SSL for other domains


#1

Hello, imagine this scenario:
domain.com *.domain.com (wildcard)

The configuration above works, there are SSL for the main site and all of the subdomains wildcard.

  1. Now imagine that on test.domain.com I created a website.
  2. Than I go and buy test.com and I want it to show the website at test.domain.com. To achieve that I go to the DNS of test.com and have the following lines changed:
    test.com. 300 IN A 100.100.100.100 # ip adress of domain.com
    www.test.com. 300 IN CNAME test.domain.com

Now test.com shows the website of test.domain.com but URL stays test.com.

How do I SSL test.com?

Thank you!

Edit: So for the _acme-challenge.test.com challenges I now need to add them to the domain.com DNS since now test.com points to the domain.com’s IP. So the remaining question is: how to add the generated certificates to server (apache2) without restart etc.

For the Control Panel on the VPS I use VestaCP which supports Let’s Encrypt SSL but not the wildcards (?yet).


#2

You need to understand how DNS works (and then also how SNI and TLS works).

DNS

A CNAME merely forwards a DNS request from one name to another name; but it is still just a DNS request.
It will NOT change the name of the request.
So https://test.com/ will remain a request to https://test.com/ when it reaches the IP found for test.domain.com.

SNI

If you want the same site to be accessed for both test.com and test.domain.com you seek, then you will need to append the server name (or server alias) of test.com to the vhost config for test.domain.com.

TLS

When you reach a site that has a cert that doesn’t match the name, you will get a security alert [test.com NOT in cert (domain.com, *.domain.com)].


#3

Thank you. Then if I add the server alias of test.com to test.domain.com, is there a way to generate a certificate just for test.com and have it appended on runtime to server? Without regenerating the one of domain.com to include test.com?


#4

Sure, but if it’s a separate certificate, your web server software will probably expect you to configure it as a separate virtual host, which might not be the way you would have expected to configure it.


#5

My site is the same virtual host but has different information based on the detected-sub-domain.domain.com or domain.

So just one virtual host domain.com, (*.domain.com is an alias of domain.com).


#6

The web server may not allow configuring two different certificates for the same virtual host, though.


#7

At least not of the same type…
You can usually use an ECC and an RSA cert in the same vhost.
But if they are serving different names… Well that’s just going to create some major confusion.
Different names serving different content from the same IP was pretty much the reason for SNI.
Learn it, use it, and enjoy :slight_smile:


#8

But, if you want to serve the same content under different names, with different certs, many web servers may require you to make two separate virtual hosts (which might independently have the same configuration!). This is just because there commonly isn’t a way to specify two separate certificates within the same virtual host configuration, not because SNI couldn’t in principle allow the web server to figure out which certificate to use within a virtual host as opposed to the more common implementation approach of helping to select the appropriate virtual host.


#9

What if I have an infinity of domains serving from the same IP, the same content? How to add SSL for them?

I’'ll read about SNI to find out more, thank you :slight_smile:


#10

One cert can only hold 100 entries.
Each entry could be a wildcard…
So you could do an infinite amount of domains from the same cert - only if they share the same base domains (limited to 100 unique base domains).

Note: wildcards don’t cover the base domain. If you also need to cover those, then it’s 50+50 (50 unique wildcard entries + 50 unique base domain entries) per cert.

So if you wanted to cover 1000 base domains and the matching 1000 wildcards…
You would need at least 20 certs and 20 vhost config blocks (one for each cert).


#11

That can’t be, there has to be some automation as users will create many websites per day. How does Tumblr do it? Wordpress? Shopify? They are in the same scenario explained in the 1st post.


#12

I don’t see how they are the same.
Maybe you could post some examples.


#13

I’m a little unclear on your question; do you think you could clarify it a bit?

One issue is about Let’s Encrypt rate limits (how many certificates you can issue per week). In this case many of the large web sites that host per-customer subdomains have either obtained wildcards (which cover every customer subdomain with a single certificate), or rate limit exemptions (by explaining their issuance needs to Let’s Encrypt).

Another issue is about how a web server handles the existence of large numbers of distinct certificates. In this case the web server should be able to use SNI to pick the right certificate if the web server has been made appropriately aware of the existence of all of them. Popular servers like nginx and Apache already support SNI, but they usually support it in conjunction with virtual hosts, so that the server can pick an appropriate virtual host based on the hostname requested by the client using SNI.

If you have an extremely large number of separate certificates, you might need to consider whether you need some kind of customized software in order to scale up—but I have a feeling that nginx’s virtual host support is relatively scalable here.

In general, SNI is the core technology that allows multiple sites to share the same IP address, and it’s already supported by all modern web browsers and all modern web servers, and normally used automatically on every connection.


#14

Some users have blogged about how they deploy many Let’s Encrypt certificates, but I’m not sure if those companies are among them.

Nginx users might be interested in OpenResty’s Lua SSL support.


#15

First thank you for helping! So I got it working :grinning: with the following solution you guys gave me:
Create Virtual Host for the new domains but use the same <Directory> as domain.com - so same html/php files but allowing SSL for each domain. This can be automated by script.

To be clear what the scenario was:
domain.com allows users to create websites under the username.domain.com
Then username wants to buy his own domain - username.com but wants the website from username.domain.com to show under username.com

Edit: I don’t know if it is possible to do this without restarting apache though.


#16

Unfortunately, you must restart a web server whenever a cert, or a name, is added that is “new” to the system.
The good news is that you don’t have to do a hard stop/start.
Look into this: https://httpd.apache.org/docs/2.4/stopping.html#graceful


#17

Awesome! Thank you very much! :smiley:


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.