Certbot - How Do Names in etc/live get chosen

Hello,

I am virtualhosting in Apache and have successfully installed and tested LetsEncrypt using the steps:

$ git clone https://github.com/letsencrypt/letsencrypt
$ pushd letsencrypt
$ ./letsencrypt-auto

I told the script to encrypt all domains.

I noticed that the domain listed in the /etc/letsencrypt/live/ directory appears to have been chosen solely by the virtue that it was alphabetically first in the list of hosted domains. The reality is that this particular domain is one that doesn’t transmit mail, receives maybe two messages a year and in 5 months, I will have released it back into the wild outside of my ownership.

What is a method for encouraging LetsEncrypt to choose the default domain differently? What would be the expected path to recreate the keys when that day comes in November and I remove the site from /etc/apache2/sites-available?

In addition to Apache2 traffic, I want to take this stack of cards to the next level. I am setting up the TLS parameters in postfix and would like to choose a key file, in the sense of:

smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem

This raises the second question I have, which is more about the fundamentals of LetsEncrypt. I am also virtual hosting my email across multiple domains. Is the key in /etc/letsencrypt/live/ expected to match the domain name of the sender, or is there some sort of magic that allows the authentication to take place regardless of the domain? I am hoping that this key would somehow cover all the domains, not just the alphabetically first in the list of those I’m hosting.

First and foremost, I have two goals: that transmitted e-mail does not automatically become spam, and the ability to have Postfix sort through any email address that ends in a domain I own.

Thanks to everybody, including Seth Schoen, who has helped me in the recent past!

Timothy D. Legg

Hi @timothylegg,

You can choose a name different from the first subject domain name by specifying a --cert-name when initially obtaining the certificate.

[quote]This raises the second question I have, which is more about the fundamentals of LetsEncrypt. I am also virtual hosting my email across multiple domains. Is the key in /etc/letsencrypt/live/ expected to match the domain name of the sender, or is there some sort of magic that allows the authentication to take place regardless of the domain? I am hoping that this key would somehow cover all the domains, not just the alphabetically first in the list of those I'm hosting.
[/quote]

The certificate name in /etc/letsencrypt/live (among other places that it appears within /etc/letsencrypt) is only used for your own convenience, and is not transmitted or displayed to people who connect to your site. We made the default be based on the first domain name that the certificate covers because we thought that would be intuitive for users who have a relatively small number of domain names.

You could, if you wanted, choose a completely arbitrary certificate name, like --cert-name coconut-ice-cream or --cert-name ancientmariner or --cert-name 8109c7e4143f, and your certificate would still work properly.

Certificates contain their own internal data showing which domain names they apply to. Those domain names are called subject names, and in modern X.509 certificates are represented using a technology called the subject alternative name extension (also known as subjectAltName or SAN). The list of SANs, which is part of the certificate's content, determines whether or not the certificate is considered valid for a particular domain name. It doesn't matter for this purpose what file name the certificate is saved under.
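The following script is an added example for the two points made in the replies above (the --cert-name directory name is purely local, and the subjectAltName list is what decides which host names a certificate is valid for); it is not code from the thread and not certbot's own code. It assumes the openssl command-line tool (1.1.1 or newer, for -addext and -ext) is installed. The host names aardvark.example, mail.example.com and example.org and the directory name coconut-ice-cream are made up for the demonstration; the self-signed certificate it issues is only a throw-away stand-in for a Let's Encrypt certificate.

```shell
#!/bin/sh
# Added example (not from the thread): the directory a certificate lives in
# is irrelevant; only the DNS names in its subjectAltName extension decide
# which host names it is valid for. Assumes openssl 1.1.1+ is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a throw-away self-signed certificate covering three (made-up) names
# and store it under an arbitrary directory name, the way
# "certbot --cert-name coconut-ice-cream" would. Prints the cert path.
make_cert() {
  dir="$WORK/live/coconut-ice-cream"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=aardvark.example" \
    -addext "subjectAltName=DNS:aardvark.example,DNS:mail.example.com,DNS:example.org" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
  echo "$dir/fullchain.pem"
}

# Print the DNS names from the certificate's subjectAltName extension,
# one per line. This is the list that matters, not the file name.
san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed (exit 0) only if the certificate is valid for the given host name,
# using the same SAN-based host name check a TLS client performs. The cert
# is self-signed, so it serves as its own trust anchor for this check.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" 2>/dev/null \
    | grep -q ': OK$'
}

CERT=$(make_cert)
echo "Certificate stored as: $CERT"
echo "Names it is valid for:"
san_names "$CERT"

# The directory name "coconut-ice-cream" appears nowhere in the SAN list,
# so a host named after it does not match, while every listed name does.
for host in mail.example.com example.org coconut-ice-cream.example; do
  if cert_matches_host "$CERT" "$host"; then
    echo "$host: matches"
  else
    echo "$host: does NOT match"
  fi
done
```

Pointing Postfix's smtpd_tls_cert_file and smtpd_tls_key_file at whichever live/ directory certbot created works the same way: the directory name is never sent to the peer, and the peer only evaluates the names inside the certificate.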

WOW!

Thank you very much!

How did you reach this level of understanding? I’d like to extend upon this further. I would love to be recommended a few choice books on the subject.

Timothy Legg

Hi @timothylegg,

I reached my understanding of the structure of /etc/letsencrypt by being the original author of

Many of these choices were arbitrary and I happened to be part of the group of developers that made them, which gave me a very detailed understanding of the design choices that we made. :slight_smile:

In terms of the X.509 stuff and understanding PKI and TLS, I’ve heard that the best book to read is

https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

I have unfortunately not read this book myself, but I’d like to! I’m sure there are other books out there that are helpful as well.


I have also met Ivan Ristić and his knowledge of this area of technology is phenomenal. (I was going to say unparalleled, but I’ve also met some other colleagues who have truly remarkable knowledge of TLS.)


hi @schoen

It’s definitely a good book. Will see if I can get the certbot team a copy that can be distributed.

It’s what I use for most of what I do. Also use a few NIST resources which are available at no cost but are a bit more of a technical read.

Andrei
