SAN Cert with Domain Validation rather than Host Validation


#1

I’m trying to get a SAN Cert, but running into some problems. I’m using the following command:

./letsencrypt-auto certonly --standalone -d filter.domain.com -d domain.com -d cas2.domain.com

And it is able to validate filter.domain.com (the host I’m on), but not cas2.domain.com or domain.com, which are currently in use elsewhere in my environment.

Is there any way to get letsencrypt to take the validation for one host and use it for all hosts under that domain?


#2

Nope, that’s not possible. In many environments different hosts within a single domain are under the administrative control of totally different people or entities and we don’t currently have a way to confirm whether this is a case for a given domain or not. Sorry for the inconvenience!

You can take a look at threads talking about DNS validation challenges which would allow you to prove control of particular names by updating their DNS records rather than by making configuration changes on the associated hosts. Although this isn’t deployed yet, when it becomes available, it might be more convenient for your use case.


#3

Makes sense. Thank you.


#4

It should be possible. You could set up reverse proxies (using nginx for example) on cas2.domain.com and domain.com to forward requests for /.well-known/acme-challenge to the filter.domain.com server.

Although if you use the names on separate hosts, what’s the benefit of a single SAN certificate over separate certificates?


#5

The cert would be used on one server, but I wanted to build it in advance so that I could switch over with no downtime.


#6

You should be able to redirect http://domain.com/.well-known/acme-challenge/* and http://cas2.domain.com/.well-known/acme-challenge/* to filter.domain.com and provide the challenge there for verification.
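As an added example, not taken from this thread or from any poster, here is what the delegation suggested in #4 and #6 looks like as an nginx server block on cas2.domain.com (domain.com gets the same block with its own server_name). It assumes nginx is already serving plain HTTP on port 80 on that host, that filter.domain.com is reachable from it over HTTP, and that a document root of /var/www/cas2 stands in for whatever that host normally serves; all of those are assumptions for the example. Only the ACME challenge path is forwarded, so the rest of the site is unaffected.

```nginx
# Added example (not from the thread). Runs on cas2.domain.com and forwards
# only the ACME HTTP-01 challenge path to the host where
# letsencrypt-auto --standalone is answering challenges.
server {
    listen 80;
    server_name cas2.domain.com;

    # Option A: reverse proxy the challenge to filter.domain.com (post #4).
    # The standalone responder only matches the token in the URL, so the
    # Host header is set to the upstream name purely for tidiness; the
    # client address is passed along for upstream logging. Short timeouts
    # keep a missing responder (it only listens during issuance) from
    # hanging the connection; a 502 at other times is harmless.
    location /.well-known/acme-challenge/ {
        proxy_pass http://filter.domain.com;
        proxy_set_header Host filter.domain.com;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }

    # Option B, an alternative to A as post #6 describes: a plain redirect.
    # The Let's Encrypt validator follows HTTP redirects, so this works too
    # and needs no proxy module. Enable one option, not both.
    # location /.well-known/acme-challenge/ {
    #     return 301 http://filter.domain.com$request_uri;
    # }

    # Everything else keeps serving this host's normal content (assumed path).
    location / {
        root /var/www/cas2;
    }
}
```

After `nginx -t` and a reload, a request such as `curl -i http://cas2.domain.com/.well-known/acme-challenge/test` from outside the network should either return the upstream's response (Option A) or a 301 to filter.domain.com (Option B), while the same request to any other path still serves local content. Note that the standalone authenticator binds port 80 on filter.domain.com itself only while the certonly run is in progress, so start that run, then check that the forwarded request reaches it; leaving the forwarding in place permanently is fine since the path carries nothing but challenge tokens.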