Re: [GTALUG] SSL Certs for both web and email servers

On Tue, 2020/12/01 08:16:49AM +0200, ac via talk <talk@gtalug.org> wrote:
| > I have three domains and a small but invariant number of subdomains
| > that I want to encrypt - should I try to pull them all under one SSL
| > cert, or do one for each domain, or one for every subdomain? I don't
| > need a wildcard, but I would like something relatively painless if
| > possible.
|
| yes, in your case, and for painless and easy, just use the domain name
| and one cert. so, instead of mail.example.com and www.example.com
| - just use example.com.

I think that might cause client complaints in some cases.

I think letsencrypt now provides wildcard certifications, but you can use
multiple -d options when creating or updating a certificate e.g.

    certbot certonly \
        --non-interactive \
        --expand \
        --webroot \
        -w /var/www/html/letsencrypt \
        --cert-name www.example.com \
        -d example.com \
        -d mail.example.com \
        -d blog.example.com

And then the one certificate is valid for all those names.

Hope that helps - letsencrypt is really remarkably convenient.

John

On Tue, 1 Dec 2020 03:34:06 -0500 John Sellens via talk <talk@gtalug.org> wrote:

> On Tue, 2020/12/01 08:16:49AM +0200, ac via talk <talk@gtalug.org> wrote:
> | > I have three domains and a small but invariant number of subdomains
> | > that I want to encrypt - should I try to pull them all under one SSL
> | > cert, or do one for each domain, or one for every subdomain? I don't
> | > need a wildcard, but I would like something relatively painless if
> | > possible.
> |
> | yes, in your case, and for painless and easy, just use the domain name
> | and one cert. so, instead of mail.example.com and www.example.com
> | - just use example.com.
>
> I think that might cause client complaints in some cases.

IMHO I do not think with three domains this will be an issue. What is the
point of having mail.example.com if the IP number for mail.example.com is
the same as example.com? The same can be asked about imap.example.com and
pop.example.com etc. This is just wasteful and increases the risk of
issues, adds complexity and does not serve any "real" technical, logical or
functional purpose. The reason why mail.example.com used to be prevalent -
pre container - was because mail.example.com was at a different IP number /
different network even...

And, actually, even if you had 100 domains on one server: reducing
complexity, reducing the amount of DNS lookups and reducing PEBKAC,
reducing comms, reducing traffic, reducing load and reducing wastage -
means: you are making it easier for clients. And: you are even saving
cycles, saving electricity, saving network traffic and TOOOTEROOO: saving
the planet, in case you did not know: in 2020-2030 we will still get the
vast majority of our power from non-sustainable fossil sources. So, we
should all try to be less wasteful; mind you, now with Alaska being strip
mined and auction sold, the planet has a lot more to waste.

> I think letsencrypt now provides wildcard certifications, but you can use
> multiple -d options when creating or updating a certificate e.g.
>
>     certbot certonly \
>         --non-interactive \
>         --expand \
>         --webroot \
>         -w /var/www/html/letsencrypt \
>         --cert-name www.example.com \
>         -d example.com \
>         -d mail.example.com \
>         -d blog.example.com
>
> And then the one certificate is valid for all those names.

A small number of invariant subdomains usually means www.example.com,
pop.example.com, mail.example.com, imap.example.com, and in this case x3
domains, but one could also wildcard (*): just simply -d *.example.com and
add an _acme-challenge TXT record to the example.com DNS zone (auth:
preferred-challenges=dns, when you apply for the cert).

Depending on your resources and, very importantly, your DNS servers'
timeouts, rate limits and other issues, there could be pain/risk with
multiple/many -d every 90 days.

> Hope that helps - letsencrypt is really remarkably convenient.

indeed it is.

> John

---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
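The thread leaves one check to the reader: whether the certificate you end up with actually covers every hostname that mail and web clients connect to, given that a wildcard SAN such as *.example.com covers mail.example.com but not the apex example.com and not deeper names like a.b.example.com. The script below is an added example (not code from the thread or from certbot) that applies that matching rule to a constructed list of hostnames modelled on the thread's example.com names, reports what a candidate SAN list leaves uncovered, and derives the -d list for certbot with or without collapsing to a wildcard, flagging when the DNS-01 challenge (the _acme-challenge TXT record mentioned above) becomes mandatory. The sans_from_pem() helper assumes an openssl 1.1.1 or newer on PATH and a certificate path such as certbot's /etc/letsencrypt/live/<cert-name>/fullchain.pem; everything else runs offline.

```python
"""Check whether one certificate's SAN list covers every hostname clients use.

Added example, not code from the mailing-list thread. The hostnames below are
constructed to mirror the thread (example.com and its mail/web names); the only
external dependency is the optional openssl(1) call in sans_from_pem().
"""
import re
import shlex
import subprocess


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so DNS-style and cert-style names compare."""
    return name.strip().lower().rstrip(".")


def san_covers(san: str, host: str) -> bool:
    """RFC 6125 style matching. A wildcard is honoured only as the entire leftmost
    label and matches exactly one label, so *.example.com covers mail.example.com
    but neither example.com (the apex) nor a.b.example.com."""
    san, host = normalize(san), normalize(host)
    if san.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(head) and sep == "." and rest == san[2:]
    return san == host


def uncovered(required, sans):
    """Return the required hostnames that no SAN entry covers, in input order."""
    return [h for h in required if not any(san_covers(s, h) for s in sans)]


def certbot_names(required, zones, wildcard=False):
    """Turn the hostnames clients actually connect to into the names to request
    with -d. With wildcard=True every first-level subdomain of a zone collapses
    into *.zone, but the apex is kept as well because the wildcard does not cover
    it. Returns (names, needs_dns01): Let's Encrypt only issues wildcard names
    through the DNS-01 challenge, so needs_dns01 is True whenever a *.zone appears."""
    zones = [normalize(z) for z in zones]
    names = set()
    for host in map(normalize, required):
        if host in zones:
            names.add(host)
            continue
        zone = next((z for z in zones if host.endswith("." + z)), None)
        if zone is None:
            raise ValueError(f"{host} is not under any managed zone")
        label = host[: -len(zone) - 1]          # the part left of ".zone"
        if wildcard and "." not in label:       # exactly one label: wildcard-able
            names.add("*." + zone)
        else:
            names.add(host)
    ordered = sorted(names)
    return ordered, any(n.startswith("*.") for n in ordered)


def sans_from_pem(path: str):
    """Read the DNS SANs out of a PEM certificate with openssl(1) (1.1.1+ for
    -ext), e.g. /etc/letsencrypt/live/www.example.com/fullchain.pem after
    certbot has run. Assumed path; adjust to your --cert-name."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True,
    ).stdout
    return re.findall(r"DNS:([^,\s]+)", out)


if __name__ == "__main__":
    # Constructed input: the names from the thread for one of the three domains.
    required = ["example.com", "www.example.com", "mail.example.com",
                "imap.example.com", "pop.example.com"]
    for sans in (["example.com"], ["*.example.com"],
                 ["example.com", "*.example.com"]):
        print(f"SANs {sans}: missing {uncovered(required, sans)}")
    for wildcard in (False, True):
        names, dns01 = certbot_names(required, ["example.com"], wildcard)
        flags = " ".join(f"-d {shlex.quote(n)}" for n in names)
        challenge = "--preferred-challenges dns" if dns01 else "--webroot -w /var/www/html/letsencrypt"
        print(f"certbot certonly {challenge} {flags}")
```

Run it as-is to see that a bare *.example.com leaves the apex uncovered (a common cause of the "client complaints" John anticipates when example.com itself is used as the mail or web host), and that the wildcard variant of the command needs the DNS challenge while the explicit -d list can stay on --webroot. After certbot has issued the lineage, `uncovered(required, sans_from_pem(path))` gives the same check against the real certificate.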