Domain name alias and certification


#1

is it possible to certify a domain alias name? i have a domain with multiple aliases (multiuser Wordpress).

i would like to certify all the alias names. the main domain was certified without any problems, but the alias names are not answering with “https://” 443.


#2

Did you use certbot to obtain your certificate? If so, did you use the Apache or Nginx automatic installer?

Does your browser time out or do you get some error page from your webserver when you try and visit one of the other domains over HTTPS? Can you provide an affected site?

What operating system and web server software are you using? Does it run any other websites or is it solely for WordPress MU? Does your main domain also use the same WPMU instance?


#3

hello Patches -

this is centos-7 running apache:

httpd -v ;
Server version: Apache/2.4.6 (CentOS)
Server built: Sep 20 2017 01:44:44

to create the certs, i did the following:

certbot --apache certonly;

and that created the following certs for me:

ls -l /etc/letsencrypt/live/DOMAIN.com/;
total 1
lrwxrwxrwx 1 root root 47 Mar 15 02:00 cert.pem -> …/…/archive/DOMAIN.com/cert1.pem
lrwxrwxrwx 1 root root 48 Mar 15 02:00 chain.pem -> …/…/archive/DOMAIN.com/chain1.pem
lrwxrwxrwx 1 root root 52 Mar 15 02:00 fullchain.pem -> …/…/archive/DOMAIN.com/fullchain1.pem
lrwxrwxrwx 1 root root 50 Mar 15 02:00 privkey.pem -> …/…/archive/DOMAIN.com/privkey1.pem

and this is a section of my httpd.conf file:

ServerName DOMAIN.com
ServerAlias *.DOMAIN.com
ServerAlias www.DOMAIN.com
ServerAlias webmail.DOMAIN.com
ServerAlias admin.DOMAIN.com
ServerAlias CHILDDOMAIN_ONE.com
ServerAlias www.CHILDDOMAIN_ONE.com
ServerAlias CHILDDOMAIN_TWO.com
ServerAlias www.CHILDDOMAIN_TWO.com
ServerAlias CHILDDOMAIN_THREE.com
ServerAlias www.CHILDDOMAIN_THREE.com
ServerAlias CHILDDOMAIN_FOUR.com
ServerAlias www.CHILDDOMAIN_FOUR.com
etc etc
etc
etc
SSLCertificateFile /etc/letsencrypt/live/DOMAIN.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/DOMAIN.com/chain.pem

i cannot find any apache examples of how each ServerAlias can get separately certified.


#4

They can’t. You have to list them all on one certificate:

sudo certbot certonly --apache -d domain.com,www.domain.com,sub1.domain.com,sub2.domain.com,domain2.com,www.domain2.com,[...]

Let’s Encrypt allows you to list up to 100 names on one certificate. If you really need a wildcard, you can do that as of yesterday, but you have to use DNS authentication instead of --apache so it is best to avoid it if you can.

Otherwise if you really want individual certificates you have to have individual <VirtualHost> entries to configure them in.


#5

i did yum-install and have certbot 0.22.0 – when you say “yesterday” i assume that is in 0.23.0? it might be a little wait until 0.23.0 is available on yum.

i can probably eliminate the wildcard, or at least it's worth trying.


#6

certbot 0.23.0 defaults to using the new ACMEv2 service that offers wildcard certificates, but it is possible to use certbot 0.22.0 by passing it a flag.

The main issue is that HTTP authentication methods are not permitted for wildcard certificates. Certbot doesn’t support using different authentication methods in the same certificate (nor does any other ACME client AFAIK), and doing DNS TXT authentication for dozens of random domains is…difficult to say the least.

If you really need the wildcard you could achieve it with a two-VirtualHost setup, one with a DNS authenticated wildcard certificate and the other with a HTTP-authenticated certificate listing the rest of the domains. This is basically what WordPress.com does, except they have thousands of the “other certificates”. :wink:


#7

it sounds like my best option is to have two virtual-servers, one for the parent (with wildcard), and the other for all the alias domains.

i am just going to guess that all i need to do is to make sure the new virtual-server (with all the aliases) has the same DocumentRoot location as the parent.

you said:

The main issue is that HTTP authentication methods are not permitted for wildcard certificates.

i did read this wildcard link - is this the same thing?

Will Let’s Encrypt issue wildcard certificates?
Let’s Encrypt has announced wildcard support coming January 2018. Certbot plans to add support for wildcard certificates when Let’s Encrypt starts issuing them.

patches - i want to thank you for your patience with me.


#8

Hi,

The issue with Apache is that one vHost can only have one SSL certificate. So if you wish to have two certs for different domains, the best option is to use two vHosts.

You probably need the same config for WordPress multisite too (just different cert files and aliases (domains)).

What he means is, since Let's Encrypt doesn't allow using the http-01 challenge for wildcard certs, you will need to use the DNS challenge (add a DNS TXT record for the domain) (you can always use www and root; a wildcard is just more convenient for mass subdomains).
For the other domains (your aliases), you can use either DNS or HTTP challenges; however, using HTTP would be most convenient since all the domains are already pointed to your server.

Thank you
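Two points in this thread are easy to get wrong in practice: every name a vHost answers for has to appear on the certificate that vHost serves (#4: list them all on one certificate, up to 100 names), and once you split into two vHosts (#8), each one needs its own check. The script below is an added example, not code from the thread or from certbot: it pulls the ServerName/ServerAlias names out of one vHost's config, compares them against a certificate's Subject Alternative Names with proper single-label wildcard matching, and builds the comma-separated `-d` list for `certbot --apache` while dropping wildcard aliases (which need the DNS challenge) and enforcing the 100-name limit. The function names are hypothetical, and the sample config and SAN list are constructed for the demo; pass a real httpd.conf and cert.pem as arguments to run it against your own setup.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check that every name a single Apache
# vHost answers for (ServerName + ServerAlias) is covered by the Subject
# Alternative Names of the certificate that vHost serves, and build the
# comma-separated -d list for certbot from the same names. Helper names are
# hypothetical; the sample config and SAN list below are constructed.
set -eu

# Print the lower-cased ServerName/ServerAlias values of a config snippet read
# from stdin, one per line, de-duplicated.
vhost_names() {
  awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
         for (i = 2; i <= NF; i++) print tolower($i)
       }' | LC_ALL=C sort -u
}

# Read the DNS SANs out of a PEM certificate (needs openssl 1.1.1+ for -ext).
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}

# Does hostname $1 match SAN entry $2? A wildcard covers exactly one label:
# *.example.com matches www.example.com, not example.com or a.b.example.com.
san_matches() {
  local name=$1 san=$2 suffix prefix
  [ "$name" = "$san" ] && return 0
  case $san in
    \*.*) ;;
    *) return 1 ;;
  esac
  suffix=${san#\*.}
  prefix=${name%."$suffix"}
  [ "$prefix" != "$name" ] || return 1   # suffix did not match
  [ -n "$prefix" ] || return 1           # nothing left of the suffix
  case $prefix in
    *.*) return 1 ;;                     # more than one label stripped
  esac
  return 0
}

# Print every vHost name in config file $1 that no SAN in list $2 covers.
# Returns 0 when all names are covered, 1 otherwise.
uncovered_names() {
  local config=$1 sans=$2 name san hit status=0
  for name in $(vhost_names < "$config"); do
    hit=0
    for san in $sans; do
      if san_matches "$name" "$san"; then hit=1; break; fi
    done
    if [ "$hit" -eq 0 ]; then echo "$name"; status=1; fi
  done
  return "$status"
}

# Turn the vHost names into certbot's comma-separated -d argument. Wildcard
# aliases are dropped (they need the DNS challenge, not --apache), and the
# 100-names-per-certificate limit mentioned in the thread is enforced.
certbot_domain_arg() {
  local names count
  names=$(vhost_names < "$1" | grep -v '^\*\.' | paste -s -d , -)
  count=$(printf '%s\n' "$names" | tr ',' '\n' | grep -c .) || count=0
  if [ "$count" -gt 100 ]; then
    echo "error: $count names exceed the 100-name limit; split them across certificates" >&2
    return 1
  fi
  printf '%s\n' "$names"
}

# Constructed sample: one vHost's names and the SANs of a hypothetical cert
# that was issued before www.example.net was added as an alias.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ServerName example.com
ServerAlias *.example.com
ServerAlias www.example.com
ServerAlias example.net
ServerAlias www.example.net
EOF
SAMPLE_SANS="example.com *.example.com example.net"

if [ $# -ge 2 ]; then
  # Real use: ./check.sh /etc/httpd/conf/httpd.conf /etc/letsencrypt/live/<your domain>/cert.pem
  if uncovered_names "$1" "$(cert_sans "$2")"; then echo "every vHost name is covered"; fi
else
  echo "names not covered by the sample certificate:"
  if uncovered_names "$SAMPLE_CONF" "$SAMPLE_SANS"; then echo "(none)"; fi
  echo "certbot --apache certonly -d $(certbot_domain_arg "$SAMPLE_CONF")"
fi
```

Run it with no arguments to see the constructed case: `www.example.net` is reported as uncovered, and the printed `-d` list omits `*.example.com`. With two arguments it reads the SANs from the real certificate via openssl, which is the check worth repeating after every `ServerAlias` you add, since Apache will happily serve a name the certificate does not cover and the browser error is all that tells you.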


#9

That FAQ is out-of-date. Let’s Encrypt supports wildcard certificates now, and Certbot supports them as of version 0.22.0.


#10

Whoops, great catch @edwardsmarkf and @mnordhoff!

