Hard time adding (client) domains to my wildcard domain's cert

Hi! I thought upgrading Certbot from 0.27 to 1.27 would help a lot, but I still have a hard time getting it to work. Let me explain the situation:

We have a multi-tenant web app, so every new user will need to be added to the certificate of the app's domain. This is a wildcard domain (*.domain.com), but now every time the certificate needs to be renewed, or whenever a new client needs to be added to the certificate, we need to add new TXT records to all the domains. For most of the domains we don't even have access to the domain, so we need to call them during the renewal process to add a TXT record.

Isn't there an easier way? Is this really working as expected? This is almost not manageable, since the needed TXT records also change every time I start up Certbot to renew/expand.

The domains on the cert look like: *.webapp.com, sub.companyZ.com, sub.companyA.com, sub.companynameG.com

If you are looking to support customer domains, I think doing one certificate per customer domain, and authenticating them by HTTP rather than DNS, is probably the easiest thing.

What you are trying to do (a wildcard for your main domain + a normal FQDN for every customer domain) is made especially hard for you because Certbot doesn't really support mixing authentication methods for a single certificate (apart from with --manual auth hooks).

Nonetheless, for certificate management, it is going to be a lot less complicated to handle each customer domain separately. The downside of that approach is that you have to configure your webserver for each certificate, but how easy this is varies. For example, haproxy and nginx have some pretty nifty ways to achieve this without having to copy-paste virtual hosts.

See also what the integration guide says on the matter:

Our issuance policy allows for up to 100 names per certificate. Whether you use a separate certificate for every hostname, or group together many hostnames on a small number of certificates, is up to you.

Using separate certificates per hostname means fewer moving parts are required to logically add and remove domains as they are provisioned and retired. Separate certificates also minimize certificate size, which can speed up HTTPS handshakes on low-bandwidth networks.

On the other hand, using large certificates with many hostnames allows you to manage fewer certificates overall. If you need to support older clients like Windows XP that do not support TLS Server Name Indication (SNI), you’ll need a unique IP address for every certificate, so putting more names on each certificate reduces the number of IP addresses you’ll need.

For most deployments both choices offer the same security.


I requested a separate certificate for the new domain (which is hosted/owned by a client) and used the Apache web server plugin for authentication. Now I did get the certificate without having to add anything. That's perfect, but I wonder why I do need to add records whenever I try adding this domain to a certificate with a wildcard on it.

I will look up how to configure the server for separate SSL certificates for each third-party domain. We are running on Apache.

We use Apache and ISPConfig, and the vhost file of the app looks like this:

Under <VirtualHost *:443>

<IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    SSLHonorCipherOrder on
    # <IfModule mod_headers.c>
    # Header always add Strict-Transport-Security "max-age=15768000"
    # </IfModule>
    SSLCertificateFile /var/www/clients/client10/web49/ssl/www.domain.com.crt
    SSLCertificateKeyFile /var/www/clients/client10/web49/ssl/www.domain.com.key
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
</IfModule>

<Directory /var/www/domain.com/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
        SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
</Directory>
<Directory /var/www/clients/client10/web49/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
        SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
</Directory>

And all the tenant users/third-party domains are listed under ServerAliases.

Is this where I should configure each tenant domain? So like this:

<VirtualHost *:443>
 ServerName domain.com
 DocumentRoot /var/www/clients/client10/web49/web
 SSLEngine on
 SSLCertificateFile /path/to/domain.crt
 SSLCertificateKeyFile /path/to/domain.key
 SSLCertificateChainFile /path/to/domain.crt
</VirtualHost>

<VirtualHost *:443>
 # One vhost per tenant: ServerName must be the tenant's own host name,
 # not domain.com again, otherwise Apache never selects this vhost via SNI
 # and the first vhost (with the wildcard cert) answers instead.
 ServerName sub.thirdpartydomain.com
 DocumentRoot /var/www/clients/client10/web49/web
 SSLEngine on
 SSLCertificateFile /path/to/thirdpartydomain.crt
 SSLCertificateKeyFile /path/to/thirdpartydomain.key
 SSLCertificateChainFile /path/to/thirdpartydomain.crt
</VirtualHost>
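The approach suggested in the reply above (one certificate per tenant, authenticated over HTTP with the Apache plugin, and the wildcard kept only for the app's own domain) turns the vhost file into a repetitive per-tenant stanza that is easy to get wrong, as the draft config in this post shows with two vhosts sharing the same ServerName. The following script is an added example, not the poster's or the ISPConfig-generated config: it renders one SNI-selected `<VirtualHost *:443>` per tenant, points each at the `fullchain.pem`/`privkey.pem` that Certbot writes under `/etc/letsencrypt/live/<first -d name>/` (so no SSLCertificateChainFile is needed on Apache 2.4.8+), lists the Certbot commands that would issue each certificate, and checks the generated text for a name that appears in more than one vhost. The app name, tenant names and document root are constructed placeholders.

```python
"""Render one TLS vhost per tenant, each with its own Let's Encrypt
certificate, and sanity-check the result.  Constructed example; the
domain names and paths below are placeholders, not a real deployment."""
import re
from collections import Counter

LIVE_DIR = "/etc/letsencrypt/live"   # Certbot's default live directory


def vhost_block(server_name, docroot, aliases=()):
    """Render one <VirtualHost *:443>.  Apache picks the vhost by the name the
    client sends in SNI, so ServerName must be unique across the *:443
    listener; a second vhost repeating an earlier ServerName is never used."""
    lines = ["<VirtualHost *:443>", f"    ServerName {server_name}"]
    lines += [f"    ServerAlias {alias}" for alias in aliases]
    lines += [
        f"    DocumentRoot {docroot}",
        "    SSLEngine on",
        # fullchain.pem holds leaf + intermediates; Apache >= 2.4.8 reads the
        # chain from SSLCertificateFile, so no SSLCertificateChainFile line.
        f"    SSLCertificateFile {LIVE_DIR}/{server_name}/fullchain.pem",
        f"    SSLCertificateKeyFile {LIVE_DIR}/{server_name}/privkey.pem",
        "</VirtualHost>",
    ]
    return "\n".join(lines)


def render_site(app_name, tenants, docroot):
    """App vhost first (wildcard cert covers *.app plus the apex via the
    separate -d), then one vhost per tenant with that tenant's own cert."""
    blocks = [vhost_block(app_name, docroot, aliases=[f"*.{app_name}"])]
    blocks += [vhost_block(tenant, docroot) for tenant in tenants]
    return "\n\n".join(blocks) + "\n"


def certbot_commands(app_name, tenants):
    """Issuance commands: DNS-01 once for the wildcard (the only name that
    needs a TXT record), HTTP-based Apache plugin for every tenant name."""
    cmds = [
        f"certbot certonly --manual --preferred-challenges dns "
        f"-d {app_name} -d '*.{app_name}'"
    ]
    cmds += [f"certbot --apache -d {tenant}" for tenant in tenants]
    return cmds


def duplicate_names(config_text):
    """Return every ServerName/ServerAlias value that occurs in more than one
    vhost of config_text; a non-empty result means some vhost is unreachable."""
    names = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>",
                           config_text, re.S):
        names += re.findall(r"^\s*Server(?:Name|Alias)\s+(\S+)", body, re.M)
    return sorted(name for name, count in Counter(names).items() if count > 1)


if __name__ == "__main__":
    # Constructed tenants; real ones come from the multi-tenant app's database.
    tenants = ["sub.companya.example", "sub.companyz.example"]
    config = render_site("webapp.example", tenants, "/var/www/app/web")
    print(config)
    print("\n".join(certbot_commands("webapp.example", tenants)))
    print("duplicates:", duplicate_names(config))
```

Running it prints the rendered vhosts and the issuance commands; `duplicate_names` is the check worth keeping in a deploy pipeline, because the symptom of a repeated ServerName is not an Apache error but a tenant silently being served the wrong certificate.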