[BlueOnyx:23911] Re: 5209R/5210R: SNI support added to Dovecot

Michael Stauber mstauber at blueonyx.it
Thu May 28 23:47:53 -05 2020


Hi Michael,

> That is really great but brings up another question. Is there any chance of
> adding wildcard support to the Let's Encrypt certificates? That would allow
> the use of mail.domain.com or imap.domain.com without having to do any extra
> work. 

In general Let's Encrypt supports Wildcard certificates:

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

However, the validation process requires that the "DNS-01 challenge" is
used for authorization:

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation#812038

In essence that means you run the certbot or acme.sh client with
provisions that contact the ACME backend to get a unique identifier string
that is associated with that request. You then take that string and
create a special DNS TXT record for the domain that you are requesting
the wildcard for.

Then the real cert request is run again via the certbot or acme.sh
client with the DNS-01 authentication method. They then check the DNS
for the TXT record and if it is present and matches, the wildcard cert
will be issued.

As you can see: This creates a whole gaggle of problems as far as
BlueOnyx is concerned.

If the BlueOnyx that requests the wildcard runs the authoritative DNS
server for the domain in question? Then we *could* possibly offer this
feature. If the DNS is hosted elsewhere, then we can't do it. At least
not automatically. If it cannot be automated, then it makes no sense,
because after 90 days the cert will expire, as we have no way of
automatically renewing it w/o updating the DNS TXT record again.

Our cert request/renewal mechanism is acme.sh and it supports DNS-01 and
has some plugins to make it interface with various DNS servers. But it
still would be pretty messy to try to somehow wiggle in third party DNS
server support into the whole request and renewal procedure.

> The only other option would be to add mail, pop, imap, smtp and any other
> sub-domains as web-server aliases.

Which you can already do and that works just fine.

Example:

The Vsite www.blueonyx.it has these "Web Server Aliases":

blueonyx.it
blueonyx.de
blueonyx.us
blueonyx.at
blueonyx.info
blueonyx.org.uk
raq550.com
www.blueonyx.de
www.blueonyx.us
www.blueonyx.at
www.blueonyx.info
www.blueonyx.org.uk
www.raq550.com

And it has a Let's Encrypt certificate that is valid for each and every
Web Server Alias that the Vsite www.blueonyx.it has. Let us examine the
cert with "openssl" and grep out the domains it is valid for:

[root@web /]# openssl x509 -in /home/sites/www.blueonyx.it/certs/certificate -text -noout|grep "DNS:"|sed "s@DNS:@@g"|tr -s ' '|sed "s@,@,\n@g"|sort

 blueonyx.at,
 blueonyx.de,
 blueonyx.info,
 blueonyx.it,
 blueonyx.org.uk,
 blueonyx.us,
 raq550.com,
 www.blueonyx.at,
 www.blueonyx.de,
 www.blueonyx.info,
 www.blueonyx.it,
 www.blueonyx.org.uk,
 www.blueonyx.us,
 www.raq550.com

And that renews automatically every 60 days without a hitch and was
configured through the GUI w/o any trickery.

How?

"Site Management" / <Vsite> / "Services" / "Web" under "Web Server
Aliases" I added all the aliases.

"Site Management" / <Vsite> / "SSL" -> click on "Let's Encrypt" button.

Initially it showed all the Web Server Aliases under "SSL domain
aliases" on the righthand side. Moved them all to the left to have them
included in the SSL certificate request.

Tick "Request or Renew Certificate" and save the changes.

That's all. That generated the SSL certificate and it's valid for both
www.blueonyx.it and all the aliases.

It issues and renews it automatically for all aliases as well, provided
the DNS for those aliases still points to the same Vsite and each of the
aliases can be correctly validated by ACME.

So yes: It's not a wildcard, but it serves its purpose and works out of
the box.

-- 
With best regards

Michael Stauber
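As an added example (not BlueOnyx or acme.sh code, and not part of the post above): a small POSIX shell script that generalises the openssl one-liner from the post. It pulls the DNS Subject Alternative Names out of an `openssl x509 -text` dump and reports which Web Server Aliases are not covered by the certificate, which is the check you want to run before pointing Dovecot or Postfix at a Vsite cert. The certificate text embedded in the script is a constructed fragment so it runs offline; `mail.blueonyx.it` is a hypothetical alias used only to show a miss.

```shell
#!/bin/sh
# Added example, not BlueOnyx or acme.sh code: list the DNS SANs in a
# certificate and report which Web Server Aliases it does not cover.
# Assumes OpenSSL "openssl x509 -text -noout" style output; the sample
# below is constructed by hand so the script can be run offline.

# parse_sans: read "openssl x509 -text -noout" output on stdin and print
# one DNS Subject Alternative Name per line, sorted, stripped of the
# "DNS:" prefix, the separating commas and the leading whitespace.
parse_sans() {
    grep 'DNS:' | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | sort
}

# cert_sans CERTFILE: same, read straight from a PEM certificate (needs openssl).
cert_sans() {
    openssl x509 -in "$1" -text -noout | parse_sans
}

# missing_aliases SANLIST ALIAS...: SANLIST is a newline-separated list of
# names (as produced by parse_sans). Prints every ALIAS that is absent from
# it. Returns 0 when all aliases are covered, 1 when at least one is not.
missing_aliases() {
    sanlist=$1; shift
    rc=0
    for alias in "$@"; do
        # -x: whole-line match, -F: literal (dots are not wildcards)
        if ! printf '%s\n' "$sanlist" | grep -qxF -- "$alias"; then
            echo "$alias"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the relevant fragment of an "openssl x509 -text" dump
# for a certificate that covers three of the names mentioned in the post.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.blueonyx.it, DNS:blueonyx.it, DNS:blueonyx.de
    Signature Algorithm: sha256WithRSAEncryption'

# sample_sans: the SANs of the constructed sample, one per line, sorted.
sample_sans() {
    printf '%s\n' "$SAMPLE_TEXT" | parse_sans
}

# Usage with a real file (path and aliases are the caller's):
#   sh check_sans.sh /home/sites/www.blueonyx.it/certs/certificate \
#       www.blueonyx.it blueonyx.it mail.blueonyx.it
if [ "$#" -ge 1 ]; then
    cert=$1; shift
    missing_aliases "$(cert_sans "$cert")" "$@" \
        || echo "some aliases are not in the certificate"
else
    echo "SANs in constructed sample:"
    sample_sans
    echo "Aliases missing from the sample certificate:"
    # mail.blueonyx.it is a hypothetical alias, used only to show a miss
    missing_aliases "$(sample_sans)" www.blueonyx.it blueonyx.de mail.blueonyx.it || true
fi
```

Run it with no arguments to see the offline demonstration, or with a certificate path followed by the Vsite's aliases to check a live cert; a non-zero exit from `missing_aliases` is the signal that a renewal with the missing alias added to "SSL domain aliases" is needed.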
