[BlueOnyx:24485] Re: Questions about LE and domain aliases

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Wed Nov 11 11:52:36 -05 2020


Hello Michael,

thanks for the example.
Can you show me the <Virtualhost 443></Virtualhost> section from
/etc/httpd/conf/vhosts/site<nr> for this example?
Because yes, the names are in the certificate, I saw that too. But if the
names are not listed as ServerAlias in the https section of the site's
Apache configuration, then they don't help, because then the site at
https://alias does not consider itself addressed. The point of having multiple names is
that redirection to the main domain works even if the alias is addressed via
https://.

Best regards,
Dirk

blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel 

 
-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: Wednesday, 11 November 2020 17:08
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:24483] Re: Questions about LE and domain aliases

Hi Dirk,

> In the automated LE request I can add several domain names from the 
> list of domain aliases.
> 
> However, it seems that this does not communicate with the ServerAlias in 
> the site<nr> <virtualhost> section for 443.
> 
> It seems that there is only the main hostname as ServerName, and the 
> additional names selected in the LE request do not seem to correspond with 
> this setting.

I'm not sure if I understand your question. Could you please elaborate?

If you set web server aliases, then the aliases can be completely different
domain names as well.

See the attached image "aliases.png", which are the actual aliases of the
Vsite www.blueonyx.it

On the GUI page where the LE certificate is requested I have moved all these
aliases to the left in order to request their inclusion in the resulting SSL
certificate.

And finally see the image "cert.png", which shows which domain names the
resulting cert is valid for. And this has auto-renewed just fine ever since
I set it up that way a couple of years ago.

The LE-request page populates the list of "SSL domain aliases" anew each
time you add or remove aliases. If you add an alias to the Vsite, it'll show
up in that list, although in an inactive state, and (if you wish to include it
in the certificate) you must move it to the left and request a new LE cert.

As for AdmServ: The LE cert of that indeed is only valid for the hostname of
the server. We *could* potentially make it valid for Vsites by making
requests that include the Vsite FQDNs.

However, a couple of things typically speak against it:

On 5210R with SNI now being available for both the MTA and Dovecot there is
not much of a reason to do so.

In the GUI itself under "Server Management" / "Maintenance" / "Server
Desktop" you can tick "Redirect to Server-Name", which eliminates the
certificate warning if someone accesses the GUI via www.vsite.com/login
instead of <server-name>/login

Lastly: there is a limit on how many domain aliases an LE certificate can
have. We quickly exceed that limit on a typical BlueOnyx if you factor in
web server aliases.

--
With best regards

Michael Stauber
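The mismatch Dirk describes (names present in the certificate's Subject Alternative Name list but absent from the ServerAlias of the port-443 vhost) can be checked mechanically. The script below is an added example for this thread, not BlueOnyx code: it parses the ServerName/ServerAlias lines of whichever <VirtualHost> blocks listen on a given port, parses the DNS entries from `openssl x509 -noout -ext subjectAltName` output, and reports names the cert covers that the https vhost will not answer for. The vhost file and the openssl output embedded here are constructed samples with hypothetical hostnames and paths; on a real server you would read /etc/httpd/conf/vhosts/site<nr> and run openssl against the site's certificate instead.

```python
import re

# Constructed sample in the shape of a site<nr> vhost file. Hostnames,
# addresses and paths are hypothetical; they are not from the original thread.
SAMPLE_VHOST_CONF = """\
<VirtualHost 203.0.113.10:80>
    ServerName www.example.test
    ServerAlias example.test alias-one.test www.alias-one.test
    DocumentRoot /home/sites/site1/web
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName www.example.test
    ServerAlias example.test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/site1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site1.key
    DocumentRoot /home/sites/site1/web
</VirtualHost>
"""

# Constructed output in the shape of:
#   openssl x509 -in /etc/pki/tls/certs/site1.crt -noout -ext subjectAltName
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:www.example.test, DNS:example.test, DNS:alias-one.test, DNS:www.alias-one.test
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def vhost_names(conf_text, port):
    """Hostnames (ServerName plus ServerAlias) answered by the
    <VirtualHost> block(s) whose address list includes `port`."""
    names = set()
    for addr, body in VHOST_RE.findall(conf_text):
        # The address list may be "1.2.3.4:443", "*:443" or "[::]:443".
        if not any(a.rsplit(":", 1)[-1] == str(port) for a in addr.split()):
            continue
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2 or parts[0].lower() not in ("servername", "serveralias"):
                continue
            for n in parts[1:]:
                # ServerName may carry a scheme and port: ServerName https://host:443
                n = n.split("://", 1)[-1].split(":", 1)[0]
                names.add(n.lower())
    return names


def cert_san_names(openssl_output):
    """DNS names from the subjectAltName extension as printed by openssl."""
    return {m.lower() for m in re.findall(r"DNS:([^\s,]+)", openssl_output)}


def check_https_aliases(conf_text, openssl_output):
    """Compare the cert's names with what the 443 vhost answers for.

    'missing_from_vhost' are names the cert is valid for but that the https
    vhost ignores (Dirk's case: https://alias reaches the wrong site).
    'missing_from_cert' are names the vhost serves without a matching SAN
    (a browser warning when reached over https)."""
    in_vhost = vhost_names(conf_text, 443)
    in_cert = cert_san_names(openssl_output)
    return {
        "missing_from_vhost": sorted(in_cert - in_vhost),
        "missing_from_cert": sorted(in_vhost - in_cert),
    }


def suggested_alias_line(report):
    """The ServerAlias line that would make the 443 vhost match the cert."""
    if not report["missing_from_vhost"]:
        return None
    return "ServerAlias " + " ".join(report["missing_from_vhost"])


if __name__ == "__main__":
    report = check_https_aliases(SAMPLE_VHOST_CONF, SAMPLE_SAN_OUTPUT)
    print("in cert but not in :443 vhost:", report["missing_from_vhost"])
    print("in :443 vhost but not in cert:", report["missing_from_cert"])
    fix = suggested_alias_line(report)
    if fix:
        print("add to the <VirtualHost ...:443> block:", fix)
```

With the constructed sample the :80 block answers for all four names while the :443 block only knows www.example.test and example.test, so the script reports alias-one.test and www.alias-one.test as covered by the certificate but unreachable over https, which is exactly the symptom described above. Adding the suggested ServerAlias line to the 443 block (and, if the intent is the redirect Dirk mentions, a Redirect to the main name inside that block, an assumption about the desired setup rather than something the thread prescribes) makes https://alias land on the right vhost; `httpd -t -D DUMP_VHOSTS` afterwards shows which names Apache actually maps to each port.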