I noticed that the domain listed in the /etc/letsencrypt/live/ directory appears to have been chosen solely by virtue of being alphabetically first in the list of hosted domains. The reality is that this particular domain is one that doesn’t transmit mail, receives maybe two messages a year, and in 5 months I will have released it back into the wild, outside of my ownership.
What is a method for encouraging LetsEncrypt to choose the default domain differently? What would be the expected path to recreate the keys when that day comes in November and I remove the site from /etc/apache2/sites-available?
In addition to Apache2 traffic, I want to take this stack of cards to the next level. I am setting up the TLS parameters in postfix and would like to choose a key file, in the sense of:
This raises my second question, which is more about the fundamentals of LetsEncrypt. I am also virtual hosting my email across multiple domains. Is the key in /etc/letsencrypt/live/ expected to match the domain name of the sender, or is there some sort of magic that allows the authentication to take place regardless of the domain? I am hoping that this key would somehow cover all the domains, not just the alphabetically first in the list of those I’m hosting.
First and foremost, I have two goals: that transmitted e-mail does not automatically become spam, and the ability to have Postfix sort through any email address that ends in a domain I own.
Thanks to everybody, including Seth Schoen, who has helped me in the recent past!
You can choose a name different from the first subject domain name by specifying a --cert-name when initially obtaining the certificate.
[quote]This raises my second question, which is more about the fundamentals of LetsEncrypt. I am also virtual hosting my email across multiple domains. Is the key in /etc/letsencrypt/live/ expected to match the domain name of the sender, or is there some sort of magic that allows the authentication to take place regardless of the domain? I am hoping that this key would somehow cover all the domains, not just the alphabetically first in the list of those I'm hosting.[/quote]
The certificate name in /etc/letsencrypt/live (among other places that it appears within /etc/letsencrypt) is only used for your own convenience, and is not transmitted or displayed to people who connect to your site. We made the default be based on the first domain name that the certificate covers because we thought that would be intuitive for users who have a relatively small number of domain names.
You could, if you wanted, choose a completely arbitrary certificate name, like --cert-name coconut-ice-cream or --cert-name ancientmariner or --cert-name 8109c7e4143f, and your certificate would still work properly.
Certificates contain their own internal data showing which domain names they apply to. Those domain names are called subject names, and in modern X.509 certificates are represented using a technology called the subject alternative name extension (also known as subjectAltName or SAN). The list of SANs, which is part of the certificate's content, determines whether or not the certificate is considered valid for a particular domain name. It doesn't matter for this purpose what file name the certificate is saved under.
I reached my understanding of the structure of /etc/letsencrypt by being the original author of
Many of these choices were arbitrary and I happened to be part of the group of developers that made them, which gave me a very detailed understanding of the design choices that we made.
In terms of the X.509 stuff and understanding PKI and TLS, I’ve heard that the best book to read is
I have also met Ivan Ristić and his knowledge of this area of technology is phenomenal. (I was going to say unparalleled, but I’ve also met some other colleagues who have truly remarkable knowledge of TLS.)
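As an added illustration of the two answers above (the --cert-name reply and the explanation that the SAN list, not the file name, decides which domains a certificate is valid for), here is a small Python example that is not part of this thread or of certbot. It uses a constructed SAN list, applies the usual hostname-matching rule (exact match, or a wildcard that stands in for exactly one left-most label), and shows how an arbitrary cert-name such as "ancientmariner" only changes the paths under /etc/letsencrypt/live that a Postfix smtpd_tls_cert_file / smtpd_tls_key_file setting would point at. The fullchain.pem and privkey.pem file names are certbot's standard layout; everything else is assumed for the example.

```python
# Added example (not from the forum thread or from certbot): how the SAN list,
# rather than the /etc/letsencrypt/live/<cert-name>/ directory name, decides
# which hostnames a certificate is valid for.

# Constructed SAN list for one hypothetical certificate covering several hosted domains.
SAMPLE_SANS = [
    "aardvark.example",        # alphabetically first: would become the default cert-name
    "www.aardvark.example",
    "mail.example.net",        # the name mail clients and peer MTAs would connect to
    "example.net",
    "*.zebra.example",         # wildcard covers exactly one left-most label
]


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one subjectAltName DNS entry matches the hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire left-most label, so "*.zebra.example" covers
    "foo.zebra.example" but neither "zebra.example" nor "a.b.zebra.example".
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # e.g. ".zebra.example"
        if hostname.endswith(suffix):
            prefix = hostname[: -len(suffix)]
            return prefix != "" and "." not in prefix
    return False


def certificate_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN in the certificate makes it valid for hostname."""
    return any(san_matches(san, hostname) for san in sans)


def live_paths(cert_name: str, base: str = "/etc/letsencrypt/live") -> dict[str, str]:
    """Paths certbot would use for a given --cert-name (standard certbot file names)."""
    return {
        "cert": f"{base}/{cert_name}/fullchain.pem",
        "key": f"{base}/{cert_name}/privkey.pem",
    }


def postfix_tls_lines(cert_name: str) -> list[str]:
    """main.cf lines pointing Postfix at that certificate (real Postfix parameter names)."""
    paths = live_paths(cert_name)
    return [
        f"smtpd_tls_cert_file = {paths['cert']}",
        f"smtpd_tls_key_file = {paths['key']}",
    ]


if __name__ == "__main__":
    # The cert-name is purely local bookkeeping: validity is unchanged.
    for name in ("aardvark.example", "ancientmariner"):
        print(name, "->", live_paths(name)["cert"])
    for host in ("mail.example.net", "foo.zebra.example", "a.b.zebra.example", "example.org"):
        print(f"{host:22} covered: {certificate_covers(SAMPLE_SANS, host)}")
    print("\n".join(postfix_tls_lines("ancientmariner")))
```

The practical check on a real box is the same idea in reverse: list the SANs of the certificate that the Postfix key file pairs with, and confirm the hostname that peers connect to is among them; the directory name under live/ never enters into that comparison.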