[BlueOnyx:24483] Re: Questions about LE and domain aliases

Michael Stauber mstauber at blueonyx.it
Wed Nov 11 11:07:41 -05 2020


Hi Dirk,

> in the automated LE request I can add several domain names from the
> list of domain aliases.
> 
> However, it seems that this does not communicate with the ServerAlias in
> the site<nr> <virtualhost> section for 443.
> 
> It seems that there is only the main hostname as ServerName, and the
> additionally selected names in the LE request do not seem to correspond
> with this setting.

I'm not sure if I understand your question. Could you please elaborate?

If you set web server aliases, then the aliases can be completely
different domain names as well.

See the attached image "aliases.png", which shows the actual aliases of
the Vsite www.blueonyx.it

On the GUI page where the LE certificate is requested I have moved all
these aliases to the left in order to request their inclusion in the
resulting SSL certificate.

And finally see the image "cert.png", which shows which domain names the
resulting cert is valid for. And this has auto-renewed just fine ever
since I set it up that way a couple of years ago.

The LE-request page populates the list of "SSL domain aliases" anew
each time you add or remove aliases. If you add an alias to the Vsite,
it'll show up in that list, although in an inactive state, and (if you
wish to include it in the certificate) you must move it to the left and
request a new LE cert.

As for AdmServ: The LE cert of that indeed is only valid for the
hostname of the server. We *could* potentially make it valid for Vsites
by making requests that include the Vsite FQDNs.

However, a couple of things typically speak against it:

On 5210R with SNI now being available for both the MTA and Dovecot there
is not much of a reason to do so.

In the GUI itself under "Server Management" / "Maintenance" / "Server
Desktop" you can tick "Redirect to Server-Name", which eliminates the
certificate warning if someone accesses the GUI via www.vsite.com/login
instead of <server-name>/login.

Lastly: There is a limit on how many domain aliases an LE certificate
might have. We would quickly exceed that limit on a typical BlueOnyx if
you figure in web server aliases.

-- 
With best regards

Michael Stauber
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aliases.png
Type: image/png
Size: 24551 bytes
Desc: not available
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20201111/2efa1e82/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: le-request.png
Type: image/png
Size: 71352 bytes
Desc: not available
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20201111/2efa1e82/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert.png
Type: image/png
Size: 94829 bytes
Desc: not available
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20201111/2efa1e82/attachment-0002.png>
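The thread above boils down to one check an administrator can run before requesting or renewing a certificate: every ServerName and ServerAlias in the 443 section of a Vsite must appear among the certificate's subject alternative names, and the total must stay under Let's Encrypt's per-certificate limit of 100 names. The script below is an added example and is not part of the BlueOnyx code or of this mail; the vhost snippet and the SAN list are constructed stand-ins (the SAN list models what `openssl x509 -noout -ext subjectAltName` prints for a real certificate), and the host names are placeholders.

```python
import re
from typing import Dict, List, Set

# Let's Encrypt's documented limit on subject alternative names per certificate.
LE_MAX_SAN = 100

# Constructed vhost snippet in the shape of a site<nr> 443 section. The
# addresses and host names are placeholders, not a real BlueOnyx config.
VHOST_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    ServerAlias example.test mail.example.test
    ServerAlias shop.example.test *.blog.example.test
    SSLEngine on
</VirtualHost>
"""

# Constructed SAN list standing in for the names in the issued certificate.
CERT_SANS = ["www.example.test", "example.test", "mail.example.test"]


def _normalize(name: str) -> str:
    """Strip an optional scheme and port (ServerName allows both), lowercase."""
    return re.sub(r"^\w+://", "", name).split(":")[0].lower()


def vhost_names(conf: str) -> List[str]:
    """Collect ServerName and ServerAlias values from every *:443 vhost, in order."""
    names: List[str] = []
    seen: Set[str] = set()
    in_tls_vhost = False
    for raw in conf.splitlines():
        line = raw.strip()
        if re.match(r"<VirtualHost\b.*:443>", line, re.I):
            in_tls_vhost = True
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            in_tls_vhost = False
            continue
        if not in_tls_vhost or line.startswith("#"):
            continue
        m = re.match(r"(ServerName|ServerAlias)\s+(.+)", line, re.I)
        if not m:
            continue
        for token in m.group(2).split():
            host = _normalize(token)
            if host and host not in seen:
                seen.add(host)
                names.append(host)
    return names


def covered_by(name: str, san_set: Set[str]) -> bool:
    """True if the SAN set names this host exactly or via a parent wildcard."""
    if name in san_set:
        return True
    if name.startswith("*."):
        return False  # a wildcard alias needs an identical wildcard SAN
    parent = name.split(".", 1)[1] if "." in name else ""
    return bool(parent) and ("*." + parent) in san_set


def coverage_report(names: List[str], sans: List[str]) -> Dict[str, object]:
    """Which vhost names the certificate covers, which it misses, and whether
    a single LE certificate could hold them all."""
    san_set = {s.lower() for s in sans}
    covered = [n for n in names if covered_by(n, san_set)]
    missing = [n for n in names if n not in covered]
    return {
        "covered": covered,
        "missing": missing,
        "over_limit": len(names) > LE_MAX_SAN,
    }


if __name__ == "__main__":
    report = coverage_report(vhost_names(VHOST_CONF), CERT_SANS)
    for host in report["missing"]:
        print(f"NOT in certificate: {host}")
    if report["over_limit"]:
        print(f"more than {LE_MAX_SAN} names: one LE certificate cannot cover them")
```

Run against the constructed input it flags `shop.example.test` and `*.blog.example.test` as aliases that would still trigger a certificate warning on port 443; on a real host, feed it the site's `httpd` vhost file and the SAN list from the deployed certificate. Names added in the GUI but left on the inactive side of the LE-request page show up here as "NOT in certificate".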

