[kwlug-disc] Let's Encrypt

Nick Guenther nguenthe at uwaterloo.ca
Wed Jan 20 21:27:20 EST 2016


On January 20, 2016 9:14:18 PM EST, "B.S." <bs27975 at yahoo.ca> wrote:
>Help me understand this.
>
>As far as I knew, every cert gets cross-checked back to the cert issuer
>for authenticity.
>
>If you use the same cert on different services, presumably with
>different names ... wha?
>
>(Not to say SNI isn't also the answer, but it doesn't seem intuitively
>so, here, for Bob's use case.)
>
>e.g. www.sobac.com, xmpp.sobac.com, myotherwww.sobac.com
>
>I can see a sobac.com cert, and a setup where sobac.com is
>authoritative for all 'domain' certs, but I'm guessing that takes some
>special setup, or options checkboxes, when creating the cert.
>
>Or a cert that's actually cert'ing one's own local CA?
>
>>________________________________
>> From: Raymond Chen <raymondchen625 at gmail.com>
>>To: KWLUG discussion <kwlug-disc at kwlug.org> 
>>Sent: Wednesday, January 20, 2016 2:17 PM
>>Subject: Re: [kwlug-disc] Let's Encrypt
>> 
>>
>>
>>I think the solution of your 'one cert to one web server' problem is
>>SNI (Server Name Indication). On the server side, many web servers
>>support that, e.g. Apache. But it also requires browser support; here is
>>a browser compatibility table I found: http://caniuse.com/#feat=sni
>>
>>
>>On Wed, Jan 20, 2016 at 12:31 PM, Bob Jonkman <bjonkman at sobac.com>
>>wrote:
>>
>>>
>>>Has anyone used a single Let's Encrypt cert for multiple services?
>>>For example, I've got one domain, sobac.com, which hosts e-mail, XMPP and
>>>a Web site. Is it possible to use the same cert for all those services
>>>under the same domain?
>>>
>>>Has the problem of virtual web servers been solved? Last I heard it
>>>was only possible to apply one cert to a web server. A web server
>>>that hosts multiple domains couldn't use a Let's Encrypt cert -- is this
>>>still true?
>>>
>>>I would like to see a presentation/demonstration on acquiring and
>>>installing a Let's Encrypt cert on a variety of services...

For each domain name you run the letsencrypt protocol again. But if you have vhosting you can do it all in one command:

$ letsencrypt certonly --standalone -d xmpp.sobac.com -d sobac.com -d www.sobac.com

The machine you run that on must be where DNS resolves to for all those domains, of course.

letsencrypt's tracker has requests for wildcard domains and sub-CAs, but they are holding back on that. If they get it properly automated then the need for wildcard domains disappears, since it's just an extra command line while you're sysadminning, and big services like tumblr can gen a cert when someone makes a new account.
-- 
Nick Guenther
4B Joint Stats/CS
University of Waterloo
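As an added illustration (not part of this thread, and not the letsencrypt client's own code), here is a small Python model of the client-side check B.S. asks about: the client matches the name it connected to against the certificate's Subject Alternative Names, so one cert listing sobac.com, www.sobac.com and xmpp.sobac.com works for all three services, and an SNI-aware server picks the cert that covers the name the client asked for. The certificate dicts are constructed in the shape Python's ssl.getpeercert() returns; they are not real certificates.

```python
"""Hostname validation against a certificate's Subject Alternative Names,
plus SNI-style certificate selection. Constructed example for this thread."""

# Constructed: what a client would see from a single cert issued for the
# three names in the command above (not a real certificate).
SOBAC_CERT = {
    "subject": ((("commonName", "sobac.com"),),),
    "subjectAltName": (("DNS", "sobac.com"),
                       ("DNS", "www.sobac.com"),
                       ("DNS", "xmpp.sobac.com")),
}
# Constructed: the kind of wildcard cert the thread says was not yet issued.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
}


def _name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' is only honoured as the
    whole leftmost label and matches exactly one label (never the bare
    domain, never 'a.b.example.org', never '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True when any DNS SAN covers hostname. Only SANs are consulted:
    a modern client ignores commonName once SANs are present."""
    return any(kind == "DNS" and _name_matches(name, hostname)
               for kind, name in cert.get("subjectAltName", ()))


def select_cert_for_sni(sni_hostname, certs):
    """What an SNI-aware server does with several configured certs: return
    the first one whose SANs cover the requested name, else None."""
    for cert in certs:
        if cert_matches_hostname(cert, sni_hostname):
            return cert
    return None
```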