Edit: So for the _acme-challenge.test.com challenges I now need to add them to the domain.com DNS, since now test.com points to domain.com’s IP. So the remaining question is: how to add the generated certificates to the server (apache2) without a restart, etc.
For the Control Panel on the VPS I use VestaCP which supports Let’s Encrypt SSL but not the wildcards (?yet).
You need to understand how DNS works (and then also how SNI and TLS work).
DNS
A CNAME merely forwards a DNS request from one name to another name; but it is still just a DNS request.
It will NOT change the name of the request.
So https://test.com/ will remain a request to https://test.com/ when it reaches the IP found for test.domain.com.
SNI
If you want the same site to be accessed for both test.com and test.domain.com, as you seek, then you will need to append the server name (or server alias) of test.com to the vhost config for test.domain.com.
TLS
When you reach a site that has a cert that doesn’t match the name, you will get a security alert [test.com NOT in cert (domain.com, *.domain.com)].
Thank you. Then if I add the server alias of test.com to test.domain.com, is there a way to generate a certificate just for test.com and have it added at runtime to the server? Without regenerating the one for domain.com to include test.com?
Sure, but if it's a separate certificate, your web server software will probably expect you to configure it as a separate virtual host, which might not be the way you would have expected to configure it.
At least not of the same type…
You can usually use an ECC and an RSA cert in the same vhost.
But if they are serving different names… Well that’s just going to create some major confusion.
Different names serving different content from the same IP was pretty much the reason for SNI.
Learn it, use it, and enjoy
But, if you want to serve the same content under different names, with different certs, many web servers may require you to make two separate virtual hosts (which might independently have the same configuration!). This is just because there commonly isn’t a way to specify two separate certificates within the same virtual host configuration, not because SNI couldn’t in principle allow the web server to figure out which certificate to use within a virtual host as opposed to the more common implementation approach of helping to select the appropriate virtual host.
One cert can only hold 100 entries.
Each entry could be a wildcard…
So you could do an infinite number of domains from the same cert - only if they share the same base domains (limited to 100 unique base domains).
Note: wildcards don’t cover the base domain. If you also need to cover those, then it’s 50+50 (50 unique wildcard entries + 50 unique base domain entries) per cert.
So if you wanted to cover 1000 base domains and the matching 1000 wildcards…
You would need at least 20 certs and 20 vhost config blocks (one for each cert).
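The name-matching rule behind the alert described earlier (test.com is not in a cert for domain.com and *.domain.com) and the note that a wildcard does not cover its base domain, as an added shell example that is not part of this thread; the SAN lists are constructed sample values:

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a certificate's
# Subject Alternative Names cover a requested host name, using the rules
# browsers apply (RFC 6125): comparison is case-insensitive, and a
# wildcard replaces exactly one leftmost label, so *.domain.com covers
# test.domain.com but neither domain.com nor a.b.domain.com.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches_host SAN HOST -> exit 0 if the single SAN entry covers HOST
san_matches_host() {
    san=$(lower "$1"); host=$(lower "$2")
    case "$san" in
        '*.'*)
            suffix=${san#\*.}               # the part after "*."
            prefix=${host%".$suffix"}       # host with ".suffix" stripped
            # host must end in ".suffix" and leave exactly one label
            [ "$prefix" != "$host" ] && [ -n "$prefix" ] && \
                [ "$prefix" = "${prefix#*.}" ]
            ;;
        *)  [ "$san" = "$host" ] ;;
    esac
}

# cert_covers_host "san1, san2, ..." HOST -> prints yes/no, exit 0 if covered
cert_covers_host() {
    host=$2
    IFS=','; set -- $1; unset IFS          # split the comma-separated SAN list
    for san in "$@"; do
        san=$(printf '%s' "$san" | tr -d ' ')
        if san_matches_host "$san" "$host"; then echo yes; return 0; fi
    done
    echo no; return 1
}

# Example from the thread: test.com reaches an IP whose cert lists
# domain.com and *.domain.com, so the browser raises a name mismatch.
cert_covers_host 'domain.com, *.domain.com' test.com         # no
cert_covers_host 'domain.com, *.domain.com' test.domain.com  # yes
cert_covers_host '*.domain.com' domain.com                   # no (base not covered)
```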
That can’t be, there has to be some automation as users will create many websites per day. How does Tumblr do it? Wordpress? Shopify? They are in the same scenario explained in the 1st post.
I’m a little unclear on your question; do you think you could clarify it a bit?
One issue is about Let’s Encrypt rate limits (how many certificates you can issue per week). In this case many of the large web sites that host per-customer subdomains have either obtained wildcards (which cover every customer subdomain with a single certificate), or rate limit exemptions (by explaining their issuance needs to Let’s Encrypt).
Another issue is about how a web server handles the existence of large numbers of distinct certificates. In this case the web server should be able to use SNI to pick the right certificate if the web server has been made appropriately aware of the existence of all of them. Popular servers like nginx and Apache already support SNI, but they usually support it in conjunction with virtual hosts, so that the server can pick an appropriate virtual host based on the hostname requested by the client using SNI.
If you have an extremely large number of separate certificates, you might need to consider whether you need some kind of customized software in order to scale up—but I have a feeling that nginx’s virtual host support is relatively scalable here.
In general, SNI is the core technology that allows multiple sites to share the same IP address, and it’s already supported by all modern web browsers and all modern web servers, and normally used automatically on every connection.
First thank you for helping! So I got it working with the following solution you guys gave me:
Create a Virtual Host for the new domains but use the same <Directory> as domain.com, so the same html/php files but allowing SSL for each domain. This can be automated by script.
Unfortunately, you must restart a web server whenever a cert, or a name, is added that is “new” to the system.
The good news is that you don’t have to do a hard stop/start.
Look into this: https://httpd.apache.org/docs/2.4/stopping.html#graceful
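The automation described in the thread (one vhost per new domain, same DocumentRoot, its own cert, then a graceful reload instead of a hard restart) as an added shell example that is not part of this thread. It assumes a Debian-style Apache layout (sites-available, a2ensite, apachectl) and certificates already issued under certbot's /etc/letsencrypt/live/<domain>/ layout; the DocumentRoot path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): generate an Apache vhost for a new
# customer domain that serves the SAME content as domain.com but with its
# own certificate, then apply it with "apachectl graceful" so existing
# connections finish and no hard stop/start is needed.

DOCROOT=/var/www/domain.com/public_html   # shared site content (assumed path)
SITES=/etc/apache2/sites-available        # Debian-style layout (assumed)

# render_vhost DOMAIN -> prints the vhost block for DOMAIN on stdout
render_vhost() {
    domain=$1
    cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    # The cert below must also list every alias, or browsers report a name mismatch
    ServerAlias www.$domain
    DocumentRoot $DOCROOT
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
    <Directory $DOCROOT>
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# add_vhost DOMAIN -> writes, validates and activates the vhost; refuses to
# touch Apache when the cert files are missing or the config does not parse
add_vhost() {
    domain=$1
    for f in fullchain.pem privkey.pem; do
        [ -r "/etc/letsencrypt/live/$domain/$f" ] || {
            echo "missing /etc/letsencrypt/live/$domain/$f" >&2; return 1; }
    done
    render_vhost "$domain" > "$SITES/$domain-ssl.conf"
    a2ensite "$domain-ssl.conf"
    # configtest first: a broken vhost would otherwise make the reload fail
    apachectl configtest && apachectl graceful
}

# Usage (as root, after the cert for the domain exists): add_vhost test.com
```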