We’ve been using a PositiveSSL Multi-Domain Cert for some years, and that’s been working fine. Under that Cert, we have, for instance:
etc., with a total of 5 different domains.
Now, since we’re going to expand our domain base and the current Cert is expiring, we’re looking closely at Let's Encrypt.
Before I get into this, however, I’d like to know a couple of things:
(1)- does every subdomain (mail., www., etc.), as well as its respective main domain, have to be listed in the main certificate? I’m mainly asking that because (a) that was my original understanding, and (b) the verification stage with Let's Encrypt will differ (preferred-challenges=dns instead of the default Apache-based one), which will lead me to add DNS records for each domain/subdomain.
(2)- if it is indeed needed (and if I have no choice but to use preferred-challenges=dns), at the time of the next Cert renewal (i.e. < 90 days), do the DNS records still have to be present? I’m asking this because last time I left the DNS records in place after creation, the mail server couldn’t be reached anymore after the DNS propagation time. I’m pretty sure that it was because of my bad setup, but it’s a risk I prefer to avoid taking.
(3)- if I’m missing something here or you have better advice to give me, let me know.
Happy to hear you're evaluating Let's Encrypt. I hope it works out for your use-case!
Yes, every domain name that the certificate will be used for has to be included. Let's Encrypt will validate each of the domain names in the certificate, so all of them will require DNS records to be added if you are using DNS-01 validation.
It will be required to re-validate the domains every 90 days. This will require adding a new TXT record each time. Leaving the old TXT records from a previous validation will not work; the value changes each time.
Thanks a lot for your reply, @cpu. I understand that a little better now. I definitely want to use Let’s Encrypt; the only issue is me/my limited understanding here, not the product.
One last question: when using an SSL certificate for mail.domain1.com, the only way to validate it is through DNS-01 validation, is that right? The Apache validation (or any other way) wouldn’t work, I suppose?
You don't have to use DNS-01. There are also the HTTP-01 and TLS-SNI-01 challenge types. If you already have an Apache instance running I recommend using HTTP-01. If you don't have a webserver on the machine that runs mail.domain1.com you can still use HTTP-01: Certbot has a feature called "standalone" mode where it can start up a small purpose-built webserver to answer HTTP-01 challenges to provision a certificate.
Thanks, @cpu. The server that’s hosting all domains and subdomains in question is indeed running an Apache server. I did try to validate all subdomains running on the Apache web server with HTTP-01, and it worked very well, as advertised.
The only thing I couldn’t validate, however (well, I did not succeed in validating), was the mail. subdomain. You mean to say that I can do HTTP-01 challenge validation even though mail. is a mail, i.e. SMTP/IMAP, server? I didn’t think it was possible. Could you send me some pointers on how to make this work?
To use HTTP or TLS-SNI validation on a non-web server, you would run something like:
certbot certonly --standalone -d mail.example.com
You still need to have port 80 or 443 open in your firewall to use this method, but you need no server running on those ports.
I’m not sure which port certbot uses by default. If you only want to open one port you can specify the challenge type explicitly, e.g. --preferred-challenges http to use port 80 or --preferred-challenges tls-sni to use port 443.
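Two points in this thread are easier to see in code than in prose: why a TXT record left over from the last DNS-01 validation cannot satisfy the next one, and what the "standalone" responder for HTTP-01 on a mail host actually has to answer. The following is an added illustration, not code from the thread, from Certbot or from Let's Encrypt. It follows the ACME specification (RFC 8555 sections 8.1, 8.3 and 8.4, with the account-key thumbprint from RFC 7638). The account JWK and the two challenge tokens are constructed placeholders, not real key material, and `Http01Handler` is a teaching stand-in for Certbot's standalone webserver, not its implementation.

```python
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def b64url(data: bytes) -> str:
    """ACME uses base64url without '=' padding (RFC 8555 section 2.2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required public members of the key,
    lexicographically ordered, serialized with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: <token> '.' <thumbprint of the ACME account key>.
    The token is chosen fresh by the CA for every challenge, so this string,
    and everything derived from it, is different on every (re)validation."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """RFC 8555 section 8.4: TXT record name and value the CA will look up."""
    name = f"_acme-challenge.{domain}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def ca_accepts_txt(published_value: str, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA side of DNS-01: recompute the value expected for *this* token and
    compare it with what DNS returns. A record left over from an earlier
    validation was derived from an earlier token and never matches."""
    _, expected = dns01_record(domain, token, account_jwk)
    return published_value == expected


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """RFC 8555 section 8.3: the CA fetches http://<domain>/.well-known/acme-challenge/<token>
    on port 80 and expects the key authorization as the body. No web site is needed,
    only something listening on port 80 that returns this one string."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


class Http01Handler(BaseHTTPRequestHandler):
    """Minimal stand-in for a standalone HTTP-01 responder: serves only the
    challenge paths registered in `pending` and answers 404 to everything else."""

    pending: dict[str, str] = {}  # request path -> key authorization

    def do_GET(self) -> None:
        body = self.pending.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


# Constructed placeholders (not a real RSA key, not real CA-issued tokens).
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-placeholder-not-a-real-key", "e": "AQAB"}
TOKEN_FIRST_ISSUANCE = "tokenFromFirstIssuance_AAAAAAAAAAAAAAAAAAAAAA"
TOKEN_RENEWAL = "tokenFromRenewal90DaysLater_BBBBBBBBBBBBBBBB"

if __name__ == "__main__":
    name, first_value = dns01_record("mail.example.com", TOKEN_FIRST_ISSUANCE, ACCOUNT_JWK)
    _, renewal_value = dns01_record("mail.example.com", TOKEN_RENEWAL, ACCOUNT_JWK)
    print(f"{name} TXT {first_value}   (first issuance)")
    print(f"{name} TXT {renewal_value}   (renewal)")
    print("stale record accepted at renewal:",
          ca_accepts_txt(first_value, "mail.example.com", TOKEN_RENEWAL, ACCOUNT_JWK))
    path, body = http01_response(TOKEN_RENEWAL, ACCOUNT_JWK)
    Http01Handler.pending[path] = body
    print("HTTP-01 would serve", path, "->", body)
    # To actually answer the CA you would bind port 80 (needs root and an open
    # firewall), e.g. HTTPServer(("", 80), Http01Handler).serve_forever()
```

Running the script prints two different `_acme-challenge.mail.example.com` values for the two tokens and reports that the first value is not accepted for the renewal, which is the reason a TXT record from the previous validation cannot be reused. The HTTP-01 half shows why a mail host needs no web site for standalone mode: the only request the CA makes is a GET for one path under `/.well-known/acme-challenge/`, and the only thing that must be served is the key authorization string.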