How think about multiple domains and certificates?
-
@viragomann Ok! So this is how I have set up all my third subdomain domains:
Am I even close or?
-
@swemattias
Looks well.The "Add ACL for certificate Subject Alternative Names" only make sense if it's a SAN certificate (multiple domains).
So if you have a cert for each single domain there is no need for this.As i see, you have Let's Encrypt certificates, I have 20 domains in a single certificate from LE.
-
@viragomann Ok thanks!
So I could add all my domains under the Domain SAN list in the certificate?
domain1.io
*.domain1.io
domain2.io
*.domain2.io
and so on.And then I use ACL in HAProxy to steer the incoming calls to the rigth server/service?
-
@swemattias you might want to save yourself a bit of work, and just use wildcard certs for your domains, that way you can use anything.domain1.io, etc.. and then a different wildcard for domain2.io etc..
This way nothing really to do with the certs if you want to add somethingelse.domain.tld etc. .
-
@swemattias
Yes, you're using wildcards. I don't know if wildcard + SAN (multiple wildcard domains) within a single certificate is even possible from LE. -
@johnpoz Sound like good idea, but there is a copy-button that a nifty feature. :)
So only add *.domian.io certificates.
So I have a few web servers for some of the domains, can I as an ACL rule say, domain.io and www.domain.io should go to this service? Even though using a *.domain.io? -
@viragomann yeah while you might be able to do something and otherthing.domainX.tld as sans in the same cert, I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN
-
@johnpoz said in How think about multiple domains and certificates?:
I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN
Yes, I have some different 2nd level domain within one, but I don't know if you get one with *.domain1.tld, *.domain2.tld, *.domain2.tld.
Presumably not. -
@viragomann that would be a security concern for sure! I can't believe they would allow doing that without some really strict controls that you do in fact control both domains.
I just don't see them allowing that.
-
@swemattias said in How think about multiple domains and certificates?:
can I as an ACL rule say, domain.io and www.domain.io should go to this service?
Yes, sure. Use the "hostname match" ACL.
Even though using a *.domain.io?
But as said above already, you need both domains in the certificate domain.io and *.domain.io, or even one cert for each domain.
*.domain.io is not valid for domain.io. -
@johnpoz
I didn't try so far. But tha't sounds plausible. -
Thank you @viragomann and @johnpoz for all your input and wisdom!
-
Have I found a bug in the Web GUI maybe?
I have 6 certificate's only 5 appear under Frontend SSL Offloading, Additional certificates.
