Let's Encrypt alt names for panel cert?

  • Hi,


    Is it possible to have the panel certificate support multiple alt names?


    So far I did it manually and was able to create the certificate with all needed alt names, now I switched to the plugin, but the automated plugin seems to give me no such option? Is there a way I haven't seen yet?


    Thanks!

  • @Catscrash


    No, that is not possible at this moment. The plugin is for shared hosting where each customer can enable SSL for its domains or subdomains. There is one SSL lineage for each domain/subdomain.


    Which subject alternative names would you want to add? For which purpose?


    We could add support for subject alternative names but a customer would be restricted to names that are part of its domains.


  • Hi!


    I would like the customer to be able to call the panel using his own domain. Let's say I use


    panel.hosting8.example:4443


    but the customer has custdomain1.de and I want him to be able to use custdomain1.de:4443. nginx doesn't bind to a specific domain, so that's not an issue, but of course the not-matching certificate is not nice.


    This would be especially nice, since the webmailer runs here as well, so the customer could do a webmail.custdomain1.de -> custdomain1.de:4443/webmail redirect himself and have the "trusted" domain in the URL and not something unknown.


    Let's Encrypt supports this; I used this manually like I said before (and you already use it for the www. alt names, so I guess part of it would already be ready in the code?). I think it would be enough if there was a text box where you could enter alt names for the certificate before the activation. I also think it would be enough if that was possible for the panel; it would not be needed for the customer domain certificates.

  • @Catscrash


    If I understand correctly, you want to add each customer domain name as a subject alternative name of the panel SSL certificate.


    Problem:

    • There is a limit of 100 SANs per certificate
    • Each time a new customer is added (new domain), the panel SSL certificate must be expanded. So here, if you add more than 20 customers in the same week, you'll hit the Certificates per Registered Domain Let's Encrypt limit (at least for the panel domain name and later for other domains too, depending on the number of names added in the certificate in the same week).

    Another thing:

    "nginx doesn't bind to a specific domain, so that's not an issue"

    That's not really true. This works only because currently there is only one server defined on the nginx side (the panel), which acts as a "catchall" (default vhost). In the near future, nginx will also be available for customers, meaning more than one vhost, and thus the panel will not always be the default vhost.


    To summarize: Your use case is something that we cannot really take into consideration. We are working with really big hosting companies for which such a feature would be totally useless due to the limitations listed above. As I understood, you want to create a SAN SSL certificate containing customer domain names as subject alternative names, but most of the time those domains are not known yet when the SSL certificate for the control panel is issued.


    So, here the only thing we can do is to add a textarea for subject alternative names, but it will be available at admin level only, and only for the panel and services SSL certificates.


    Note also that if one domain doesn't point to your server (for any reason) there will be a failure during SSL certificate issuance. There is a certbot option (--allow-subset-of-names) to ignore names for which there is an auth failure, but we don't enable it by default. And doing a DNS check for all listed subject alternative names, as we currently do for customer domains, the panel domain and the system hostname, would be a crazy thing: 99 subject alternative names would involve at least 99 DNS queries.
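As an added illustration of the three constraints described in the reply above (the 100-SAN limit, the weekly per-registered-domain limit and the per-name DNS check, with the subset behaviour of --allow-subset-of-names), here is a constructed pre-flight check in Python; it is not the plugin's code, and the panel address, the limit value of 20 and the DNS answers are assumed:

```python
# Pre-flight check for expanding the panel certificate with extra SANs.
# Constructed example, not i-MSCP plugin code. It models the three points
# raised above: the 100-SAN-per-certificate limit, the weekly
# certificates-per-registered-domain limit, and a DNS check that each name
# points at the panel host. allow_subset mirrors certbot's
# --allow-subset-of-names (skip failing names instead of aborting).

MAX_SANS = 100            # Let's Encrypt: at most 100 names per certificate
WEEKLY_CERT_LIMIT = 20    # certs per registered domain per week, as quoted above
PANEL_IP = "192.0.2.10"   # assumed panel address (RFC 5737 documentation range)

# Constructed stand-in for a real DNS lookup, so the example runs offline.
FAKE_DNS = {
    "panel.hosting8.example": "192.0.2.10",
    "custdomain1.de": "192.0.2.10",
    "www.custdomain1.de": "192.0.2.10",
    "custdomain2.de": "198.51.100.7",   # points at some other host
}

def registered_domain(name):
    # Naive: last two labels. Real tooling uses the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def plan_san_expansion(current_sans, new_names, issuance_history,
                       resolve=FAKE_DNS.get, allow_subset=False):
    """Return (names_to_request, rejected) or raise on a hard failure.
    issuance_history: list of (registered_domain, days_ago) for past issuances."""
    accepted, rejected = list(current_sans), {}
    for name in new_names:
        if name in accepted:
            continue
        ip = resolve(name)
        if ip != PANEL_IP:                      # the DNS check the plugin does per domain
            if not allow_subset:
                raise RuntimeError(f"{name} does not point to the panel (got {ip})")
            rejected[name] = f"skipped, resolves to {ip}"
            continue
        if len(accepted) >= MAX_SANS:
            rejected[name] = f"certificate already carries {MAX_SANS} SANs"
            continue
        accepted.append(name)
    if accepted == list(current_sans):
        return accepted, rejected               # nothing new, no reissue needed
    base = registered_domain(current_sans[0])
    recent = sum(1 for dom, days_ago in issuance_history
                 if dom == base and days_ago < 7)
    if recent + 1 > WEEKLY_CERT_LIMIT:
        raise RuntimeError(f"reissue would exceed {WEEKLY_CERT_LIMIT}/week for {base}")
    return accepted, rejected
```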


  • "So, here the only thing we can do is adding a textarea for subject alternative names but it will be available at admin level only, and only for the panel and services SSL certificates."


    That would be exactly the thing I would like, but I see and understand your concern. The limitations wouldn't be an issue for me, since it's quite small and I wouldn't hit either limit, but I get that you have to look out for the big customers as well.


    Thanks for your post, and if you do plan to create such a text field in the future, I would be very happy ;-)

  • @Catscrash


    Would something like this be sufficient for you?


    sans.png


  • @Catscrash


    Is it clear enough for you?


    sans.png


    Note that for the services SSL certificate, the www.XXXX SAN is added by default only if you use the domain as customer domain (or subdomain) and if you included www.


  • Crazy thing <X
