• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

How think about multiple domains and certificates?

Scheduled Pinned Locked Moved Cache/Proxy
19 Posts 3 Posters 1.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    swemattias @viragomann
    last edited by Jan 6, 2023, 2:24 PM

    @viragomann Ok! So this is how I have set up all my third subdomain domains:
    pfsense sub domain config

    Am I even close or?

    V 1 Reply Last reply Jan 6, 2023, 2:32 PM Reply Quote 0
    • V
      viragomann @swemattias
      last edited by Jan 6, 2023, 2:32 PM

      @swemattias
      Looks well.

      The "Add ACL for certificate Subject Alternative Names" only make sense if it's a SAN certificate (multiple domains).
      So if you have a cert for each single domain there is no need for this.

      As i see, you have Let's Encrypt certificates, I have 20 domains in a single certificate from LE.

      S 1 Reply Last reply Jan 6, 2023, 2:47 PM Reply Quote 0
      • S
        swemattias @viragomann
        last edited by Jan 6, 2023, 2:47 PM

        @viragomann Ok thanks!
        So I could add all my domains under the Domain SAN list in the certificate?
        domain1.io
        *.domain1.io
        domain2.io
        *.domain2.io
        and so on.

        And then I use ACL in HAProxy to steer the incoming calls to the rigth server/service?

        J V 2 Replies Last reply Jan 6, 2023, 2:49 PM Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @swemattias
          last edited by Jan 6, 2023, 2:49 PM

          @swemattias you might want to save yourself a bit of work, and just use wildcard certs for your domains, that way you can use anything.domain1.io, etc.. and then a different wildcard for domain2.io etc..

          This way nothing really to do with the certs if you want to add somethingelse.domain.tld etc. .

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          S 1 Reply Last reply Jan 6, 2023, 2:57 PM Reply Quote 0
          • V
            viragomann @swemattias
            last edited by Jan 6, 2023, 2:54 PM

            @swemattias
            Yes, you're using wildcards. I don't know if wildcard + SAN (multiple wildcard domains) within a single certificate is even possible from LE.

            J 1 Reply Last reply Jan 6, 2023, 2:57 PM Reply Quote 0
            • S
              swemattias @johnpoz
              last edited by Jan 6, 2023, 2:57 PM

              @johnpoz Sound like good idea, but there is a copy-button that a nifty feature. :)

              So only add *.domian.io certificates.
              So I have a few web servers for some of the domains, can I as an ACL rule say, domain.io and www.domain.io should go to this service? Even though using a *.domain.io?

              V 1 Reply Last reply Jan 6, 2023, 3:08 PM Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @viragomann
                last edited by Jan 6, 2023, 2:57 PM

                @viragomann yeah while you might be able to do something and otherthing.domainX.tld as sans in the same cert, I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                V 1 Reply Last reply Jan 6, 2023, 3:02 PM Reply Quote 0
                • V
                  viragomann @johnpoz
                  last edited by Jan 6, 2023, 3:02 PM

                  @johnpoz said in How think about multiple domains and certificates?:

                  I really doubt if you go do onething.domain1.tld and otherthing.domain2.tld in the same cert as SAN

                  Yes, I have some different 2nd level domain within one, but I don't know if you get one with *.domain1.tld, *.domain2.tld, *.domain2.tld.
                  Presumably not.

                  J 1 Reply Last reply Jan 6, 2023, 3:05 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @viragomann
                    last edited by Jan 6, 2023, 3:05 PM

                    @viragomann that would be a security concern for sure! I can't believe they would allow doing that without some really strict controls that you do in fact control both domains.

                    I just don't see them allowing that.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    V 1 Reply Last reply Jan 6, 2023, 3:11 PM Reply Quote 0
                    • V
                      viragomann @swemattias
                      last edited by Jan 6, 2023, 3:08 PM

                      @swemattias said in How think about multiple domains and certificates?:

                      can I as an ACL rule say, domain.io and www.domain.io should go to this service?

                      Yes, sure. Use the "hostname match" ACL.

                      Even though using a *.domain.io?

                      But as said above already, you need both domains in the certificate domain.io and *.domain.io, or even one cert for each domain.
                      *.domain.io is not valid for domain.io.

                      1 Reply Last reply Reply Quote 1
                      • V
                        viragomann @johnpoz
                        last edited by Jan 6, 2023, 3:11 PM

                        @johnpoz
                        I didn't try so far. But tha't sounds plausible.

                        1 Reply Last reply Reply Quote 0
                        • S
                          swemattias
                          last edited by Jan 6, 2023, 3:34 PM

                          Thank you @viragomann and @johnpoz for all your input and wisdom!

                          1 Reply Last reply Reply Quote 0
                          • S
                            swemattias
                            last edited by Jan 6, 2023, 4:04 PM

                            Have I found a bug in the Web GUI maybe?
                            I have 6 certificate's only 5 appear under Frontend SSL Offloading, Additional certificates.

                            1 Reply Last reply Reply Quote 0
                            19 out of 19
                            • First post
                              19/19
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                              This community forum collects and processes your personal information.
                              consent.not_received