Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: calisun on July 09, 2020, 07:39:26 AM
-
Sorry for a dumb question, but I have searched and looked through the wiki and had no luck.
I have a couple of domains that have used Letsencrypt for a couple of years now, and everything works great.
Now I need to add a couple more domains. My question is, when adding new domains, do I also need to list existing domains as well or just list new domains?
For example:
Existing domains:
domain1.com
domain2.com
So should I just do:
db domains setprop domain3.com letsencryptSSLcert enabled
db hosts setprop www.domain3.com letsencryptSSLcert enabled
db domains setprop domain4.com letsencryptSSLcert enabled
db hosts setprop www.domain4.com letsencryptSSLcert enabled
Or do I need to re-list old domains as well?
db domains setprop domain1.com letsencryptSSLcert enabled
db hosts setprop www.domain1.com letsencryptSSLcert enabled
db domains setprop domain2.com letsencryptSSLcert enabled
db hosts setprop www.domain2.com letsencryptSSLcert enabled
db domains setprop domain3.com letsencryptSSLcert enabled
db hosts setprop www.domain3.com letsencryptSSLcert enabled
db domains setprop domain4.com letsencryptSSLcert enabled
db hosts setprop www.domain4.com letsencryptSSLcert enabled
-
Can't add a key that is already there :-)
Just add your new ones and update with console-save and dehydrated -c -x (check wiki)
But make sure you are using API 2. Old certs under API 1 can be renewed but new ones will not be issued.
Also, set test mode again to check unless you are absolutely sure the domains/hosts are resolvable.
-
Thank you,
I have another question: is it possible for the certificate not to list all domains on one certificate?
When looking at the certificate I see:
Subject Name ---------------------
Common Name MyCompanyURL.com
Subject Alt Names -----------------
DNS Name domain1.com
DNS Name domain2.com
DNS Name domain3.com
DNS Name domain4.com
And the above information shows even if I did not go to "MyCompanyURL.com". I went to "domain1.com", but it still shows "MyCompanyURL.com" and all other domains on one certificate.
Is it possible for each domain not to link to other domains, but be its own certificate holder?
-
Simple answer is yes.
But.....
You're going to have to write a load of code yourself.
First, list each domain and its hosts per line in domains.txt
That will get you 'per domain' certificates.
Now you just have to deploy them per domain via apache..... which is where your fun will start.
We may be doing this in v10 (if we have time and help), but on v9 we just did KISS.
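The per-line domains.txt layout described in the post above, as an added example that is not part of the original post and is not SME Server or dehydrated code. It assumes the names arrive as a flat, shared list; the function name split_per_domain and the hostnames are constructed for illustration.

```shell
#!/bin/sh
# dehydrated issues one certificate per domains.txt line: the first name on
# the line is the certificate's main name, the rest become Subject Alt Names.

# Read names (any whitespace layout) on stdin and print one line per domain,
# "<domain> <its hosts...>", so that no certificate lists another domain.
split_per_domain() {
    tr -s ' \t' '\n\n' | awk '
        NF && !seen[$1]++ { names[++n] = $1 }   # de-duplicate, keep order
        # True when name is a host under domain d, i.e. ends with ".d".
        # The leading dot stops "notdomain1.com" matching "domain1.com".
        function under(name, d,    suf) {
            suf = "." d
            return length(name) > length(suf) &&
                   substr(name, length(name) - length(suf) + 1) == suf
        }
        END {
            # Pass 1: a name with no listed parent starts its own line.
            for (i = 1; i <= n; i++) {
                root = 1
                for (j = 1; j <= n; j++)
                    if (under(names[i], names[j])) root = 0
                if (root) { roots[++m] = names[i]; line[names[i]] = names[i] }
            }
            # Pass 2: append every other name to the line of its domain.
            for (i = 1; i <= n; i++)
                for (k = 1; k <= m; k++)
                    if (under(names[i], roots[k]))
                        line[roots[k]] = line[roots[k]] " " names[i]
            for (k = 1; k <= m; k++) print line[roots[k]]
        }'
}

# Constructed input: one shared line, which puts every name on one certificate.
shared='domain1.com www.domain1.com domain2.com www.domain2.com domain3.com www.domain3.com'

# Per-domain layout: three lines, so three separate certificates.
per_domain=$(printf '%s\n' "$shared" | split_per_domain)
printf '%s\n' "$per_domain"
```

Each output line then corresponds to one certificate, which still has to be wired to its own virtual host in Apache as the post says.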
-
Thank you ReetP.
I did some digging around and found this. Is this pointing me in the right direction?
https://www.digicert.com/kb/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
-
Probably.
It will likely change with v10 (apache + php fpm etc) so I wouldn't waste too much time on it.
We're too busy trying to get v10 out to worry about development on v9 so you're on your own here I'm afraid.
I'd focus your efforts on helping with v10.