I’m the sysadmin of a web agency with about 20 developers. Every developer has their own virtual machine (Debian 8, Apache 2.4) which is available under {developer}.dev.example.com. Every project that is checked out runs under {project}.{developer}.dev.example.com. We also have a local DNS server which maps all these domains.
What I’m trying to do now is create an SSL certificate for every project of every developer.
Here is my problem:
I already managed to create one certificate per developer with multiple subdomains, which is validated on a public remote server (validated through http-01). But every time a new project is added I have to renew the certificate, and this can happen per developer. But the expand/renew limit is about 20 per week for the example.com domain, not for my subdomains.
Wildcards are not possible because I do not have access to a DNS with an API.
Can anybody tell me what else I can do?
Hi,
Thanks for the answer. Yes, I’ve already tried something like this, but then everyone has to trust this certificate per browser. That will eventually be Plan Z.
Since you are using domain mapper and need wildcard domains (http-01 is going to be painful),
your options are limited…
You could either try to get an API for your DNS (only for dev.example.com, meaning only allow edits on that host) or create your own CA / purchase a wildcard certificate for each developer in your agency (which doesn’t even make a plan…).
Getting a wildcard certificate from LE (even renewing manually every 3 months) would be efficient (since HTTP validation for each developer will hit the rate limit…). It’s even better to combine all developer domains in one certificate… So you would only renew once and get all developers covered.
OK, that means I have to create a CNAME for every developer (_acme-challenge.{developer}.dev.example.com) to another DNS, and then I can create a single certificate with all wildcard names; did I understand that correctly? Sorry, I’m really new to this.
And when I install acme-dns for all those CNAMEs (which will eventually be only one DNS), this must work for DNS validation?
for example:
_acme-challenge.dev1.dev.example.com
_acme-challenge.dev2.dev.example.com
…
Single Certificate:
*.dev1.dev.example.com
*.dev2.dev.example.com
…
Oh. If you need *.dev1.dev.example.com, this is going to be pretty painful. You are right that you will need to have a CNAME per ‘dev’.
I had assumed you only need a wildcard for *.dev.example.com.
I think you have the right idea in how it would work, but it might be more trouble than it’s worth. Depending how many developers you have, you may just end up being restricted by Let’s Encrypt’s rate limits.
Perhaps @stevenzhu’s advice about an internal CA is worth reconsidering.
Let’s Encrypt has a limit of 20 certificates per registered domain per week (your registered domain is example.com).
Your plan could be viable for 5 or 10 devs, but unlikely to be viable for 100.
If you have a lot of dev churn, one certificate may be a mistake.
If you have many employees, many certificates may be a mistake.
Keep in mind that if you use Let’s Encrypt for other purposes under example.com (for example, production websites and services), they will compete for that rate limit. Calculate the risk to your org.
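To make the plan discussed above concrete (one _acme-challenge CNAME per developer delegated to acme-dns, then a single certificate carrying every *.{developer}.dev.example.com name, budgeted against the 20-certificates-per-week limit), here is an added example script that is not part of this thread. It assumes a hypothetical acme-dns host `auth.acme-dns.example.net`, constructed DNS answers instead of live lookups, and Let’s Encrypt’s cap of 100 names per certificate.

```python
"""Plan and sanity-check DNS-01 delegation for per-developer wildcard names.
Added example; the acme-dns host and DNS answers below are constructed."""

BASE_DOMAIN = "dev.example.com"               # from the thread
ACME_DNS_ZONE = "auth.acme-dns.example.net"   # hypothetical acme-dns host (assumption)
LE_CERTS_PER_WEEK = 20                        # per registered domain, as stated in the thread
LE_NAMES_PER_CERT = 100                       # Let's Encrypt cap on SANs in one certificate


def challenge_name(dev: str) -> str:
    """The name the CA queries for DNS-01 on *.<dev>.dev.example.com."""
    return f"_acme-challenge.{dev}.{BASE_DOMAIN}"


def cname_records(devs, acme_dns_targets):
    """CNAME record set to create in the local zone: one per developer,
    pointing at the acme-dns record registered for that developer."""
    return {challenge_name(d): acme_dns_targets[d].rstrip(".").lower() + "."
            for d in devs}


def certificate_plan(devs):
    """Group the wildcard names into certificates of at most LE_NAMES_PER_CERT
    SANs and report how many of the weekly certificate slots the plan uses."""
    names = [f"*.{d}.{BASE_DOMAIN}" for d in devs]
    certs = [names[i:i + LE_NAMES_PER_CERT]
             for i in range(0, len(names), LE_NAMES_PER_CERT)]
    return {"certificates": certs, "slots_used": len(certs),
            "slots_left": LE_CERTS_PER_WEEK - len(certs)}


def check_delegations(devs, resolve_cname):
    """Verify every _acme-challenge name is a CNAME into the acme-dns zone.
    resolve_cname(name) -> target or None is injected, so the check can run
    against a real resolver or, as here, against constructed answers."""
    problems = []
    for d in devs:
        name = challenge_name(d)
        target = resolve_cname(name)
        if target is None:
            problems.append((name, "no CNAME record"))
        elif not target.rstrip(".").lower().endswith("." + ACME_DNS_ZONE):
            problems.append((name, f"CNAME points outside acme-dns: {target}"))
    return problems


# Constructed answers: dev1 delegated correctly, dev2 missing, dev3 mis-pointed.
FAKE_CNAMES = {
    challenge_name("dev1"): "a1b2c3d4-0000-4000-8000-000000000001.auth.acme-dns.example.net.",
    challenge_name("dev3"): "ns1.example.com.",
}

if __name__ == "__main__":
    print(certificate_plan([f"dev{i}" for i in range(1, 21)])["slots_used"])  # 1
    print(check_delegations(["dev1", "dev2", "dev3"], FAKE_CNAMES.get))
```

With a real resolver, `resolve_cname` can be a thin wrapper around dnspython’s `dns.resolver.resolve(name, "CNAME")`; the certificate itself is then requested once for the whole SAN list.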
But when I have one certificate with about 20 wildcards in it, then only one certificate will be registered, is this true? Then I will theoretically have 19 certificates left per week?
We also use it for production example.com and nowhere else.
Thanks a lot, you helped me really well. I’ll try all this next week and maybe I’ll ask some questions again.
Another question: now my limit for example.com is exceeded, so I have to wait until next Friday, but when I try with wildcards I will use ACME v2. Do I have to wait there until Friday as well, or will there be a separate limit?
Oh, I didn’t realise you were asking about staging.
Yeah, you could set this up on ACME v2 staging right now no problem, and then just change it to production once your production rate limits have subsided.
All my DNS hosts have APIs so I’ve not personally used it before.
It’s a good project though and probably the easiest path of any choice you have. It also has a hosted version (auth.acme-dns.io) if you want to take it for a spin without spending a lot of time.