One issuer server for multiple servers


#1

Hello,

Is there an option to install “Let’s Encrypt” on one server and it issues a certificate for multiple servers?
I assume the server will ask for CSR of other servers and it’ll generate public & private keys.

Thanks.


#2

You can use the “manual” method (whereby you provide the CSR of other servers) yes.


#3

Even in manual mode there’s no explicit need to generate your own CSR: the Let’s Encrypt client can do that for you. Granted, if you generate all the private keys and CSRs on those other servers, it’ll save you the hassle of transferring the privkey.pem safely from the Let’s Encrypt client to those other servers in the case you let the client handle everything. But it is possible :wink:


#4

Thanks a lot for the quick response!
Is there any guide that explains about the manual method process?
What steps should I take to create the certificates?


#5

There is a detailed description at https://www.tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html of using manual mode if that helps.


#6

Sorry for the stupid question, but can you tell me where should I add [SAN] configuration?
For example:

[SAN]
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net

Maybe at: /etc/pki/tls/openssl.cnf ?


#7

Yes it would need to go into the openssl.cnf file - you can always copy the default file to an alternate file - see http://wiki.cacert.org/FAQ/subjectAltName


#8

Depends on your distribution. On my Gentoo it’s found in /etc/ssl/openssl.cnf


#9

Alright, I understood.
So I can create a new openssl.cnf file that contains the specific content, for example:

[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ san ]
subjectAltName=${ENV::SAN}

Am I right?


#10

Yes, and then you can use that specific config file with openssl by using the -config your_config_file.cfg option.


#11

I received the following error:

ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/4xKGIQeGfUexEHDaN66bGijM-4HUH4dwPQiqQQFLUJQ/1503077 (Status 400)

Do you know what it is?


#12

[quote=“asaf, post:11, topic:6562”]
Do you know what it is?
[/quote]
Do provide what command line you used.


#13

./letsencrypt.sh -config config.sh


#14

Sorry, I thought you were following the manual method as explained in https://www.tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html

and that you were (originally) trying to do the step

openssl req \
    -new -newkey rsa:2048 -sha256 -nodes \
    -keyout privkey1.pem -out signreq.der -outform der \
    -subj "/C=UK/ST=Some State/L=Some Place/O=example.com/emailAddress=webmaster@example.com/CN=example.com" \
    -reqexts SAN

since you were asking about the SAN. My comment about the -config was on that line (for openssl) and not the LE script.


#15

Ahh… alright,
By the way, I’ve tried to do the manual method but it didn’t work for me.

I added:

[SAN]
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net

to the openssl.cnf file and edited the config.sh file to point to the openssl.cnf file.
Then I wrote in the command line:

openssl req \
    -new -newkey rsa:2048 -sha256 -nodes \
    -keyout privkey1.pem -out signreq.der -outform der \
    -subj "/C=UK/ST=Some State/L=Some Place/O=example.com/emailAddress=webmaster@example.com/CN=example.com" \
    -reqexts SAN

and I received the following error:

Error Loading request extension section SAN


#16

Where does config.sh come from? :question:


#17

https://www.tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html doesn’t mention any config.sh file, so I have no idea what the config.sh file you edited was, but I don’t think it has anything to do with the openssl command, hence the openssl command has (I’m assuming) no idea about the local “openssl.cnf” file you created defining SAN. Hence you are getting the error loading the section “SAN”.


#18

OK… so where should I add:
[SAN]
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net

??


#19

You can either add it to your main openssl.cnf file, or you can copy / create a new openssl conf file (possibly called openssl-mydomain.cnf).

If you add it to the correct openssl.cnf file, you can use the openssl command as above (obviously changing the values for subject, keys etc). If you created openssl-mydomain.cnf then you will need to add -config openssl-mydomain.cnf onto the openssl command when generating the key and a Certificate Signing Request.
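The whole procedure the replies above describe, put together as an added example (this is not code from the thread, from the tty1.net post, or from any Let's Encrypt client): a dedicated openssl config whose [SAN] section reads the name list from an environment variable, the openssl req call with -config and -reqexts SAN, and a check that the resulting DER CSR really carries every hostname before you hand it to the ACME client. It assumes the openssl CLI is on PATH; the file names (san.cnf, privkey1.pem, signreq.der) and the /CN=example.com subject are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes `openssl` on PATH.
# File names and the example.com / example.net hostnames are placeholders.
set -u

# Write a minimal openssl config for CSR generation. The section name [SAN]
# must match the -reqexts argument exactly. subjectAltName is pulled from the
# SAN environment variable so one config file serves every server you issue for.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ SAN ]
subjectAltName = ${ENV::SAN}
EOF
}

# make_csr <config> <key-out> <csr-out> <cn> <san-list>
# Generates a fresh 2048-bit RSA key (unencrypted, like the thread's -nodes)
# and a DER-encoded CSR whose requested extensions include the SAN list.
# Returns openssl's exit status, so a missing [SAN] section fails loudly.
make_csr() {
    cfg=$1; key=$2; csr=$3; cn=$4
    SAN=$5 openssl req -config "$cfg" \
        -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$key" -out "$csr" -outform der \
        -subj "/CN=$cn" \
        -reqexts SAN
}

# csr_sans <csr.der>: print the DNS names the CSR requests, one per line.
# openssl prints the SAN list on the line after the extension header, so
# grab that line and split it on the commas.
csr_sans() {
    openssl req -in "$1" -inform der -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^ *DNS://'
}

# Demo: first the failure mode from the thread (no -config, so the section
# is unknown to openssl), then the working invocation and its SAN list.
demo() {
    dir=$(mktemp -d)
    list="DNS:example.com,DNS:www.example.com,DNS:example.net,DNS:www.example.net"
    write_san_config "$dir/san.cnf"

    if SAN=$list openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/k.pem" \
          -out "$dir/bad.der" -outform der -subj "/CN=example.com" \
          -reqexts SAN >/dev/null 2>&1; then
        echo "unexpected: the default openssl.cnf already defines a [SAN] section"
    else
        echo "without -config the request fails (Error Loading request extension section SAN)"
    fi

    make_csr "$dir/san.cnf" "$dir/privkey1.pem" "$dir/signreq.der" example.com "$list" \
        && echo "CSR requests these names:" \
        && csr_sans "$dir/signreq.der"
    rm -rf "$dir"
}
```

Run `demo` (or call make_csr directly with your own hostname list) on the machine that will keep the private key; only signreq.der needs to travel to the Let's Encrypt client, so the private key never leaves the server that uses it. Keep the CN inside the SAN list as well, since clients ignore the CN once a SAN extension is present.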


#20

Thank you very much!