
Create multiple certificates #16

Open
alex88 opened this issue Jun 15, 2016 · 17 comments

Comments

alex88 commented Jun 15, 2016

Hi there, not sure if it can be done or if it's worth it, but do you have any plans to create multiple certificates instead of having one with multiple hostnames?
I think it could be useful for big projects where a company would like to not expose other services domains in the certificate.

I imagine having the same comma-separated list of domains, but instead of having everything in one certificate, use the certificate field as a prefix for the new certificates it's going to create.

zambon commented Jul 13, 2016

@alex88 Have you considered deploying a Let's Encrypt stack for the first certificate, and then add new services (or clone and modify) for the following certificates?

It may be a lot of work, but it'd be easy to manage in Rancher.

Author

alex88 commented Jul 13, 2016

@zambon that's what I'm doing right now, I'm just wondering what will happen when a new version is released :D we've now 20 instances running

@janeczku
Owner

Sounds like a reasonable enhancement.
What about an option to make it create one certificate per given domain instead of a SAN certificate? The resulting single-domain certs would be named using the value of the certificate name field suffixed with the domain. Thoughts @alex88 @zambon?

Author

alex88 commented Jul 13, 2016

How about using a single docker container with the domains in one single variable, with each certificate separated by a semicolon and each domain by a comma? Too complex for the user?
Also creating n certificates in rancher with a prefix and using the first certificate name as the rancher cert name.

e.g.:

site1.com,www.site1.com;site2.com,www.site2.com,site3.com

certs in rancher: <prefix>-site1.com, <prefix>-site2.com
domains in <prefix>-site1.com: site1.com,www.site1.com
domains in <prefix>-site2.com: site2.com,www.site2.com,site3.com

zambon commented Jul 13, 2016

@janeczku That sounds good! Having the option to choose is essential though, as larger deployments may cause the service to run into rate limits.

@alex88 I like your idea too. It may be simpler if the catalog used a multiline textbox, then you could have a line-based separation instead of a semicolon-based one. E.g.:

site1.com, www.site1.com
site2.com, www.site2.com, site3.com

BTW @alex88, I don't mean to sidetrack into another conversation, but how do you handle having many certificates? Do you run one (set of) load balancer(s) per stack? (I'm currently using a "global" load balancer in my deployments, which means I need to have a single certificate.)

Author

alex88 commented Jul 13, 2016

@zambon I have a single load balancer running on every instance which has a main certificate and multiple others, SNI support is good enough for us, so it sends the right certificate for the right domain

@janeczku
Owner

@alex88 Yeah that was the other option. Using a multiline text field as suggested by @zambon seems like the best way to go about this.

@zambon Rate-limits will be an issue, both on the LE CA side and for some of the DNS providers.

Author

alex88 commented Jul 13, 2016

@janeczku are there multiline textboxes when creating it? The problem comes later when you've to upgrade the env variables and the input is not multiline

@janeczku
Owner

@alex88 good thinking. Is this something you are regularly doing? I mean upgrading the env vars to change the certificates?

Author

alex88 commented Jul 13, 2016

Well I did it every 4-5 days now that we just started using letsencrypt and so we've migrated many certificates.
Otherwise nope, it's not something common. Btw, I've just tested and it supports multiline (at least the env variable field) so I agree, multiline is easier to read and to edit

[screenshot: screen shot 2016-07-13 at 4 31 12 pm]

Author

alex88 commented Jul 13, 2016

Catalog templates also support multiline inputs as textarea, so it should work

[screenshot: screen shot 2016-07-13 at 4 33 28 pm]

ffittschen commented Jan 8, 2017

@janeczku I would agree with @zambon, that it is necessary to be able to choose whether to have certificates with SANs or single-domain certificates (for my use-case I'd prefer the certificates with SANs). But the multiline idea would solve that quite well:

  • for certificates with SANs one would have one certificate per line, CN at the front and SANs following
  • for single-domain certificates one would write every domain in a new line

Regarding the rate-limits: Since December 2016 there are additional rate limits to the cert per week-limits. The most important one would be

The “new-reg”, “new-authz” and “new-cert” endpoints have an Overall Request Per Second rate limit of 20 requests per second. All other endpoints have a rate limit of 2000 requests per second.
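The config format proposed in this thread (one certificate per line or semicolon-separated group, domains comma-separated, CN first, names built as `<prefix>-<first domain>`, plus the optional "one certificate per domain" mode) as an added parsing example; this is not code from the rancher-letsencrypt project, and the `ParseDomainSpec` name and `CertSpec` type are assumptions made here:

```go
package main

import (
	"fmt"
	"strings"
)

// CertSpec is one certificate to request: its Rancher name and its domains (CN first).
type CertSpec struct {
	Name    string
	Domains []string
}

// ParseDomainSpec splits the proposed domain list into certificate specs.
// Groups are separated by newlines (multiline textbox) or semicolons (single
// env var); domains inside a group by commas. With singleDomain set, every
// domain becomes its own certificate. Names are prefix + "-" + first domain.
// A domain listed twice is rejected, since it would trigger duplicate requests.
func ParseDomainSpec(prefix, spec string, singleDomain bool) ([]CertSpec, error) {
	var out []CertSpec
	seen := map[string]bool{}
	isSep := func(r rune) bool { return r == '\n' || r == ';' }
	for _, group := range strings.FieldsFunc(spec, isSep) {
		var domains []string
		for _, d := range strings.Split(group, ",") {
			d = strings.ToLower(strings.TrimSpace(d))
			if d == "" {
				continue
			}
			if seen[d] {
				return nil, fmt.Errorf("domain %q listed more than once", d)
			}
			seen[d] = true
			domains = append(domains, d)
		}
		if len(domains) == 0 {
			continue
		}
		if singleDomain {
			for _, d := range domains {
				out = append(out, CertSpec{Name: prefix + "-" + d, Domains: []string{d}})
			}
		} else {
			out = append(out, CertSpec{Name: prefix + "-" + domains[0], Domains: domains})
		}
	}
	return out, nil
}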

@gizmotronic

I'd like to be able to mix and match single-domain certificates and certificates with SANs. For now I have three separate containers, each with an identical configuration (including a shared storage volume) except for the certificate name, domain names, and renewal time.

iBobik commented Apr 5, 2017

How about getting the domains list from the load balancer? #67

@maxfriedmann

Any updates on this? I really like the suggestion from @alex88, it's how we used to work with the dockercloud & JrCs/docker-letsencrypt-nginx-proxy-companion, but #67 would be the greatest solution!

iBobik commented Mar 4, 2018 via email

karael commented Mar 21, 2019

Any updates on this? I really like the suggestion from @alex88, it's how we used to work with the dockercloud & JrCs/docker-letsencrypt-nginx-proxy-companion, but #67 would be the greatest solution!

I agree


8 participants