How think about multiple domains and certificates?
-
-
@viragomann Thank you! That was the answer I was looking for. :)
Lasta question:
Do I need 2 certificates for each domain?
domain1.io
*.domain.ioOr is it enough with domain1.io, and HAProxty will understand what to do with sub.domain.io?
-
@swemattias said in How think about multiple domains and certificates?:
@viragomann Thank you! That was the answer I was looking for. :)
Lasta question:
Do I need 2 certificates for each domain?
domain1.io
*.domain.ioOr is it enough with domain1.io, and HAProxty will understand what to do with sub.domain.io?
domain1.io can be used exactly for this host name.
*.domain.io can be used for
host1.domain.io
host2.domain.io
and so on.This means it matches for any subdomain in the 3rd level.
But is wouldn't work for host.subdomain.domain.io.HAproxy it self can do nothing for that. It gets the SNI request and delievers the proper certificate. But you have to assign it to the frontend first.
-
@viragomann Ok! So this is how I have set up all my third subdomain domains:
Am I even close or?
-
@swemattias
Looks well.The "Add ACL for certificate Subject Alternative Names" only make sense if it's a SAN certificate (multiple domains).
So if you have a cert for each single domain there is no need for this.As i see, you have Let's Encrypt certificates, I have 20 domains in a single certificate from LE.
-
@viragomann Ok thanks!
So I could add all my domains under the Domain SAN list in the certificate?
domain1.io
*.domain1.io
domain2.io
*.domain2.io
and so on.And then I use ACL in HAProxy to steer the incoming calls to the rigth server/service?
-
@swemattias you might want to save yourself a bit of work, and just use wildcard certs for your domains, that way you can use anything.domain1.io, etc.. and then a different wildcard for domain2.io etc..
This way nothing really to do with the certs if you want to add somethingelse.domain.tld etc. .
-
@swemattias
Yes, you're using wildcards. I don't know if wildcard + SAN (multiple wildcard domains) within a single certificate is even possible from LE. -
@johnpoz Sound like good idea, but there is a copy-button that a nifty feature. :)
So only add *.domian.io certificates.
So I have a few web servers for some of the domains, can I as an ACL rule say, domain.io and www.domain.io should go to this service? Even though using a *.domain.io? -
@viragomann yeah while you might be able to do something and otherthing.domainX.tld as sans in the same cert, I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN
-
@johnpoz said in How think about multiple domains and certificates?:
I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN
Yes, I have some different 2nd level domain within one, but I don't know if you get one with *.domain1.tld, *.domain2.tld, *.domain2.tld.
Presumably not. -
@viragomann that would be a security concern for sure! I can't believe they would allow doing that without some really strict controls that you do in fact control both domains.
I just don't see them allowing that.
-
@swemattias said in How think about multiple domains and certificates?:
can I as an ACL rule say, domain.io and www.domain.io should go to this service?
Yes, sure. Use the "hostname match" ACL.
Even though using a *.domain.io?
But as said above already, you need both domains in the certificate domain.io and *.domain.io, or even one cert for each domain.
*.domain.io is not valid for domain.io. -
@johnpoz
I didn't try so far. But tha't sounds plausible. -
Thank you @viragomann and @johnpoz for all your input and wisdom!
-
Have I found a bug in the Web GUI maybe?
I have 6 certificate's only 5 appear under Frontend SSL Offloading, Additional certificates.
