, 2017

Thank you for your pull request!

Points 1 and 3 are perfectly fine and will be merged. For the separate certificate for the www subdomain: AFAIK a TLS certificate holds the complete domain name for which it was issued.
Thus, if I want both the root and the www subdomain to have HTTPS enabled, I have to have 2 different certificates. This is not true only if we have a wildcard certificate, but Let's Encrypt does not support them (yet).

You're suggesting to me what was asked here, and the answer was to use a different certificate for every subdomain, even when using a CNAME record.

Hence, if you can remove the second point, restoring the www subdomain row, I'll be happy to merge your PR.


ghost commented Oct 29, 2017

¯\_(ツ)_/¯ it worked for my thing with www. sitting on the same cert and neither chrome nor firefox showed errors

using certbot certonly --standalone -d <DOMAIN.TLD> -d <WWW.DOMAIN.TLD> ?


galeone commented Oct 29, 2017

I don't know why it worked. From what I know, it shouldn't. Maybe it could be something like Cloudflare that's handling https automatically for you? Or maybe I am wrong about how certs work, it's possible.

However, thank you for your last commit, I'm gonna merge your PR right now.

@galeone galeone merged commit 1119309 into galeone:master Oct 29, 2017
@ghost ghost deleted the patch-1 branch October 29, 2017 19:49

ghost commented Oct 29, 2017

no CDNs were used in my case..

I'll check tomorrow if it would work with some other random subdomain


ghost commented Nov 1, 2017

/rel certbot/certbot#2230

certbot certonly --standalone -d <DOMAIN.TLD> -d <WWW.DOMAIN.TLD> -d <SUB1.DOMAIN.TLD> -d <SUB2.DOMAIN.TLD>

does work, I checked twice
try it out


galeone commented Nov 2, 2017

In this way aren't you generating a different certificate for each subdomain? I mean, I need to know the subdomain for which I have to generate the certificates, although you're then using the same certificate for any different subdomains (in short, with -d sub1, -d sub2, ... -d subN you're embedding into the same cert N separate certificates).

What I'm trying to say is that since the renew.sh script should be general, we have to find a way to specify the list of the subdomains we want to embed into the certificate we're generating.

Hence, if you want to change the structure of renew.sh in order to specify a list of root domains (e.g. nerdz.eu, example.com, otherwebsite.net) and a list of subdomains for each root domain, you're welcome.


ghost commented Nov 2, 2017

something like this?

```bash
#!/usr/bin/env bash
set -e

# begin configuration

# each entry: one root domain followed by every hostname that goes on the same certificate
set_of_sets=( \
"nerdz.eu w.nerdz.eu ww.nerdz.eu www.nerdz.eu wwww.nerdz.eu  wwwww.nerdz.eu" \
"example.com sub.example.com" \
"otherwebsite.net sub1.otherwebsite.net sub2.otherwebsite.net" \
            )
email=nessuno@nerdz.eu
w_root=/home/nessuno/
user=nessuno
group=nessuno

# end configuration

if [ "$EUID" -ne 0 ]; then
    echo "Please run as root"
    exit 1
fi


for domain_set_string in "${set_of_sets[@]}"; do
    # split the space-separated entry into an array; the root domain is the first element
    read -r -a domain_set <<< "$domain_set_string"
    domain=${domain_set[0]}

    # one -d per name, kept as an array so names are never re-split by the shell;
    # www.<root> is always requested, every listed name follows it
    all_subdomains=(-d "www.$domain")
    for sub_domain in "${domain_set[@]}"; do
        all_subdomains+=(-d "$sub_domain")
    done

    /usr/bin/certbot certonly --agree-tos --renew-by-default \
        --email "$email" --webroot -w "$w_root$domain" \
        "${all_subdomains[@]}"
    # lighttpd reads key and cert from one file; this file holds the private key
    cat "/etc/letsencrypt/live/$domain/privkey.pem" \
        "/etc/letsencrypt/live/$domain/cert.pem" \
        > "/etc/lighttpd/$domain.pem"
    # name the chain per domain, otherwise each iteration overwrites the previous domain's chain
    cp "/etc/letsencrypt/live/$domain/fullchain.pem" \
       "/etc/lighttpd/$domain.fullchain.pem"
    chown -R "$user:$group" /etc/lighttpd/
done
```


galeone commented Nov 2, 2017

Nice! I just made some changes, what do you think of:

```bash
#!/usr/bin/env bash
set -e

# begin configuration
# each entry: one root domain followed by the subdomain labels to put on the same certificate
domain_subdomains=( \
"nerdz.eu w ww www mobile static" \
"example.com sub" \
"otherwebsite.net sub1 sub2" \
)
email=nessuno@nerdz.eu
w_root=/home/nessuno/
user=nessuno
group=nessuno

# end configuration

if [ "$EUID" -ne 0 ]; then
    echo "Please run as root"
    exit 1
fi

for domain_set_string in "${domain_subdomains[@]}"; do
    # split the entry into an array, take the root domain, keep only the labels
    read -r -a domain_set <<< "$domain_set_string"
    domain=${domain_set[0]}
    unset 'domain_set[0]'

    # one -d per name, kept as an array so names are never re-split by the shell
    all_subdomains=(-d "$domain")
    for sub_domain in "${domain_set[@]}"; do
        all_subdomains+=(-d "$sub_domain.$domain")
    done

    /usr/bin/certbot certonly --agree-tos --renew-by-default \
        --email "$email" --webroot -w "$w_root$domain" \
        "${all_subdomains[@]}"
    # lighttpd reads key and cert from one file; this file holds the private key
    cat "/etc/letsencrypt/live/$domain/privkey.pem" \
        "/etc/letsencrypt/live/$domain/cert.pem" \
        > "/etc/lighttpd/$domain.pem"
    # name the chain per domain, otherwise each iteration overwrites the previous domain's chain
    cp "/etc/letsencrypt/live/$domain/fullchain.pem" \
       "/etc/lighttpd/$domain.fullchain.pem"
    chown -R "$user:$group" /etc/lighttpd/
done
```

?


ghost commented Nov 2, 2017

looks good :shipit:


galeone commented Nov 2, 2017

Alright then, if you want to try this change and make a PR I'll be happy to accept it (because the idea was yours and the commit should be yours to be fair)

@ghost ghost mentioned this pull request Nov 2, 2017
@Daniel15

I don't know why it worked. From what I know, it shouldn't.

@galeone - One TLS certificate can have multiple host names, through the use of subject alternative names. This is commonly used to use the same cert for both example.com and www.example.com, but the domains don't need to be related at all. Let's Encrypt allow up to 100 names on a single certificate:

If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate

(https://letsencrypt.org/docs/rate-limits/)


ghost commented Apr 21, 2018

or one wildcard cert to catch em all


Daniel15 commented Apr 21, 2018

Yeah, Let's Encrypt supports wildcard certs now, but Subject Alternative Names are still useful as you can have multiple wildcard domains on a single cert (eg. *.foo.com and *.bar.com) :)


ghost commented Apr 21, 2018

I'd rather not -- this would mean revoking (for whatever reason) will also affect all of them at once, and this should never happen.
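Daniel15's point that one certificate can cover many host names through subjectAltName, and the later remark that a wildcard entry only stands for one label, as an added Python example that is not from this thread or from the renew.sh project: it checks which hostnames a given SAN list would cover (RFC 6125 wildcard rules), and expands the scripts' "root sub1 sub2" convention into a de-duplicated -d list checked against the 100-name cap. SAMPLE_SANS is a constructed list, not a real certificate.

```python
import re
from typing import Iterable, List, Optional

# Let's Encrypt's documented cap on names per certificate, quoted in the thread.
MAX_NAMES_PER_CERT = 100
# one DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# constructed SAN list standing in for what a renewed certificate might carry
SAMPLE_SANS = ["nerdz.eu", "www.nerdz.eu", "*.example.com"]

def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()

def san_matches(san: str, host: str) -> bool:
    """One dNSName entry vs. one hostname. Wildcards follow RFC 6125: '*' must
    be the whole leftmost label and stands for exactly one label, so
    '*.example.com' covers 'sub.example.com' but not 'example.com' or 'a.b.example.com'."""
    san, host = normalize(san), normalize(host)
    if san == host:
        return True
    if not san.startswith("*."):
        return False
    head, sep, tail = host.partition(".")
    return bool(sep) and tail == san[2:] and LABEL_RE.match(head) is not None

def covered_by(sans: List[str], host: str) -> Optional[str]:
    """Return the SAN entry that covers host, or None if this cert is not valid for it."""
    for san in sans:
        if san_matches(san, host):
            return san
    return None

def uncovered(sans: List[str], wanted: Iterable[str]) -> List[str]:
    """Hostnames in wanted that the certificate would not be valid for."""
    return [h for h in wanted if covered_by(sans, h) is None]

def plan_certbot_names(domain: str, subs: Iterable[str]) -> List[str]:
    """Expand the thread's 'root sub1 sub2' line into the -d list one cert would
    carry, de-duplicated and checked against the per-certificate name cap."""
    names = [normalize(domain)] + [normalize(f"{s}.{domain}") for s in subs]
    uniq = list(dict.fromkeys(names))
    if len(uniq) > MAX_NAMES_PER_CERT:
        raise ValueError(f"{len(uniq)} names exceed the {MAX_NAMES_PER_CERT}-name cap; split the set")
    return uniq
```

uncovered() is the check to run against the SAN list of the certificate actually served after a renewal; every name it returns would fail browser validation until added to the -d list.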
