Koozali.org: home of the SME Server

multiple ssl certs in multidomains serv case

Offline flep

multiple ssl certs in multidomains serv case
« on: January 03, 2016, 08:37:54 PM »
Hello,

At this time I understand that SME Server can handle one SSL cert for all functions.

In the case of multiple domains, how do I configure multiple certs, one for each FQDN?



Offline DanB35

http://www.familybrown.org
Re: multiple ssl certs in multidomains serv case
« Reply #1 on: January 03, 2016, 09:10:12 PM »
You know you can have multiple domains on a single cert, right?

Offline CharlieBrady

Re: multiple ssl certs in multidomains serv case
« Reply #2 on: January 04, 2016, 03:31:00 AM »
In the case of multiple domains, how do I configure multiple certs, one for each FQDN?

SME server currently has no support for SNI configuration, and not all clients will support it anyway.

See:

https://en.wikipedia.org/wiki/Server_Name_Indication

Offline Stefano

Re: multiple ssl certs in multidomains serv case
« Reply #3 on: January 04, 2016, 11:24:07 AM »

Offline Stefano

Re: multiple ssl certs in multidomains serv case
« Reply #4 on: January 04, 2016, 11:36:19 AM »
SME server currently has no support for SNI configuration, and not all clients will support it anyway.

See:

https://en.wikipedia.org/wiki/Server_Name_Indication

According to the page you linked, we shouldn't worry too much about clients.

Offline flep

Re: multiple ssl certs in multidomains serv case
« Reply #5 on: January 04, 2016, 12:58:55 PM »
With a Let's Encrypt implementation in mind, I don't think that one cert that embeds all the FQDNs on the machine is a good solution.

The proposal by unimilenium in http://bugs.contribs.org/show_bug.cgi?id=8693 will simplify a Let's Encrypt contrib.

Offline DanB35

http://www.familybrown.org
Re: multiple ssl certs in multidomains serv case
« Reply #6 on: January 04, 2016, 01:19:32 PM »
With a Let's Encrypt implementation in mind, I don't think that one cert that embeds all the FQDNs on the machine is a good solution.
Why not? A Let's Encrypt cert can have up to 100 SANs, which should fit most use cases where SME would be deployed. I'm far from a TLS guru, but I don't see why this would be a bad thing.

Offline flep

Re: multiple ssl certs in multidomains serv case
« Reply #7 on: January 04, 2016, 02:52:57 PM »
At this time Let's Encrypt only allows renewal every 7 days.

If you add or delete an FQDN on your server, you have to wait 7 days to be able to update the 'all-in-one' cert.

On the other side, people who have already bought a commercial cert or use a StartSSL one may want to keep their existing cert.


Offline DanB35

http://www.familybrown.org
Re: multiple ssl certs in multidomains serv case
« Reply #8 on: January 04, 2016, 02:56:45 PM »
At this time Let's Encrypt only allows renewal every 7 days.
Let's Encrypt issues up to five certificates for a given domain every seven days (with the current rate limits).

Edit: And just for the sake of testing... my automated renewal ran successfully last night at 22:48. It's now 9:52, and I just successfully renewed that same cert. That's a renewal less than 12 hours after the last one. So it is pretty clearly not the case that LE limits renewals to every 7 days, at least at this time. You can probably see them both on https://crt.sh/?q=familybrown.org (the one I just made isn't showing there yet, but I expect it will propagate shortly).

Where I do see value in SNI is if you're providing web hosting to others, and (1) you don't want to take your web server down (however briefly) every time you add a domain for one of your customers, and/or (2) your customers want their own TLS certs (perhaps they want an EV cert).  That would, I think, call for SNI, but I'm not sure how common of a use case that is for an SME server.
« Last Edit: January 04, 2016, 04:07:31 PM by DanB35 »
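Two points run through the thread: DanB35's reply #1 (one certificate can cover many domains through its subjectAltName entries) and CharlieBrady's and DanB35's later replies (without SNI a server can present only one certificate per IP and port, so every hosted FQDN must be on that single cert, and an old client that sends no server name gets the default one). The script below is an added example, not code from the thread or from SME Server: it checks which of a server's FQDNs a given certificate covers, so an administrator can see which names a reissued multi-SAN cert would need, and it can probe a live host with and without SNI to show what is actually served. The certificate dict, the `*.example.test` names and the hosted-FQDN list are constructed for the example.

```python
"""Added example (not from the thread or from SME Server): which FQDNs does one
multi-SAN certificate cover, and does a live server answer differently
with and without SNI?"""
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (
        ("DNS", "mail.example.test"),
        ("DNS", "www.example.test"),
        ("DNS", "*.shop.example.test"),
    ),
}


def san_dns_names(cert):
    """DNS names from the SAN extension. The CN is deliberately ignored:
    modern clients only trust SANs, so a name that is CN-only is not covered."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard may only be the entire leftmost label
    and matches exactly one label (*.a.test does not cover b.c.a.test)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".a.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def coverage(cert, fqdns):
    """Split the server's FQDNs into those the cert covers and those that
    would need a reissued multi-SAN cert, or SNI plus a second cert."""
    names = san_dns_names(cert)
    covered = [h for h in fqdns if any(name_matches(p, h) for p in names)]
    missing = [h for h in fqdns if h not in covered]
    return covered, missing


def probe_sans(host, port=443, sni=True, timeout=5.0):
    """Return the DNS SANs of the certificate a live server presents.

    With sni=False no server_name extension is sent, which is what a pre-SNI
    client does; on an SNI-enabled server the two answers can differ.
    Hostname checking is off so the no-SNI answer can be inspected, but chain
    validation stays on, so a self-signed cert raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return san_dns_names(tls.getpeercert())


if __name__ == "__main__":
    import sys

    # Constructed list of names this server hosts.
    hosted = ["www.example.test", "a.shop.example.test", "ftp.example.test"]
    covered, missing = coverage(SAMPLE_CERT, hosted)
    print("covered:", covered)
    print("missing:", missing)
    if len(sys.argv) > 1:                     # python3 this.py some.host.example
        host = sys.argv[1]
        print("with SNI:   ", probe_sans(host, sni=True))
        print("without SNI:", probe_sans(host, sni=False))
```

Run without arguments it only evaluates the constructed certificate offline; given a hostname it also connects twice, once sending SNI and once not, so that a differing SAN list in the second answer shows that the server relies on SNI and that older clients will receive the default certificate.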