Is it possible to "bundle" all certificates on a server?


#1

Hi,

I’m using letsencrypt/certbot for managing SSL certificates, and I must say I’m quite happy so far, since everything works nice and this is finally a relatively hassle-free way of getting free certificates.

I have several domains to manage, and each domain often has several subdomains. For the moment, I have one script per domain to automate the process. Here’s an example:

#!/bin/bash
#
# Create/renew SSL/TLS certificates for slackbox.fr.

DOMAIN="slackbox.fr"
DIRNAM="slackbox"
ENCRYPT="/usr/bin/certbot"
CHGRP="/usr/bin/chgrp"
CHMOD="/usr/bin/chmod"
CERTGRP="certs"
EMAIL="info@microlinux.fr"
OPTIONS="certonly \
         --preferred-challenges tls-sni-01 \
         --email $EMAIL \
         --renew-by-default \
         --agree-tos \
         --text \
         --standalone"

# Create $CERTGRP group 
if ! grep -q "^$CERTGRP:" /etc/group ; then
  groupadd -g 240 $CERTGRP
  echo ":: Added $CERTGRP group."
  sleep 3
fi

# Stop Apache
echo ":: Stopping Apache."
if ps ax | grep -v grep | grep httpd > /dev/null ; then
  /etc/rc.d/rc.httpd stop > /dev/null 2>&1
  sleep 5
fi

$ENCRYPT $OPTIONS -d www.$DOMAIN -d $DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-secure/htdocs

$ENCRYPT $OPTIONS -d mail.$DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-webmail/htdocs

$ENCRYPT $OPTIONS -d compta.$DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-dolibarr/htdocs

# Fix permissions
echo ":: Setting permissions."
$CHGRP -R $CERTGRP /etc/letsencrypt
$CHMOD -R g=rx /etc/letsencrypt

# Start Apache
echo ":: Starting Apache."
/etc/rc.d/rc.httpd start

And here’s a similar script for a different domain. Note that I bought these two mainly to play around:

#!/bin/bash
#
# Create/renew SSL/TLS certificates for unixbox.fr.

DOMAIN="unixbox.fr"
DIRNAM="unixbox"
ENCRYPT="/usr/bin/certbot"
CHGRP="/usr/bin/chgrp"
CHMOD="/usr/bin/chmod"
CERTGRP="certs"
EMAIL="info@microlinux.fr"
OPTIONS="certonly \
         --preferred-challenges tls-sni-01 \
         --email $EMAIL \
         --renew-by-default \
         --agree-tos \
         --text \
         --standalone"

# Create $CERTGRP group 
if ! grep -q "^$CERTGRP:" /etc/group ; then
  groupadd -g 240 $CERTGRP
  echo ":: Added $CERTGRP group."
  sleep 3
fi

# Stop Apache
echo ":: Stopping Apache."
if ps ax | grep -v grep | grep httpd > /dev/null ; then
  /etc/rc.d/rc.httpd stop > /dev/null 2>&1
  sleep 5
fi

$ENCRYPT $OPTIONS -d www.$DOMAIN -d $DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-secure/htdocs

$ENCRYPT $OPTIONS -d mail.$DOMAIN \
  --webroot-path /srv/httpd/vhosts/$DIRNAM-webmail/htdocs

# Fix permissions
echo ":: Setting permissions."
$CHGRP -R $CERTGRP /etc/letsencrypt
$CHMOD -R g=rx /etc/letsencrypt

# Start Apache
echo ":: Starting Apache."
/etc/rc.d/rc.httpd start

I simply put these scripts in /etc/cron.monthly on my server, and certificates are renewed every month. So far I’ve only been using SSL certificates for HTTPS, and this works fine.

For the last few days I’ve been experimenting with using these certificates for my mail server with Postfix and Dovecot. I’ve managed to get it to work perfectly, but I’ve come to a roadblock, because Postfix won’t let me configure different SSL certificates for different domains.

Here’s a very vague idea, and I confess I’m in new territory here. Currently certificates are all stored under /etc/letsencrypt/live, in a series of directories, one per domain and/or subdomain. Here’s what this looks like on my sandbox server:

# ls -1 /etc/letsencrypt/live/
compta.slackbox.fr
mail.slackbox.fr
mail.unixbox.fr
www.slackbox.fr
www.unixbox.fr

And here comes the question (finally). Is it possible to bundle up all my certificate files on the server into one big file bundle that I could put in /etc/letsencrypt/live/bundle/ or a similar custom location?

Cheers from the sunny South of France,

Niki


#2

Hi @kikinovak

In short, as long as all your domains are with one Certificate Authority (e.g. LetsEncrypt) you can create a SAN certificate.

A SAN certificate allows multiple domain names in one certificate.

Please note: you will still need to validate each domain; however, if the validations are done right you should be able to have one certificate for all your domains.

A SAN example is below.

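The SAN approach from this reply, as an added example that is not code from the thread: one certbot run requesting a single certificate for every name the per-domain scripts in the question asked for, using the webroot authenticator instead of --standalone so Apache keeps running. The docroots, e-mail address and certificate name are assumptions modelled on the question; the resulting /etc/letsencrypt/live/bundle/ directory is the one file set a non-SNI service such as Postfix can be pointed at.

```bash
#!/bin/bash
# Added example, not the thread's own code: request ONE SAN certificate that
# covers every name the per-domain scripts above ask for, via certbot's
# webroot authenticator (so Apache keeps running, unlike --standalone).
# Assumed (not stated in the thread): certbot with --webroot/-w, --cert-name
# and --expand; the vhost docroots are those used in the original scripts.
CERTBOT="/usr/bin/certbot"
EMAIL="info@microlinux.fr"
CERT_NAME="bundle"   # result lands in /etc/letsencrypt/live/bundle/

# "docroot:name[,name...]" pairs. Each docroot must serve
# http://<name>/.well-known/acme-challenge/ for the names listed after it.
SITES=(
  "/srv/httpd/vhosts/slackbox-secure/htdocs:slackbox.fr,www.slackbox.fr"
  "/srv/httpd/vhosts/slackbox-webmail/htdocs:mail.slackbox.fr"
  "/srv/httpd/vhosts/slackbox-dolibarr/htdocs:compta.slackbox.fr"
  "/srv/httpd/vhosts/unixbox-secure/htdocs:unixbox.fr,www.unixbox.fr"
  "/srv/httpd/vhosts/unixbox-webmail/htdocs:mail.unixbox.fr"
)

# Emit the certbot argument list, one argument per line. In webroot mode a
# -w path applies to every -d that follows it until the next -w, so the
# pairs above map directly onto the argument order.
build_certbot_args() {
  printf '%s\n' certonly --webroot --non-interactive --agree-tos \
    --email "$EMAIL" --cert-name "$CERT_NAME" --expand
  local entry names name
  for entry in "${SITES[@]}"; do
    printf '%s\n' -w "${entry%%:*}"
    names="${entry#*:}"
    while [ -n "$names" ]; do
      name="${names%%,*}"
      printf '%s\n' -d "$name"
      [ "$names" = "$name" ] && break
      names="${names#*,}"
    done
  done
}
# Names the issued certificate must list in subjectAltName, one per line;
# compare against `openssl x509 -in .../fullchain.pem -noout -text` afterwards.
expected_names() {
  build_certbot_args | awk 'p {print; p=0} $0 == "-d" {p=1}'
}
# Only talk to the CA when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
  mapfile -t ARGS < <(build_certbot_args)
  "$CERTBOT" "${ARGS[@]}"
fi
```

Run it as `bundle.sh --run` from cron instead of the per-domain scripts; later renewals reuse the same certificate name, so the paths under /etc/letsencrypt/live/bundle/ stay stable for Postfix and Dovecot.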

#3

That worked. Thanks very much.


#4

Firstly, that would be possible obviously, with some scripting. You seem to have quite a good grip on that :wink:

But secondly: what would you gain by making such a bundle? Postfix does not support the SNI extension on its server side:

There are no plans to implement SNI in the Postfix SMTP server. (source)

So the alternative would be, for such a bundle to work, that Postfix just outputs all the certificates in the bundle to the client… But I’m quite sure Postfix isn’t that stupid?
