Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How think about multiple domains and certificates?

    Scheduled Pinned Locked Moved Cache/Proxy
    19 Posts 3 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      swemattias
      last edited by

      So I have 3 domains that I want to have a certificate for and redirect to 3 different web servers on the inside.

      So I made a certificate for each domain,
      domain1-3.io
      *.domain1-3.io

      Issued a certificate for all 6 of them.

      Went to HAProxy and got a warning to use a shared frontend for multiple rules. Sure that makes sense, configured one and this is when I got to think... I had to specify one certificate of the six I have.

      Two things:

      1. Is it good/normal/safe to have domain1's certificate for domain3?
      2. Have I made too many certificates? Would it be enough with one from Cloudflare?

      I also found that I could add another SSL certificate. So domain2 has both the shared domain1 and it's own certificate.
      But that feels like pancake on pancake (hmm that Swedish saying doesn't make over to English...).

      Could some nice person here tell me how it should be done?

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @swemattias
        last edited by

        @swemattias said in How think about multiple domains and certificates?:

        Went to HAProxy and got a warning to use a shared frontend for multiple rules.

        You get this warning, when you try to create an additional frontend to listen an the same IP + port combination as already in used.
        In this case you can create a shared frontend and add other rules to it. But you can also configure all your domains in a single frontend.

        Is it good/normal/safe to have domain1's certificate for domain3?

        That's whether good nor safe.
        You can assign multiple certificates to a single frontend. Go down in the settings, there is an option to state additional certificates.

        Have I made too many certificates? Would it be enough with one from Cloudflare?

        Basically you can put all domains into a single certificate if you have all at the same site. But as mentioned, you can also configure multiple per frontend.

        I also found that I could add another SSL certificate. So domain2 has both the shared domain1 and it's own certificate.
        But that feels like pancake on pancake (hmm that Swedish saying doesn't make over to English...).

        No need to care, HAproxy takes to correct matching certificate and delivers it to the client.

        johnpozJ S 2 Replies Last reply Reply Quote 1
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @viragomann
          last edited by johnpoz

          But that feels like pancake on pancake (hmm that Swedish saying doesn't make over to English...).

          What is wrong with pancake on top of pancake? A nice stack is tasty! ;) little butter and syrup between the layers - yummy ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          V 1 Reply Last reply Reply Quote 1
          • V
            viragomann @johnpoz
            last edited by

            @johnpoz
            😆

            1 Reply Last reply Reply Quote 0
            • S
              swemattias @viragomann
              last edited by swemattias

              @viragomann Thank you! That was the answer I was looking for. :)

              Lasta question:
              Do I need 2 certificates for each domain?
              domain1.io
              *.domain.io

              Or is it enough with domain1.io, and HAProxty will understand what to do with sub.domain.io?

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @swemattias
                last edited by

                @swemattias said in How think about multiple domains and certificates?:

                @viragomann Thank you! That was the answer I was looking for. :)

                Lasta question:
                Do I need 2 certificates for each domain?
                domain1.io
                *.domain.io

                Or is it enough with domain1.io, and HAProxty will understand what to do with sub.domain.io?

                domain1.io can be used exactly for this host name.

                *.domain.io can be used for
                host1.domain.io
                host2.domain.io
                and so on.

                This means it matches for any subdomain in the 3rd level.
                But is wouldn't work for host.subdomain.domain.io.

                HAproxy it self can do nothing for that. It gets the SNI request and delievers the proper certificate. But you have to assign it to the frontend first.

                S 1 Reply Last reply Reply Quote 0
                • S
                  swemattias @viragomann
                  last edited by

                  @viragomann Ok! So this is how I have set up all my third subdomain domains:
                  pfsense sub domain config

                  Am I even close or?

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @swemattias
                    last edited by

                    @swemattias
                    Looks well.

                    The "Add ACL for certificate Subject Alternative Names" only make sense if it's a SAN certificate (multiple domains).
                    So if you have a cert for each single domain there is no need for this.

                    As i see, you have Let's Encrypt certificates, I have 20 domains in a single certificate from LE.

                    S 1 Reply Last reply Reply Quote 0
                    • S
                      swemattias @viragomann
                      last edited by

                      @viragomann Ok thanks!
                      So I could add all my domains under the Domain SAN list in the certificate?
                      domain1.io
                      *.domain1.io
                      domain2.io
                      *.domain2.io
                      and so on.

                      And then I use ACL in HAProxy to steer the incoming calls to the rigth server/service?

                      johnpozJ V 2 Replies Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @swemattias
                        last edited by

                        @swemattias you might want to save yourself a bit of work, and just use wildcard certs for your domains, that way you can use anything.domain1.io, etc.. and then a different wildcard for domain2.io etc..

                        This way nothing really to do with the certs if you want to add somethingelse.domain.tld etc. .

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        S 1 Reply Last reply Reply Quote 0
                        • V
                          viragomann @swemattias
                          last edited by

                          @swemattias
                          Yes, you're using wildcards. I don't know if wildcard + SAN (multiple wildcard domains) within a single certificate is even possible from LE.

                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • S
                            swemattias @johnpoz
                            last edited by

                            @johnpoz Sound like good idea, but there is a copy-button that a nifty feature. :)

                            So only add *.domian.io certificates.
                            So I have a few web servers for some of the domains, can I as an ACL rule say, domain.io and www.domain.io should go to this service? Even though using a *.domain.io?

                            V 1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @viragomann
                              last edited by

                              @viragomann yeah while you might be able to do something and otherthing.domainX.tld as sans in the same cert, I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              V 1 Reply Last reply Reply Quote 0
                              • V
                                viragomann @johnpoz
                                last edited by

                                @johnpoz said in How think about multiple domains and certificates?:

                                I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN

                                Yes, I have some different 2nd level domain within one, but I don't know if you get one with *.domain1.tld, *.domain2.tld, *.domain2.tld.
                                Presumably not.

                                johnpozJ 1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @viragomann
                                  last edited by

                                  @viragomann that would be a security concern for sure! I can't believe they would allow doing that without some really strict controls that you do in fact control both domains.

                                  I just don't see them allowing that.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                  V 1 Reply Last reply Reply Quote 0
                                  • V
                                    viragomann @swemattias
                                    last edited by

                                    @swemattias said in How think about multiple domains and certificates?:

                                    can I as an ACL rule say, domain.io and www.domain.io should go to this service?

                                    Yes, sure. Use the "hostname match" ACL.

                                    Even though using a *.domain.io?

                                    But as said above already, you need both domains in the certificate domain.io and *.domain.io, or even one cert for each domain.
                                    *.domain.io is not valid for domain.io.

                                    1 Reply Last reply Reply Quote 1
                                    • V
                                      viragomann @johnpoz
                                      last edited by

                                      @johnpoz
                                      I didn't try so far. But tha't sounds plausible.

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        swemattias
                                        last edited by

                                        Thank you @viragomann and @johnpoz for all your input and wisdom!

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          swemattias
                                          last edited by

                                          Have I found a bug in the Web GUI maybe?
                                          I have 6 certificate's only 5 appear under Frontend SSL Offloading, Additional certificates.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.