Best way to deploy wildcard certificate to multiple servers


#1

Hi everyone,

My domain is cavazos.cc. This is a private home setup, not hosted. I log directly into each of the boxes to do admin tasks.

I have a Synology router with a static IP address. Access to this router from the internet is via https://cavazos.cc:8000. Connected to this router are three boxes. One Synology NAS with several services running (email, file sharing, etc.); access to this box is via https://cavazos.cc: or https://mail.cavazos.cc depending on the service being accessed. The other two boxes have Ubuntu 16.04 installed running the latest Apache and using ports 80 and 443. I use Webmin to manage the Linux boxes.

My questions: Can I use a wildcard certificate covering all the *.cavazos.cc addresses? If so, can I have a single certbot running to retrieve the certificate and copy it to the different boxes? Or is it possible to install the certificate only in the router?

Thanks for your help,
Alex


#2

Certbot doesn’t support this out of the box, but it’s certainly possible. I outlined a sketch of how to do it in this post: Automated deployment of key/cert from reverse proxy to internal systems

You’d have to customize it to issue a wildcard certificate, which means you’d also have to use DNS-based validation.

If you can set up a reverse proxy (such as nginx or haproxy) on the router to listen on ports 80 and 443, sure. That’s mostly up to whether your router supports it.

Consider also setting up a reverse proxy server inside your network, forwarding ports 80 and 443 on your router to it, and then handling SSL there. That would be the sanest solution that avoids copying certificates around.

Unless you have a lot (20+) of hostnames, you could just also use one certificate per hostname, running Certbot on each server. It’s the most reliable solution and the simplest too.
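The copy-the-cert-around approach from the reply above, as an added example that is not code from the linked post or from Certbot: a `--deploy-hook` script that pushes a renewed wildcard certificate to the internal Apache boxes over ssh and reloads them. The host names, the `certdeploy` user, the remote path and the sudoers line are assumptions, and it assumes Certbot already obtains `*.cavazos.cc` via DNS validation (a DNS plugin or `--manual-auth-hook`).

```shell
#!/bin/sh
# Added example (not from the thread): certbot --deploy-hook that ships a renewed
# wildcard cert from the certbot box to the internal Apache servers and reloads them.
# Host names, deploy user and paths are assumptions. Wire it up with e.g.:
#   certbot renew --deploy-hook /usr/local/bin/push-cert.sh
set -eu

TARGETS="${TARGETS:-web1.cavazos.cc web2.cavazos.cc}"   # assumed internal hosts
DEPLOY_USER="${DEPLOY_USER:-certdeploy}"                 # unprivileged; sudo only for reload
REMOTE_DIR="${REMOTE_DIR:-/home/certdeploy/certs}"       # Apache SSLCertificateFile points here

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/cavazos.cc) for deploy hooks.
# Print the two files to ship; return non-zero if either is missing or unreadable.
lineage_files() {
    lineage="$1"
    [ -r "$lineage/fullchain.pem" ] || return 1
    [ -r "$lineage/privkey.pem" ] || return 1
    printf '%s\n%s\n' "$lineage/fullchain.pem" "$lineage/privkey.pem"
}

# Copy cert and key to one host, then reload Apache. The private key is streamed over
# ssh stdin into a file created under umask 077, so it is never world-readable remotely.
push_to_host() {
    host="$1"; lineage="$2"
    ssh "$DEPLOY_USER@$host" "umask 077 && mkdir -p '$REMOTE_DIR'"
    ssh "$DEPLOY_USER@$host" "umask 022 && cat > '$REMOTE_DIR/fullchain.pem'" < "$lineage/fullchain.pem"
    ssh "$DEPLOY_USER@$host" "umask 077 && cat > '$REMOTE_DIR/privkey.pem'"   < "$lineage/privkey.pem"
    # Needs a sudoers entry like: certdeploy ALL=(root) NOPASSWD: /bin/systemctl reload apache2
    ssh "$DEPLOY_USER@$host" "sudo -n systemctl reload apache2"
}

# Validate the lineage once, then push to every target; stop on the first failure.
deploy_all() {
    lineage="$1"
    lineage_files "$lineage" >/dev/null || { echo "missing cert files in $lineage" >&2; return 1; }
    for host in $TARGETS; do
        push_to_host "$host" "$lineage"
    done
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing the file otherwise does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_all "$RENEWED_LINEAGE"
fi
```

The deploy user needs only write access to its own cert directory and a sudo rule for the reload, so a compromise of the certbot box does not hand out root on the web servers.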


#3

Thanks! I’ll dig into the proxy server as it seems to be the most straightforward solution.

Alex
