Generating certs for www and non-www


#1

I’m on Openshift running Rails 4.

On my local machine I do this to generate certs for my site, and I specify www and non-www because I have to have one cert for each (right?):

sudo ./letsencrypt-auto certonly --manual -d ajdl.co.uk -d www.ajdl.co.uk

And then I get my Rails controller to render text based on the URL specified in the letsencrypt program which is running in my shell.

get '/.well-known/acme-challenge/xZap1XGnim..... (etc)' => 'pages#letsencrypt'

And

class PagesController < ApplicationController
  def letsencrypt
    render text: "xZap1XG... (etc)"
  end
end

After hitting enter, the shell immediately returns to the screen which asks me whether I want my IP to be stored and starts a 2nd run-through of the steps. So I change my controller to render text based on the new URL.

Then I hit enter and letsencrypt complains because my first URL is no longer valid!

Does this mean that I have to render two responses on the same page based on whether letsencrypt is trying to access via www or non-www? I’m confused.

Sorry for the noobish question.


#2

Each response has its own URL, you need to be serving them all.


#3

The challenge token (and therefore the path) is different for each FQDN on your certificate. Preferably you wouldn’t serve the challenge based on the domain, but based on the requested path. So basically you’d have a route for /.well-known/acme-challenge/[random_token] and would serve the challenge token based on the value of [random_token].

There are also a number of clients and libraries for Ruby that might help with this here.

PS:

Technically what you’re requesting is one certificate that covers multiple domains, using the Subject Alternative Name (SAN) extension.
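As an added example of the approach described above (not code from the original posts): a plain-Ruby lookup that answers an http-01 challenge by the token in the requested path, so the same handler works whether the validation request arrives for the www or the non-www name. The challenge table, the token values and the `:token` route are constructed assumptions; in the Rails app the lookup would sit behind a route like `get '/.well-known/acme-challenge/:token' => 'pages#letsencrypt'`.

```ruby
# Added example (not from the original thread): serve ACME http-01 challenges
# keyed by the token in the path, not by the Host header.
#
# Constructed table with one entry per FQDN being validated. During the
# --manual run the client prints, for each domain, the token and the exact
# body to serve (token + "." + account-key thumbprint, the "key authorization").
CHALLENGES = {
  "tok-ajdl-example-AAAA" => "tok-ajdl-example-AAAA.thumb-example-1111",
  "tok-www-example-BBBB"  => "tok-www-example-BBBB.thumb-example-2222",
}.freeze

ACME_PREFIX = "/.well-known/acme-challenge/".freeze
# ACME tokens are unpadded base64url; anything else (".." or "/", say) is
# rejected before it reaches the lookup.
TOKEN_RE = /\A[A-Za-z0-9_-]+\z/

# Returns [status, body] for a request path. The hostname the validation
# server used (www or non-www) plays no part in the answer.
def acme_response(path, challenges = CHALLENGES)
  return [404, "not found"] unless path.start_with?(ACME_PREFIX)
  token = path[ACME_PREFIX.length..-1]
  return [404, "not found"] unless TOKEN_RE =~ token
  key_auth = challenges[token]
  return [404, "not found"] if key_auth.nil?
  [200, key_auth]
end

# Rails 4 shape of the same action (constructed; params[:token] comes from the
# :token segment of the assumed route):
#   def letsencrypt
#     status, body = acme_response(request.path)
#     render text: body, status: status
#   end

if __FILE__ == $PROGRAM_NAME
  [
    "/.well-known/acme-challenge/tok-ajdl-example-AAAA",
    "/.well-known/acme-challenge/tok-www-example-BBBB",
    "/.well-known/acme-challenge/unknown-token",
  ].each { |p| puts "#{p} -> #{acme_response(p).inspect}" }
end
```

Each domain's challenge stays served for the whole run because every token remains in the table; the second prompt in the shell only adds a row, it never replaces the first one.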


#4

Great, thanks both. I ended up putting 2 actions in my controller to serve each request based on the random token, as you advised. As expected, it worked.

I didn’t use the Ruby / Rails gems because Openshift is still languishing with Ruby 2.0.0 and most of the gems require >=2.1.