I am running my application in AWS. I need to deploy a certificate to AWS Certificate Manager (ACM) so that I can deploy it to my load balancer. I can only deploy a single certificate. However, my platform hosts custom domains (which I provision using a standard cert with multiple domains: certbot -d example1.com,example2.com etc.), as well as tenant domains provisioned as subdomains (site.example.com). These subdomain tenants I manage via a wildcard certificate. This wildcard certificate is provisioned via DNS TXT record validation.
Hence I have 2 certificates - one for wildcard *.example.com, and one combining the custom domains. When I was hosting the application on a single node and didn't have to worry about an external LB, I simply had multiple virtual hosts configured in my Nginx config. However, since HTTPS terminates at the LB, I need to deploy a single cert to the load balancer. I believe my best option is to combine the certificates so I can deploy to the load balancer. To import the certificate, I need to copy / paste in the Certificate body, Certificate private key, and Certificate chain - optional.
Is it possible to combine these certs? If so - how? Perhaps I'm on the wrong lines? Any help gratefully received. Thanks in advance.
Thanks for the response, but I think this misses the issue. I want to use Let's Encrypt to enable HTTPS for both wildcard (*.example.com), and also for other custom domains (other.com, other2.com), and since the load balancer will only allow me to import a single HTTPS certificate, I want to try and end up with a single certificate. That either means getting the certs separately and combining them, or somehow provisioning a cert with support for both domains.
I understand what you said but I think there is another way to achieve that. You can get a cert from AWS ACM instead of having to import one. The AWS cert supports wildcards and additional domain names. I was just offering it as an alternative.
I see - thanks for clarifying :-).
Yes, you're right that ACM does support a combination of wildcard and specific domains. Our particular problem is that whenever a customer decides they want a new custom domain, we can't add a domain to an existing certificate. We have to provision a new certificate, which (we think) seems to mean that we'll need to re-verify the domains over again. This could be awkward for our users, so I'm hoping that we will be able to work around this by having some process where we can manage it all using letsencrypt. It may be that we can make this work using ACM if certbot / letsencrypt doesn't have a way of doing this that I can figure out :-).
A1. Yes; DNS "verification" is required for wildcard certs.
A2. --cert-name with --expand will only "work" when that cert is already known [exists locally].
It will not work from any other system.
[If it could, I could expand your cert onto my system.]
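The following script is an added example, not code from the thread or from certbot or AWS. It shows the workflow A2 alludes to (one lineage, grown with --cert-name and --expand on the host that owns it) together with the ACM side of the question: certbot's cert.pem, privkey.pem and chain.pem map onto ACM's "Certificate body", "Certificate private key" and "Certificate chain" fields, and once the first import has returned an ARN, every later issuance is reimported under that same ARN with --certificate-arn, so the load balancer listener never has to be re-pointed (ACM allows the SAN list to change on reimport). It assumes the zone is in Route 53 (certbot-dns-route53 plugin), a lineage named "platform", a tenant-domain list file with one FQDN per line, and a file that caches the ARN; all of these names are illustrative. One caveat worth knowing: certbot uses a single authenticator per run, so with the wildcard in the set, every custom domain in the same certificate must also pass DNS-01, which means their DNS must be under your control (or delegated to you).

```shell
#!/usr/bin/env bash
# Added example (not from the thread). One Let's Encrypt lineage covering
# *.example.com plus every tenant custom domain, reimported into the SAME
# ACM certificate ARN each time so the ALB listener is never touched.
# Names, paths and the domain-list format are assumptions for illustration.
set -eu

CERT_NAME="platform"            # certbot lineage name (assumed)
BASE_DOMAIN="example.com"       # parent zone of the wildcard (assumed)
LIVE_DIR="/etc/letsencrypt/live/${CERT_NAME}"

# Print certbot arguments for one certificate that covers the wildcard, the
# apex and every tenant domain in $1 (one FQDN per line, '#' comments allowed).
# --cert-name + --expand reissue the existing lineage with the larger SAN set
# instead of creating "platform-0001"; as the thread notes, that only works
# on the host that already holds the lineage.
certbot_args() {
  local file="$1" n=0 d label
  local args="certonly --dns-route53 --cert-name ${CERT_NAME} --expand"
  args="${args} -d *.${BASE_DOMAIN} -d ${BASE_DOMAIN}"
  while IFS= read -r d || [ -n "$d" ]; do
    d="${d%%#*}"                                  # drop trailing comment
    d=$(printf '%s' "$d" | tr -d ' \t\r')         # drop whitespace/CR
    [ -z "$d" ] && continue
    [ "$d" = "$BASE_DOMAIN" ] && continue         # apex already included
    label="${d%.${BASE_DOMAIN}}"
    if [ "$label" != "$d" ] && [ "${label#*.}" = "$label" ]; then
      continue                                    # one label below apex: the wildcard covers it
    fi
    case "$d" in
      *[!A-Za-z0-9.-]*|-*|.*) echo "bad domain: $d" >&2; return 1 ;;
    esac
    args="${args} -d ${d}"; n=$((n + 1))
  done < "$file"
  # Let's Encrypt caps a single certificate at 100 names.
  if [ "$((n + 2))" -gt 100 ]; then echo "too many names: $((n + 2))" >&2; return 1; fi
  printf '%s\n' "$args"
}

# Print the aws-cli arguments that import the lineage's current files, or,
# when an ARN is given, reimport in place. cert.pem is ACM's "Certificate
# body", privkey.pem the "Certificate private key", chain.pem (issuer chain
# without the leaf) the "Certificate chain".
acm_import_args() {
  local live="$1" arn="${2:-}"
  local a="acm import-certificate --certificate fileb://${live}/cert.pem"
  a="${a} --private-key fileb://${live}/privkey.pem"
  a="${a} --certificate-chain fileb://${live}/chain.pem"
  if [ -n "$arn" ]; then a="${a} --certificate-arn ${arn}"; fi
  printf '%s\n' "$a"
}

# Glue: issue/expand the lineage, then import it, caching the ARN after the
# first run so later runs reimport instead of creating a second certificate.
issue_and_import() {
  local domains_file="$1" arn_file="$2" arn=""
  if [ -f "$arn_file" ]; then arn=$(cat "$arn_file"); fi
  set -f                                          # keep "*.example.com" from globbing
  # shellcheck disable=SC2046
  certbot $(certbot_args "$domains_file")
  arn=$(aws $(acm_import_args "$LIVE_DIR" "$arn") --query CertificateArn --output text)
  set +f
  printf '%s\n' "$arn" > "$arn_file"
}

if [ "${1:-}" = "run" ]; then
  issue_and_import "${2:?domains file}" "${3:?arn file}"
fi
```

Run it as `./acm-sync.sh run /etc/letsencrypt/tenant-domains.txt /etc/letsencrypt/acm-arn.txt` whenever a tenant adds a custom domain; for ordinary renewals, the import half is what belongs in certbot's --deploy-hook so the ALB keeps receiving fresh certificates under the cached ARN.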
They are tenant domains for customers of our SaaS. So a client may like to have service.example.com as a subdomain so that their users logging in recognize the domain and it feels like a cohesive part of their service. Hope this makes sense.
Thanks. Yes, as a conceptual model. But, these can be designed in various ways. I was just making you aware of AWS ACM certs in case you hadn't seen them. You were wondering how to get LE certs to support your LB so I thought this might be easier approach. That's ultimately for you to assess.