How to combine multiple wildcard and individual certificates into single file

Hi,

I am running my application in AWS. I need to deploy a certificate to AWS Certificate Manager (ACM) so that I can deploy it to my load balancer. I can only deploy a single certificate. However, my platform hosts custom domains (which I provision using a standard cert with multiple domains: certbot -d example1.com example2.com) etc., as well as tenant domains provisioned as subdomains (site.example.com). These subdomain tenants I manage via a wildcard certificate. This wildcard certificate is provisioned via DNS TXT record validation.

Hence I have 2 certificates - one for wildcard *.example.com, and one combining the custom domains. When I was hosting the application on a single node and didn't have to worry about an external LB, I simply had multiple virtual hosts configured in my Nginx config. However, since HTTPS terminates at the LB, I need to deploy a single cert to the load balancer. I believe my best option is to combine the certificates so I can deploy to the load balancer. To import the certificate, I need to copy / paste in the Certificate body, Certificate private key, and Certificate chain - optional.

Is it possible to combine these certs? If so - how? Perhaps I'm on the wrong lines? Any help gratefully received. Thanks in advance.


Hi @VaguelyOnline, and welcome to the LE community forum :slight_smile:

No; You would need to obtain a new certificate with all the required entries in it.


Can't you use an AWS ACM cert in the LB? Then your LE cert is only used for HTTPS between the LB and your origin server (if you even use HTTPS for that).


@rg305 Thanks for the response. Is it possible perhaps to:

  1. Obtain the wildcard cert using DNS verification
  2. Run certbot, with --cert-name referencing the cert provisioned above, and use the --expand option to add a new domain to the existing certificate

Would any of that work?


Thanks for the response, but I think this misses the issue. I want to use Let's Encrypt to enable HTTPS for both wildcard (*.example.com), and also for other custom domains (other.com, other2.com), and since the load balancer will only allow me to import a single HTTPS certificate, I want to try and end up with a single certificate. That either means getting the certs separately and combining them, or somehow provisioning a cert with support for both domains.

Hopefully that's possible. Make sense?

I understand what you said but I think there is another way to achieve that. You can get a cert from AWS ACM instead of having to import one. The AWS cert supports wildcards and additional domain names. I was just offering it as an alternative.


I see - thanks for clarifying :-).
Yes, you're right that ACM does support a combination of wildcard and specific domains. Our particular problem is that whenever a customer decides they want a new custom domain, we can't add a domain to an existing certificate. We have to provision a new certificate, which (we think) seems to mean that we'll need to re-verify the domains over again. This could be awkward for our users, so I'm hoping that we will be able to work around this by having some process where we can manage it all using Let's Encrypt. It may be that we can make this work using ACM if certbot / Let's Encrypt doesn't have a way of doing this that I can figure out :-).

Thanks again for the thoughts and suggestion.

A1. Yes; DNS "verification" is required for wildcard certs.
A2. --cert-name with --expand will only "work" when that cert is already known [exists locally].
It will not work from any other system.
[If it could, I could expand your cert onto my system.]

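The two answers above (one new certificate with every name in it, issued via DNS-01 because of the wildcard, and --cert-name/--expand only working on the machine that already holds that certificate) come together in the workflow below. This is an added example, not code posted by anyone in the thread: the hostnames are placeholders, `tenant-bundle` is a made-up --cert-name, and the certbot command is only printed, not executed, so the script runs offline. It also splits a certbot fullchain.pem into the leaf ("Certificate body") and the intermediates ("Certificate chain") that the ACM import form asks for; the private key is privkey.pem in the same live/ directory and is not touched here.

```shell
#!/bin/sh
# Added example for the thread above; not the original poster's or certbot's code.
# Hostnames, the cert name "tenant-bundle" and the sample PEM in the usage
# section are constructed placeholders.

# Reject names Let's Encrypt will not issue for: a wildcard is only accepted as
# the leftmost label ("*.example.com"), never nested or embedded.
check_domains() {
    for d in "$@"; do
        case "$d" in
            '*.'*'*'*) echo "nested wildcard not allowed: $d" >&2; return 1 ;;
            '*.'*) ;;                                  # single-level wildcard: fine
            *'*'*) echo "wildcard must be leftmost label: $d" >&2; return 1 ;;
        esac
    done
    return 0
}

# Build (but do not run) the certbot command that issues ONE certificate holding
# every name. --preferred-challenges dns is mandatory because of the wildcard;
# --cert-name keeps re-runs attached to the same lineage and --expand lets a
# later run add names. Re-running on another host will not expand anything,
# because that host has no lineage of this name (see the answer above).
build_certbot_cmd() {
    name=$1; shift
    check_domains "$@" || return 1
    cmd="certbot certonly --manual --preferred-challenges dns --cert-name $name --expand"
    for d in "$@"; do
        cmd="$cmd -d '$d'"
    done
    printf '%s\n' "$cmd"
}

# Split a fullchain.pem: first PEM block -> leaf cert (ACM "Certificate body"),
# remaining blocks -> intermediates (ACM "Certificate chain").
split_fullchain() {
    fullchain=$1; cert_out=$2; chain_out=$3
    : > "$cert_out"; : > "$chain_out"          # chain may legitimately end up empty
    awk -v cert="$cert_out" -v chain="$chain_out" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { if (n == 1) print > cert; else if (n > 1) print > chain }
    ' "$fullchain"
}

# Number of PEM certificate blocks in a file (sanity check before importing).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Usage (constructed sample data; a real run would point at
# /etc/letsencrypt/live/tenant-bundle/fullchain.pem):
if [ "${SPLIT_DEMO:-0}" = 1 ]; then
    build_certbot_cmd tenant-bundle '*.example.com' example.com other.com other2.com
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAFDATA' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'INTERMEDIATEDATA' '-----END CERTIFICATE-----' \
        > "$tmp/fullchain.pem"
    split_fullchain "$tmp/fullchain.pem" "$tmp/cert.pem" "$tmp/chain.pem"
    echo "leaf certs: $(count_certs "$tmp/cert.pem"), chain certs: $(count_certs "$tmp/chain.pem")"
fi
```

Run with `SPLIT_DEMO=1 sh script.sh` to see the generated certbot line and the split of a constructed two-block bundle. After a real issuance, `openssl x509 -in cert.pem -noout -ext subjectAltName` is the quick way to confirm that every tenant and custom domain is actually in the one certificate before pasting it into the ACM import form.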

You said you can only import one cert so Let's Encrypt will also require authentication for every domain in the single cert.

I'm not sure why authenticating should be a problem if you are managing the domains. But, you know your app best.


They are tenant domains for customers of our saas. So a client may like to have service.example.com as a subdomain so that their users logging in recognize the domain and it feels like a cohesive part of their service. Hope this makes sense.

Thanks. Yes, as a conceptual model. But these can be designed in various ways. I was just making you aware of AWS ACM certs in case you hadn't seen them. You were wondering how to get LE certs to support your LB, so I thought this might be an easier approach. That's ultimately for you to assess.

