Cert for same dns name but different server


#1

hi all,

I have a DNS name robo84.ddns.net, so it's just a domain name, not a host name; otherwise I would have made different hosts, one called email.robo84.ddns.net, remote.robo84.ddns.net, web.robo84.ddns.net, etc., etc., for the different public servers I host.

Now if I have 2 Apache servers, one HTTP/port 80 and the other HTTPS/port 443, and I NAT/port forward them to the 2 different Apache servers respectively,

do I create a new cert for each server, or do I create a new cert for server A and create a link to server B so it can get the cert of server A and use the cert of server A?

many thanks

rob


#2

I’m a little unclear on your setup (probably me).

You say you have 2 servers, but “one http/port 80 and the other https/port 443” … only one of them (the https/port 443 one) requires a cert, and the other (http) does not. So why do you need to copy or link a cert, as only one server is providing HTTPS?


#3

Good point, stupid me: HTTP is not encrypted, so I won't have this problem. Ha, what a donut.


#4

Does Let's Encrypt only do web servers, i.e. Apache servers, and not any other service, i.e. FTPS, SMTPS, IMAPS or POP3S?


#5

Certs can be used for any type of server; a webserver is only needed if using the http-01 challenge.


#6

The certificates issued by Let’s Encrypt have an Extended Key Usage filled out for SSL/TLS servers and clients only. Most encrypted services use SSL / TLS, including all the ones you mentioned. If you run such services from the same machine (under the same hostname) you can use the same certificate for those services as for your HTTPS server. If you have another name (e.g. www.example.com could be a web server while mail.example.com is an IMAP server, on the same physical hardware) you will need either a certificate with both names in it, or two different certificates.

Some services do not use SSL or TLS. Most obviously SSH (including its built-in SFTP / SCP service) which uses its own “trust on first use” approach in most deployments, and some low level network services. The S/MIME secure email system is also separate. In those cases you’d probably need a different certificate which Let’s Encrypt does not issue, or a self-signed certificate might be fine.
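As an added example (not code from the thread), a small shell check that builds a self-signed stand-in certificate carrying the www.example.com / mail.example.com names from the post above and then verifies which hostnames and key usages it covers before it is reused for another service; the openssl invocation and the example.com names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed test cert carrying
# the two names from post #6 plus a server/client EKU, then check which names
# and usages it covers before pointing a non-web service at it.
# Assumes openssl 1.1.1+ (-addext/-ext); example.com names are illustrative.
set -e

WORK=$(mktemp -d)
CERT="$WORK/cert.pem"
KEY="$WORK/key.pem"

# Self-signed stand-in for an issued cert: a real Let's Encrypt cert comes via
# ACME, but its SAN and EKU extensions are inspected exactly the same way.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$KEY" -out "$CERT" -subj "/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com,DNS:mail.example.com" \
  -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1

# DNS names from the Subject Alternative Name extension, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Extended Key Usage entries, one per line.
cert_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage |
    sed 1d | tr ',' '\n' | sed 's/^ *//'
}

# Succeeds only if the cert lists the given hostname exactly.
cert_covers() {
  cert_names "$1" | grep -qx "$2"
}

# Succeeds only if the EKU permits use by a TLS server (IMAPS, SMTPS, ...).
cert_is_server_cert() {
  cert_eku "$1" | grep -qx 'TLS Web Server Authentication'
}

for name in www.example.com mail.example.com ftp.example.com; do
  if cert_covers "$CERT" "$name"; then
    echo "$name: covered by this cert"
  else
    echo "$name: NOT covered (needs a SAN entry or its own cert)"
  fi
done
cert_is_server_cert "$CERT" && echo "EKU allows TLS server use"
```

Run the same two checks against the certificate Let's Encrypt actually issued (for example the fullchain.pem in the live directory) before handing it to an IMAP or SMTP daemon.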

