How think about multiple domains and certificates?

swemattias · Jan 6, 2023, 2:24 PM

@viragomann Ok! So this is how I have set up all my third subdomain domains:

Am I even close or?

viragomann · Jan 6, 2023, 2:32 PM

The "Add ACL for certificate Subject Alternative Names" only make sense if it's a SAN certificate (multiple domains).
So if you have a cert for each single domain there is no need for this.

As i see, you have Let's Encrypt certificates, I have 20 domains in a single certificate from LE.

swemattias · Jan 6, 2023, 2:47 PM

@viragomann Ok thanks!
So I could add all my domains under the Domain SAN list in the certificate?
domain1.io
*.domain1.io
domain2.io
*.domain2.io
and so on.

And then I use ACL in HAProxy to steer the incoming calls to the rigth server/service?

johnpoz · Jan 6, 2023, 2:49 PM

@swemattias you might want to save yourself a bit of work, and just use wildcard certs for your domains, that way you can use anything.domain1.io, etc.. and then a different wildcard for domain2.io etc..

This way nothing really to do with the certs if you want to add somethingelse.domain.tld etc. .

viragomann · Jan 6, 2023, 2:54 PM

@swemattias
Yes, you're using wildcards. I don't know if wildcard + SAN (multiple wildcard domains) within a single certificate is even possible from LE.

swemattias · Jan 6, 2023, 2:57 PM

@johnpoz Sound like good idea, but there is a copy-button that a nifty feature. :)

So only add *.domian.io certificates.
So I have a few web servers for some of the domains, can I as an ACL rule say, domain.io and www.domain.io should go to this service? Even though using a *.domain.io?

johnpoz · Jan 6, 2023, 2:57 PM

@viragomann yeah while you might be able to do something and otherthing.domainX.tld as sans in the same cert, I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN

viragomann · Jan 6, 2023, 3:02 PM

@johnpoz said in How think about multiple domains and certificates?:

I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN

Yes, I have some different 2nd level domain within one, but I don't know if you get one with *.domain1.tld, *.domain2.tld, *.domain2.tld.
Presumably not.

johnpoz · Jan 6, 2023, 3:05 PM

@viragomann that would be a security concern for sure! I can't believe they would allow doing that without some really strict controls that you do in fact control both domains.

I just don't see them allowing that.

viragomann · Jan 6, 2023, 3:08 PM

@swemattias said in How think about multiple domains and certificates?:

can I as an ACL rule say, domain.io and www.domain.io should go to this service?

Yes, sure. Use the "hostname match" ACL.

Even though using a *.domain.io?

But as said above already, you need both domains in the certificate domain.io and *.domain.io, or even one cert for each domain.
*.domain.io is not valid for domain.io.

viragomann · Jan 6, 2023, 3:11 PM

@johnpoz
I didn't try so far. But tha't sounds plausible.

swemattias · Jan 6, 2023, 3:34 PM

Thank you @viragomann and @johnpoz for all your input and wisdom!

swemattias · Jan 6, 2023, 4:04 PM

Have I found a bug in the Web GUI maybe?
I have 6 certificate's only 5 appear under Frontend SSL Offloading, Additional certificates.