Support for sub-domains and wildcard certificates


#1

Hi,
We are interested in using LetsEncrypt but I am not sure will support our scenario. Let me explain.

We have a mixture of public facing and internal servers running Windows/Linux/Ubuntu. Some of these already have SSL certificates and DNS entries. For sake of arguments lets say our domain is ventureone.com.

  1. I want to know if LetsEncrypt allows me to cover this domain and sub-domains? For example, www.ventureone.com, mail.ventureone.com, docs.ventureone.com?

  2. Can LetsEncrypt handle two level sub-domain? For example, venture1.sales.ventureone.com, venture2.sales.ventureone.com. This is equivalent to a wildcard SSL which I know is not supported so is there away around it as I don’t think multi-domain SAN certificate supports a sub-domain of a sub-domain.

Thanks in advance for any help.


#2

Yes, you can get certificates for any subdomain combination. Note that you will have to pass the domain ownership challenge for each domain separately (i.e. passing the ownership challenge for simonbell.com does not automatically allow you to get certificates for any subdomain of simonbell.com). For internal servers that do not have a publicly accessible IP address, your best bet is probably the DNS-01 challenge type, which lets you verify domain ownership using a TXT record with a challenge token.

Certbot currently does not support this challenge type. My personal recommendation would be lego, as it has good documentation and a lot of available integration plugins for various DNS providers, allowing you to automate this challenge type. A number of other clients, such as the bash clients, support DNS-based challenges as well.

There are no limitations as to the “depth” of the domains included in your certificate - this should work. As long as you know the list of (sub)domains ahead of time, and you don’t need too many different domains covered, Let’s Encrypt would be fine for your use-case.

Some of the limits you should be aware of:

  • You can have up to 100 different FQDNs on the same certificate. As an example, you could have one certificate covering all domains from venture1.sales.simonbell.com to venture100.sales.simonbell.com.
  • You can get up to 20 certificates per week per registered domain (that would be simonbell.com in your example, so the TLD plus one DNS label). To pick up the previous example, you could get 20 certificates with 100 FQDNs per certificate, covering venture1.sales.simonbell.comventure2000.sales.simonbell.com in one week. Renewals do not count towards that limit, so in the following week you could add another 2,000 FQDNs.

#4

Good catch, thanks! Fixed it in my reply.


#5

hi pfg,

What about copying the keys to different servers? Once they are created can I do this or do i need to install create them on each server?


#6

Let’s Encrypt does not make any assumptions about how you’re going to deploy/share/copy your certificates and keys. The “end product” of the process are essentially two files (or three, if you count the intermediate certificate separately), and you can use them on as many servers as you want. Once you have your certificate, it’s no different from how things would work with a “regular” CA.

As an example use-case, it would be perfectly possible to have a centralized server for certificate management. This server might be responsible for solving the DNS challenge for your domains, storing the certificate and key files, and pushing them to your actual servers after issuance/renewal. This could be anything from a simple scp command followed by a remote configuration reload (to load the new certificate) to some kind of integration with your configuration management software if you use something like Ansible.


#7

Hi pfg,

So let say the certificates and keys are created on a centralized server and I have a pfx file. Can I import that pfx file to ‘Server Certiicates’ in IIS for a server mapped to one of the sub-domains listed in the certificate

Alternatively, I can create the certificate on the actual server if need be as well.

Sorry for all the question but traditionally we have purchased our SSL certificates so this is a bit of new way of thinking.

Thanks in advance.


#8

Yes, the certificates can be converted to pfx (most clients will create PEM files, so you’ll need to use something like openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem to do that) and imported in IIS. You can also use one of the dedicated Windows/IIS clients if you find a validation mechanism that works for your use-case - etsencrypt-win-simple, for example, can be used to automate this process.

Basically, once you pass the ownership challenge and get your certificate, you end up with the same set of files you’d get with any other CA. Your server software doesn’t really care about whether the certificate was issued by Let’s Encrypt or some other CA, it’s the same format. Any process that would work with a traditional CA should work with Let’s Encrypt as well.


#9

hi pfg,

Thanks for your continued support.

I already touched on to the “depth” of the domains LetsEncrypt can handle. In the past we have purchased a wildcard certificate for *.sales.domain.com. If my understanding is correct we would need to know the subdomains ahead of time when requesting the certificate. If we requested the certificate but then needed a certificate for subdomain not included in original certificate what would be the best option?


#10

Let’s Encrypt does not really dictate the preferred approach here, I would say it is up to you and your setup. Both issuing a new certificate including only the new subdomain and issuing a certificate that includes the existing subdomains plus the new one would increase your rate limit counter by exactly one. If you have a large number of subdomains, you’ll probably need to use larger SAN certificates with up to 100 domains each. If we’re only talking about a handful of subdomains with maybe 5 or 10 being added per month, you might be better off with one domain per certificate as that would keep things more manageable.


#11

Hi pfg,

Yes, you can get certificates for any subdomain combination. Note that you will have to pass the domain ownership challenge for each domain separately (i.e. passing the ownership challenge for simonbell.com does not automatically allow you to get certificates for any subdomain of simonbell.com).

If i list ventureone.com, docs.ventureone.com, mail.ventureone.com, sales.venture.ventureone.com in the certificate request how can i pass the domain ownership challenge? Would all of these domains have to map to the same server IP and would the request to be made from that server?

Thanks.


#12

It doesn’t matter what IPs the server(s) and client have as long as the correct challenge response is served. Assuming that the http-01 challenge is used then each server can serve the files for the domains it has or requests under /.well-known/acme-challenge/ can be redirected to one server that has all the files.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.