[BlueOnyx:19342] Re: Let's Encrypt certificate generation/renewal problem.

Michael Stauber mstauber at blueonyx.it
Thu Mar 17 02:39:54 -05 2016


Hi DD,

I wrote:
> If your web server aliases are not working, then this will fail. As this
> is known to happen from time to time on a BlueOnyx this would naturally
> cause the renewal to fail, too.

Speaking of web server aliases and Let's Encrypt: I just had another
case where a Vsite had about 20 web aliases. And during the SSL cert
request against Let's Encrypt it failed, as one of the domains used as
an alias didn't resolve.

When you have such a long list of aliases, but "Web Server Alias
redirects" is ticked for the Vsite, then you really don't need to
request an SSL certificate with all bloody aliases, right?

Even better: When you request a certificate, you should be allowed to
specify which aliases you want included in the SSL certificate and which
not.

I'm currently working on a code update to base-ssl which will deal with
that.

By default the updated GUI page for Let's Encrypt cert requests will
therefore only request the cert for the FQDN of the Vsite and the
(short) domain name.

Example:

Vsite FQDN:   	www.company.com
Web Alias: 	company.com

So we will request a cert that matches both. If there are any additional
web aliases like 'mail.company.com' and so on, then they *can* be
included in the request.

That should make this a bit more resilient as well.

-- 
With best regards

Michael Stauber
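The pre-flight selection described in this post, as an added example that is not BlueOnyx or base-ssl code: it builds the name list for the Let's Encrypt request from the Vsite FQDN plus the short domain, adds only explicitly opted-in aliases, and leaves out any name that does not resolve, so one dead alias no longer fails the whole request. The `plan_cert_names` function, the injectable `resolver` and the sample domains are assumptions for illustration.

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Illustrative helper (not base-ssl code). Policy from the post: request the
# cert for the Vsite FQDN and the short domain by default; extra web aliases
# go in only when explicitly opted in. Every candidate is checked in DNS first,
# because a single name that does not resolve fails the whole Let's Encrypt
# order.

def resolves(name: str) -> bool:
    """True if the name has at least one A/AAAA record (live DNS lookup)."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def plan_cert_names(
    fqdn: str,
    aliases: Iterable[str],
    include_extra: Iterable[str] = (),
    resolver: Callable[[str], bool] = resolves,
) -> Tuple[List[str], List[str]]:
    """Return (names_to_request, skipped).

    `resolver` is injectable so the selection logic can be exercised offline
    with a constructed DNS view instead of live lookups.
    """
    fqdn = fqdn.lower()
    aliases = {a.lower() for a in aliases}
    if not resolver(fqdn):
        # The Vsite's own name must resolve; there is nothing to request otherwise.
        raise ValueError(f"Vsite FQDN does not resolve: {fqdn}")

    candidates = [fqdn]
    # Default: also cover the short domain when it is a configured web alias.
    short = fqdn[4:] if fqdn.startswith("www.") else None
    if short and short in aliases:
        candidates.append(short)
    # Opt-in extras, restricted to aliases actually configured on the Vsite.
    for extra in include_extra:
        extra = extra.lower()
        if extra in aliases and extra not in candidates:
            candidates.append(extra)

    names, skipped = [fqdn], []
    for name in candidates[1:]:
        (names if resolver(name) else skipped).append(name)
    return names, skipped
```

Anything listed in `skipped` is what the GUI would report back to the admin instead of letting the ACME order fail outright.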


