What is the best way for creating SSL Certificates on multiple local Domains?


#1

Hello,

I’m the sysadmin of a web agency with about 20 developers. Every developer has their own virtual machine (Debian 8, Apache 2.4) which is available under {developer}.dev.example.com. Every project that is checked out runs under {project}.{developer}.dev.example.com. We also have a local DNS server which maps all these domains.
What I’m trying to do now is create an SSL certificate for every project of every developer.

Here is my problem:
I already managed to create one certificate per developer with multiple subdomains, which is validated on a public remote server (validated through http-01). But every time a new project has been added I have to renew the certificate, and this can be per developer. But the expand/renew limit is about 20 per week for the example.com domain and not for my subdomains.
Wildcards are not possible because I do not have access to a DNS server with an API.
Can anybody tell me what else I can do?

I hope you understand my problem :sweat_smile:


#2

Hi,

In this case, have you tried to create a local trusted CA? (Just trusted by local devices.)

Follow this guide to create one…
https://jamielinux.com/docs/openssl-certificate-authority/

P.S. I’m not the person who created this guide…

Thank you


#3

Hi,
Thanks for the answer. Yes, I’ve already tried something like this, but then everyone has to trust this certificate per browser. That will eventually be Plan Z :sweat_smile:


#4

Okay…

Since you are using a domain mapper and need wildcard domains (http-01 is going to be painful)

Your options are limited…

You could either try to get an API for your DNS (only for dev.example.com, meaning only allow edits on that host) or create your own CA / purchase a wildcard certificate for each developer in your agency (which doesn’t even make a plan…)

Getting a wildcard certificate from LE (even manually renewing every 3 months) would be efficient (since http validation for each developer will hit the rate limit…). It’s even better to combine all developer domains in one certificate, so you only renew once and get all developers covered.

Thank you


#5

Perhaps you can CNAME _acme-challenge.dev.example.com to another domain to which you have API access.

This would allow you to automatically issue wildcard certificates while avoiding changing your internal infrastructure in any meaningful way.


#6

Yeah, when I get it working with DNS, I will use only one certificate for all devs.
Which DNS Api can you recommend for this?


#7

When I create this CNAME, will this work for all sub-subdomains?


#8

All the CNAME would achieve would be to enable you to delegate the DNS challenge to another DNS provider.

It also means that you need a second domain and an account with a DNS provider with an API (such as Cloudflare).

That specific CNAME would be sufficient to issue certificates for:

  • dev.example.com
  • *.dev.example.com

Since the latter is a wildcard, it would work for any subdomain of dev.example.com.

https://github.com/joohoi/acme-dns may also be of interest to you; take a look at the README.


#9

OK, that means I have to create a CNAME for every developer (_acme-challenge.{developer}.dev.example.com) to another DNS, and then I can create a single certificate with all wildcard names. Did I understand that correctly? Sorry, I’m really new to this.

And when I install acme-dns for all those CNAMEs (which will eventually be only one DNS), this must work for DNS validation?

for example:
_acme-challenge.dev1.dev.example.com
_acme-challenge.dev2.dev.example.com

Single Certificate:
*.dev1.dev.example.com
*.dev2.dev.example.com


#10

Oh. If you need *.dev1.dev.example.com, this is going to be pretty painful. You are right that you will need to have a CNAME per ‘dev’.

I had assumed you only need a wildcard for *.dev.example.com.

I think you have the right idea in how it would work, but it might be more trouble than it’s worth. Depending how many developers you have, you may just end up being restricted by Let’s Encrypt’s rate limits.

Perhaps @stevenzhu’s advice about an internal CA is worth reconsidering.
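The per-developer CNAME delegation described in #8 and #10, as an added example that is not code from this thread, from certbot, or from the acme-dns project. It is a certbot `--manual-auth-hook` plus a small planning helper: one acme-dns registration per developer, a CNAME from `_acme-challenge.{dev}.dev.example.com` to that registration’s `fulldomain`, and one order carrying every wildcard as a SAN. Assumptions not in the thread: the hosted acme-dns instance at auth.acme-dns.io (a self-hosted one serves the same `/register` and `/update` endpoints), the registration values (constructed, not real), the hook path, and that the internal DNS admin adds the printed zone lines by hand.

```python
import json
import os
import urllib.request

# Assumption: the hosted acme-dns instance; a self-hosted acme-dns exposes
# the same /register and /update endpoints and the same API headers.
ACME_DNS_API = "https://auth.acme-dns.io"
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed sample of what acme-dns /register returns, keyed by the
# _acme-challenge name it serves. Values are fake; a real deployment keeps
# this in a file that only the hook's user can read.
SAMPLE_REGISTRATIONS = {
    "_acme-challenge.dev1.dev.example.com": {
        "username": "11111111-1111-1111-1111-111111111111",
        "password": "fake-api-key-dev1",
        "fulldomain": "4c4a2b3d-dev1.auth.acme-dns.io",
        "subdomain": "4c4a2b3d-dev1",
    },
    "_acme-challenge.dev2.dev.example.com": {
        "username": "22222222-2222-2222-2222-222222222222",
        "password": "fake-api-key-dev2",
        "fulldomain": "9e8f7a6b-dev2.auth.acme-dns.io",
        "subdomain": "9e8f7a6b-dev2",
    },
}


def challenge_name(domain):
    """DNS-01 looks for TXT at _acme-challenge.<name>. A wildcard
    *.dev1.dev.example.com is validated at _acme-challenge.dev1.dev.example.com,
    so one CNAME there covers that developer's whole wildcard (and nothing
    deeper: *.dev2 needs its own CNAME, which is the point of #10)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def cname_record(domain, registration):
    """Zone-file line to add to the internal DNS, one per developer."""
    return "%s. IN CNAME %s." % (challenge_name(domain), registration["fulldomain"])


def required_cnames(domains, registrations):
    """Every name in the planned certificate -> its CNAME line. Fails early on
    a developer with no acme-dns registration, before any order is placed."""
    out = {}
    for d in domains:
        key = challenge_name(d)
        if key not in registrations:
            raise KeyError("no acme-dns registration for " + key)
        out[key] = cname_record(d, registrations[key])
    return out


def certbot_args(domains, hook_path, staging=True):
    """One order, one certificate, N wildcard SANs. Staging first; drop the
    --server flag (staging=False) once the production rate limit has room."""
    args = ["certbot", "certonly", "--manual", "--preferred-challenges", "dns",
            "--manual-auth-hook", hook_path]
    if staging:
        args += ["--server", STAGING]
    for d in domains:
        args += ["-d", d]
    return args


def register(api=ACME_DNS_API):
    """POST /register: acme-dns answers with username, password, fulldomain, subdomain."""
    req = urllib.request.Request(api + "/register", data=b"{}", method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def update_payload(registration, token):
    """Body for POST /update. acme-dns keeps the two most recent TXT values,
    so a developer's base name and wildcard can validate in one order."""
    return {"subdomain": registration["subdomain"], "txt": token}


def update_txt(registration, token, api=ACME_DNS_API):
    body = json.dumps(update_payload(registration, token)).encode()
    req = urllib.request.Request(api + "/update", data=body, method="POST",
                                 headers={"Content-Type": "application/json",
                                          "X-Api-User": registration["username"],
                                          "X-Api-Key": registration["password"]})
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()


def hook_main(registrations, env=os.environ):
    """certbot exports the name being validated and the TXT value to publish."""
    reg = registrations[challenge_name(env["CERTBOT_DOMAIN"])]
    update_txt(reg, env["CERTBOT_VALIDATION"])
    return reg["fulldomain"]


if __name__ == "__main__":
    if "CERTBOT_DOMAIN" in os.environ:      # invoked by certbot as the hook
        hook_main(SAMPLE_REGISTRATIONS)
    else:                                   # planning mode: print what to configure
        names = ["*.dev1.dev.example.com", "*.dev2.dev.example.com"]
        for line in required_cnames(names, SAMPLE_REGISTRATIONS).values():
            print(line)
        print(" ".join(certbot_args(names, "/usr/local/bin/acme-dns-hook.py")))
```

Run it once without certbot variables to get the CNAME lines for the internal DNS and the certbot command; certbot then runs the same file once per SAN with `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` set. Because the API key in each registration can write only that developer’s TXT record, a compromised dev VM cannot prove control of any other developer’s name, which is the least-privilege argument for one registration per developer rather than one shared key.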


#11

I think it could work. My plan now will be:

  • Create a single certificate for every dev
  • This will only renew every 90 days
  • Every time we get/lose a dev, I have to add/remove the CNAME and expand the certificate

Then I hopefully run into no limit. Is this correct?


#12

It depends how many developers you have.

Let’s Encrypt has a limit of 20 certificates per registered domain per week (your registered domain is example.com).

Your plan could be viable for 5 or 10 devs, but unlikely to be viable for 100.

If you have a lot of dev churn, one certificate may be a mistake.

If you have many employees, many certificates may be a mistake.

Keep in mind that if you use Let’s Encrypt for other purposes under example.com (for example, production websites and services), they will compete for that rate limit. Calculate the risk to your org.


#13

But when I have one certificate with about 20 wildcards in it, then only one certificate will be registered, is this true? Then theoretically I will have 19 certificates left per week?

We also use it for production example.com and nowhere else.


#14

Yes, it will only count as 1/20. As long as you don’t need to re-issue it often, you should be OK.

You could also:

  • have a policy of only re-issuing the certificate on Mondays
  • pre-sign the certificate for dev1 through 100, even if you don’t have 100 devs yet, so you don’t need to update the cert when new devs rock up

Sounds like you’ve got a good plan anyway.


#15

Thanks a lot, you helped me really well. I’ll try all this next week and maybe I’ll ask some more questions :sweat_smile:

Another question: now my limit for example.com is exceeded, so I have to wait until next Friday. But when I’m trying with wildcards I will use ACME v2. Do I have to wait there also until Friday, or will there be a separate limitation?


#16

The rate limits are independent of version/shared between ACME v1 and v2. You’ll need to wait no matter what.

The one exception is the “300 New Orders per account per 3 hours.” limit, because it only exists in the v2 API.


#17

OK, but when I configure all my DNS and get it working with staging, this should theoretically also work with production?


#18

Oh, I didn’t realise you were asking about staging.

Yeah, you could set this up on ACME v2 staging right now no problem, and then just change it to production once your production rate limits have subsided.


#19

Ah, OK, perfect, thanks.

Have you already used acme-dns? Or would you suggest another tool?


#20

All my DNS hosts have APIs so I’ve not personally used it before.

It’s a good project though and probably the easiest path of any choice you have. It also has a hosted version (auth.acme-dns.io) if you want to take it for a spin without spending a lot of time.

EFF recently had a blog post that talks about acme-dns and other options: https://ssd.eff.org/en/blog/technical-deep-dive-securing-automation-acme-dns-challenge-validation