I have tried one client that manages multiple domains but it didn’t satisfy my needs. Two questions:
- Can anyone name clients they use for managing multiple domains?
- Would anyone be interested in a client category specifically for that purpose?
Hi @tbrowder,
Certbot is able to issue certificates that cover any number of domains, and also perform automated renewals of many separate certificates. (Just one option.)
Hi @tbrowder,
I mentioned this in the other post we have: multiple domains are supported by almost every client. Domains usually come from a CSR, and most clients have the capability to parse a CSR and request challenges for each domain in the SAN field. Alternatively, most clients will take multiple domains from the command line and create a correct CSR for you.
That said, not every client will do a scan of, let’s say, a web server configuration and find all the domains you are currently working with.
I think a review of SAN in general and CSRs would show what you are proposing is bread and butter stuff and doesn’t really need a new client or new client category.
Andrei
I should have said “multiple certificates.” Most of the clients I have tried (with the exception of acme.sh) are not capable of that.
And wrapping a client to handle a collection of certificates may be bread-and-butter for some but not for me. Until mod_md is in a stable Apache release, I will work on my own solution for the problem.
Furthermore, I do think there should be a category for such multiple-certificate-manager clients.
Neither acme.sh nor other clients will issue multiple certificates in one command.
Reading the acme.sh documentation, you run it much like you would certbot.
You specify a set of domains and the client does the work for you and issues one certificate for the domains specified.
Certbot is happy to manage multiple certificates: for example, if you have 10 certificates with various domains and run certbot renew, it will check all 10 certificates.
You can run the certbot certificates command at any given time to give you a list of managed certificates.
Maybe a full use case (rather than a brief description) might help simplify and clarify the functionality.
I am not trying to be difficult, but having used a large number of clients I am not sure where the gap that you are trying to fill is.
Andrei
Well, I’m still thinking of the case where you have a big database of domains and you want the client to decide on the issuance strategy and timing for you. Even the multiple invocations based on a text file might be challenging if you’re not familiar with shell scripting.
An example:
#!/bin/sh
# One certbot invocation per line of domains.txt, one certificate per domain.
CERTBOT_OPTIONS="--apache"
while read -r domain; do
    # Options string is left unquoted on purpose so that several options split into separate arguments.
    certbot $CERTBOT_OPTIONS -d "$domain"
done < domains.txt
Possibly an example of what @tbrowder said “may be bread-and-butter for some”.
Okay, Andrei, I’m not trying to be difficult either. I haven’t tried certbot seriously yet because it’s not clear to me yet how the multiple-certificate management works.
Acme.sh can manage multiple certs but it is difficult to manage the process, IMHO.
My idea for a true cert management system is using either a flat file or some other db to specify exactly what domains are in a cert and what options to use. If certbot does that, I’m obviously not learned enough about it yet. But I will try it more seriously!
In any event, whether there is a new category or not, I don’t see much, if any, mention in the various clients’ description about multiple-certificate management.
It will be a pain but maybe a wikipedia comparison table for acme clients could be started (I just thought of that and will go look for one now). A voting system or referral link for recommendations would also be useful.
Again, I appreciate all who have given so much to this project, including all the client authors!
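The flat-file approach discussed in the two posts above (a file that says exactly which domains go in which certificate and with which options, turned into one certbot invocation per certificate) as an added example. This is not code from certbot, acme.sh or any client in this thread; the file layout (name | domains | authenticator | extra options), the sample definitions and the 100-names-per-certificate cap are assumptions made here. It only builds the argument vectors; running them is left to the caller so the plan can be reviewed first.

```python
"""Turn a flat certificate-definition file into one certbot command per certificate."""
import re
import shlex

MAX_SANS = 100  # assumed per-certificate name limit used for the sanity check
# A DNS label: letters, digits, hyphens, no leading/trailing hyphen, 1..63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample file: one certificate per line, "#" starts a comment.
SAMPLE_DEFINITIONS = """\
# name     | domains                      | authenticator                                    | extra certbot options
www-site   | example.com, www.example.com | webroot /var/www                                 |
mail       | mail.example.com             | standalone                                       | --key-type ecdsa
wild       | *.example.net                | dns-cloudflare /etc/letsencrypt/cloudflare.ini   |
"""


def valid_domain(name):
    """True for a syntactically sane host name, optionally with a leading wildcard label."""
    labels = name.lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_definitions(text):
    """Parse the flat file into a list of certificate dicts; raise ValueError on bad input."""
    certs, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 '|'-separated fields" % lineno)
        name, domains, auth, extra = fields
        domain_list = [d.strip().lower() for d in domains.split(",") if d.strip()]
        if name in seen:
            raise ValueError("line %d: duplicate certificate name %r" % (lineno, name))
        if not domain_list or len(domain_list) > MAX_SANS:
            raise ValueError("line %d: need between 1 and %d domains" % (lineno, MAX_SANS))
        bad = [d for d in domain_list if not valid_domain(d)]
        if bad:
            raise ValueError("line %d: invalid domain(s) %s" % (lineno, bad))
        auth_words = auth.split()
        # Wildcard names can only be validated with the DNS-01 challenge.
        if any(d.startswith("*.") for d in domain_list) and not auth_words[0].startswith("dns-"):
            raise ValueError("line %d: wildcard names need a dns-* authenticator" % lineno)
        seen.add(name)
        certs.append({"name": name, "domains": domain_list,
                      "authenticator": auth_words, "extra": shlex.split(extra)})
    return certs


def certbot_argv(cert, dry_run=True):
    """Translate one definition into a certbot argument vector (certonly, non-interactive)."""
    argv = ["certbot", "certonly", "--non-interactive", "--cert-name", cert["name"]]
    auth = cert["authenticator"]
    if auth[0] == "webroot":
        if len(auth) != 2:
            raise ValueError("webroot authenticator needs exactly one path")
        argv += ["--webroot", "-w", auth[1]]
    elif auth[0] in ("standalone", "apache", "nginx"):
        argv.append("--" + auth[0])
    elif auth[0].startswith("dns-"):
        if len(auth) != 2:
            raise ValueError("%s needs a credentials file path" % auth[0])
        argv += ["--" + auth[0], "--" + auth[0] + "-credentials", auth[1]]
    else:
        raise ValueError("unknown authenticator %r" % auth[0])
    for domain in cert["domains"]:
        argv += ["-d", domain]
    argv += cert["extra"]
    if dry_run:
        argv.append("--dry-run")
    return argv


def plan(text, dry_run=True):
    """Full plan for a definition file: one argv per certificate, in file order."""
    return [certbot_argv(c, dry_run) for c in parse_definitions(text)]


if __name__ == "__main__":
    for argv in plan(SAMPLE_DEFINITIONS):
        print(" ".join(shlex.quote(a) for a in argv))
```

Invalid lines fail the whole plan before anything is issued, which is the behaviour you want when a typo in one of many definitions would otherwise burn a rate-limited issuance; drop `dry_run` only after the `--dry-run` pass succeeds against the staging endpoint.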
Hi @tbrowder,
I did suggest something similar last year: Comparison of Lets Encrypt Clients
An understanding of the crypto libraries, capabilities and supported challenges for each client would be great.
In terms of managing lots of certs this is something that a lot of clients can do some work on.
Some of my thoughts:
A) ACMESharp has the concept of storage providers, but it’s hard to implement.
B) Have a look at ManageEngine’s Key Manager Plus. https://www.manageengine.com/key-manager/ Of the clients I have evaluated, it seems to be one of the leaders in using a GUI and a database to store relevant information (e.g. certs issued etc.). Supported on Linux and Windows, and is Java based.
C) Large providers have coded their own solution with backend databases. A lot of them prefer clients that they can use to take instructions but, as you have rightly suggested, use wrapper scripts to do the issuing etc.
D) I am working on a proof of concept around PowerShell and this. Each major component is modular, and I can share here if you want.
E) The other things I think MSPs or people dealing with a large number of certs come across: use of multiple keys (a key per client) to avoid rate limitations and make transfer of service possible (i.e. here is your key, you can issue certs with a client of your choice). The ability to co-term certs: for example, if you have 10 certs expiring on 20th June and 3 certs expiring on the 16th, make them all renewed on the 15th so next time you have a single time to do the renewals. The ability to do multi challenge per domain. For example: give 3 domains, use HTTP challenge for domain 1,2,3 and TLS for domain 4. Most clients stick to one challenge for all domains, which I don’t believe gives the flexibility needed.
There are lots of fun challenges with Let’s Encrypt and ACME. The bigger the problem, the more complex (not complicated) I believe the solutions need to be. The challenge with complex solutions is you do need technical people to use them, but MSPs and service providers tend to have those.
I believe as the protocol gains adoption there will need to be a wide range of clients (some that just do it all , some that integrate with particular software and some that are libraries that people can adapt)
Andrei
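The co-terming idea in point E above (renew the certs expiring on the 16th and on the 20th together on the 15th, so that afterwards they all share one expiry) as an added example. This is not code from any client in the thread; the inventory of names and expiry dates is constructed, and the one-day margin before the earliest expiry and the 30-day grouping window are assumptions made here. It goes slightly beyond the post by keeping a certificate whose expiry is far away in its own later batch instead of renewing it early.

```python
"""Group certificates into renewal batches so that each batch expires together after renewal."""
from datetime import date, timedelta

# Constructed inventory: certificate name -> notAfter date (the data `certbot certificates` lists).
INVENTORY = {
    "shop": date(2018, 6, 20), "blog": date(2018, 6, 20), "api": date(2018, 6, 20),
    "mail": date(2018, 6, 16), "xmpp": date(2018, 6, 16),
    "legacy": date(2018, 9, 1),
}


def coterm_date(expiries, margin_days=1):
    """Single renewal date for a batch: the earliest expiry minus a safety margin.

    Renewing every certificate of the batch on that day keeps all of them valid and
    gives them the same new expiry, so the next renewal is a single event too.
    """
    if not expiries:
        raise ValueError("no certificates in batch")
    return min(expiries) - timedelta(days=margin_days)


def renewal_batches(inventory, window_days=30, margin_days=1):
    """Split the inventory into batches of certificates whose expiries lie within window_days.

    Returns a list of (renew_on, sorted names) ordered by renewal date. A certificate
    whose expiry is more than window_days after the start of the current batch opens
    a new batch rather than being renewed early for no reason.
    """
    ordered = sorted(inventory.items(), key=lambda item: item[1])
    batches, current = [], []
    for name, expiry in ordered:
        if current and (expiry - current[0][1]).days > window_days:
            batches.append(current)
            current = []
        current.append((name, expiry))
    if current:
        batches.append(current)
    return [(coterm_date([e for _, e in batch], margin_days), sorted(n for n, _ in batch))
            for batch in batches]


def due(batches, today):
    """Names whose batch renewal date is today or already past.

    A missed day must not silently skip a batch: being late is the real risk, so an
    overdue batch is still reported until it is renewed.
    """
    return [name for renew_on, names in batches if renew_on <= today for name in names]


if __name__ == "__main__":
    for renew_on, names in renewal_batches(INVENTORY):
        print(renew_on.isoformat(), ", ".join(names))
```

Feed `due(...)` into whatever issues the certificates (for certbot, `certbot renew --force-renewal --cert-name <name>` per name on the batch day); once a batch has been renewed together, its members expire together and fall into the same batch next time without any further bookkeeping.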
Thanks, Andrei.
Now I’m going to try to move my current certs once again: this time from [C] acme-client’s structure to that of certbot.
I plan to use the webroot method since that worked well with acme-client.
I see the suggestion of linking to the certbot main files as well as the warning about the danger of modifying any file in the certbot file structure. I hope that any damage is repairable!
I tried to use the software here to install a secure server on an Apache system running CentOS 6 with vhosts, and at the time it got to the end and didn’t work. Has it been fixed to do that now? I gave up last time as I saw a message that the feature was ‘under development’ - must be some time ago, as I am getting certificate renewal notices.
Take a look at acmebot, it’s driven entirely by a flat configuration file (json) and manages any number of certificates. It also has a number of useful features like: allowing multiple certificates to share a private key (for HPKP), parallel RSA and ECDSA certificates, manages backup keys and HPKP headers, sets TLSA records, manages signed certificate transparency (SCT) files, manages OCSP staple files, etc.
Peter, acmebot looks very good! Thanks for the link.
Any plans for a stand-alone mode?
Best regards,
-Tom
Hi Tom, no current plans for a stand-alone mode, but it wouldn’t be too hard to add. Feel free to file an issue requesting it if it’s something you need (so I won’t forget).
I use acmebot on production sites that already have servers listening to port 80 (and 443) or are behind firewalls that don’t allow web access (like XMPP servers), so I haven’t had a need for it personally.
Thanks, Peter. I’m looking at a new dns provider so I can use the dns mode.
BTW, your excellent documentation is a gigantic plus. I don’t remember seeing your client on the client list, though, but I’m going to look now…
Ah, there it is. I hadn’t really looked at Python clients until I came back to certbot.
I think I’ll try after I get my domains onto a new dns service.
I’m considering going with Cloudns. What dns service do you use, or do you run your own authoritative dns servers?
Best,
-Tom
I run my own DNS servers (bind9). If you go that route, take a look at bindtool; it helps keep your bind zone files a bit cleaner (and plays nice with acmebot for dns authentication).
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.