WIN-ACME with SAN

Hello,

I have a LE cert issued by DNS challenge for remote.example.com to use on my win-server 2022 for remote desktop server setup.

I used the win-acme menu to guide me through getting the cert - but now I apparently need to add the FQDN of the server to the cert as a "SAN" - or subject alternative name.

  1. I presume I need to reissue the cert
  2. I could not see the option to add a SAN (is this part of "bindings?")
  3. This link appears to suggest just using a wildcard to get a cert for *.example.com? ([SOLVED] - ACME Certificate Can't Add Subject Alternative Names? | Proxmox Support Forum)

Any guide on how to do this be appreciated - for example do I select the manual option?
Then do I need 1. a separate cert for each domain, 2. a separate cert for each host, 3. a separate cert for each IIS site, or 4. a single certificate?

Etc

Thanks heaps

1 Like

Let's Encrypt always embeds all hostnames in the SAN, as mandated by the Baseline Requirements.

That said, I don't see any Let's Encrypt certificates for contoso.com at https://crt.sh/?deduplicate=Y&q=contoso.com?

2 Likes

contoso.com is like the foobar of domains - it's a pseudo domain, so I don't use my real one.

I have remote.example.com, which is a public domain, but for what I am doing I need to add an alternative name for my server FQDN dc1.internal.example.com - I am not sure how to do this step.

I am using the winacme client with the command line menu.

1 Like

Hello @bigal_nz.

If you must redact your domain name please see https://example.com/
as that is what example.com is for.

3 Likes

Welcome Back to the Let's Encrypt Community, @bigal_nz! :slightly_smiling_face:

I have modified contoso -> example. Nothing against you. Just per our community de facto standards. Hopefully we can help.

3 Likes

Apparently contoso is a commonly used fictional name by Microsoft. Who knew :slight_smile:

Anyway, @bigal_nz as you can guess the Windows experts have not yet posted :slight_smile:

And, I am not one either. But, what was the initial command you used to get the prior cert?

Because wouldn't you just add the new name to the -host option which supports a comma delimited list of the names. I don't use win-acme myself I am just going by the docs which I just re-read.

4 Likes

Let's Encrypt TLS/SSL certificates are for fully qualified domain names (FQDNs) where the standard is that each (sub)domain name is included in the subject alternative name (SAN) set regardless of how many names (including only one). Technically the common name (CN) field has been obsolete for decades though some technologies still (IMO) erroneously utilize it. My personal standard/recommendation is to only include those names in a single cert that are aliases/redirects for the same content AND serviced by the same TLS/SSL termination point (e.g. example.com and www.example.com). For control panel services (e.g. cPanel), I also include things like mail.example.com since it aliases to the HTTP content for example.com, thus making it easy to acquire a certificate for the mail server using an HTTP-01 challenge. Having too many names on a cert can make the cert "brittle" by making service and renewal more complex/cumbersome/error-prone.

2 Likes

Huh :slightly_smiling_face: Good to know. I'd heard the name before, just not in this way.

2 Likes

I personally don't recommend using wildcard certificates due to the need to satisfy a DNS-01 challenge to acquire a wildcard certificate, which can be more cumbersome and risky than simply satisfying a few HTTP-01 challenges for specific FQDNs.

3 Likes

Yep. For sure.

3 Likes

Bindings are IIS settings related to names, IP addresses, and ports. You can serve the same certificate for multiple bindings. I'm gonna call upon two of our Windows cert experts to see if they have any input here. This is a volunteer community, so please be patient. :slightly_smiling_face:

@webprofusion, @rmbolger

Anything you wanna add here?

2 Likes

Thanks Griffin for all your input.

I used the win-acme tool which presents the user with a list of options to generate a certificate, set the challenge method etc.

The issue I have is that I am not sure at what point I get to add the extra domain.

Either way, remote.example.com and dc.internal.example.com are the same termination point (server/site).

If there was a one line command to execute the whole request I would use it, but as you may have guessed I am still new to all this so being led through it via a menu does help somewhat.

Thanks again

2 Likes

As @MikeMcQ mentioned, you can specify a list of FQDNs/hostnames (same thing here) to have them all included in the cert. You'll need to reference the win-acme docs for the syntax. I strongly recommend applying the guidelines I mentioned above for determining the "name split" of your certs. Make your life simple/robust.

2 Likes

Do both those domain names use the same webroot directory/folder for their content? If so, combining them into a single cert would probably simplify things. It's usually "installing" certs where the complexity is greatest.

2 Likes

Totally understandable. I designed my own ACME client (CertSage) for this very reason. :grin:

2 Likes

Yes, on the IIS side of things they are the same folder and site. I can get a single cert - the step where I need to have an extra name is causing the headache.

The win-acme tool taking care I think of the IIS side of things is a big help.

1 Like

Check out the IIS plugin section in the win-acme manual for a good starting point. The link above is for the command-line parameters. The link below is more info for IIS.

2 Likes

The two gentlemen I mentioned earlier are ACME client authors in their own right and can offer you what might prove to be much easier solutions specifically for IIS. :wink:

2 Likes

If I add a second domain name, i.e. dc1.internal.geekhelp.co.nz - then it also tries to validate that domain name - but it's a LAN-only address.

1 Like

Yeah. You can't satisfy an HTTP-01 challenge for a non-publicly-accessible (sub)domain name (i.e. that's not in public DNS). Notice that it's failing to lookup a public IPv4 (A) or IPv6 (AAAA) record for that internal domain name.

3 Likes
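The thread ends on the practical problem: the internal FQDN has no public A/AAAA record, so an HTTP-01 challenge for it can never succeed, while a DNS-01 challenge (a TXT record under _acme-challenge) can cover it. The following is an added example, not code from the thread or from win-acme, that takes the list of names you want on one certificate and reports which names can be validated with HTTP-01, which need DNS-01 (internal names and wildcards), and which Let's Encrypt cannot issue for at all (IP literals and non-public suffixes such as .local). The resolver is injectable: `resolve_public` uses the system resolver, and `resolve_fake` with its constructed `FAKE_PUBLIC_DNS` table lets the example run offline. All function names and the sample addresses are assumptions made for this example.

```python
import ipaddress
import socket

# Constructed stand-in for public DNS so the example runs offline.
# Only the public-facing RDP gateway name has a record; the DC name does not.
FAKE_PUBLIC_DNS = {
    "remote.example.com": ["203.0.113.10"],  # TEST-NET-3 address, constructed
}

# Suffixes that are not public DNS names; a public CA cannot issue for them.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan")


def resolve_public(hostname):
    """Return the public A/AAAA addresses for hostname via the system resolver.

    Network access is required; an empty list means no public record exists,
    which is exactly the failure mode the thread hit for the LAN-only DC name.
    """
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_fake(hostname):
    """Offline resolver backed by the constructed FAKE_PUBLIC_DNS table."""
    return FAKE_PUBLIC_DNS.get(hostname, [])


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def plan_san_cert(names, resolver=resolve_public):
    """Classify each requested SAN name and choose the challenge that covers all of them.

    Returns a dict with:
      public    - names with public A/AAAA records (HTTP-01 or DNS-01 possible)
      internal  - names under a public zone but without public records (DNS-01 only)
      wildcards - wildcard names (DNS-01 only, by Let's Encrypt policy)
      rejected  - names no public CA will issue for (IP literals, .local etc.)
      challenge - "http-01" if every issuable name has a public record, else "dns-01"
    """
    plan = {"public": [], "internal": [], "wildcards": [], "rejected": []}
    for name in names:
        name = name.strip().lower().rstrip(".")
        if is_ip_literal(name) or name.endswith(NON_PUBLIC_SUFFIXES) or "." not in name:
            plan["rejected"].append(name)
        elif name.startswith("*."):
            plan["wildcards"].append(name)
        elif resolver(name):
            plan["public"].append(name)
        else:
            plan["internal"].append(name)

    if plan["internal"] or plan["wildcards"]:
        plan["challenge"] = "dns-01"
        plan["reason"] = ("names without public A/AAAA records and wildcard names "
                          "cannot pass http-01; dns-01 only needs a TXT record "
                          "under _acme-challenge in the public zone")
    else:
        plan["challenge"] = "http-01"
        plan["reason"] = "every name resolves publicly, so http-01 on the web root suffices"
    return plan


if __name__ == "__main__":
    # The two names from the thread, checked against the constructed DNS table.
    result = plan_san_cert(["remote.example.com", "dc1.internal.example.com"], resolve_fake)
    for key, value in result.items():
        print(f"{key:10}: {value}")
```

Run it as-is to see the offline classification; swap `resolve_fake` for `resolve_public` (the default) to check your real hostnames before requesting the certificate. The result tells you which validation plugin to pick in win-acme before the order is even created, rather than discovering the HTTP-01 failure after the fact.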