LetsEncrypt question

Discussion in 'Installation/Configuration' started by Loveless, Apr 24, 2017.

  1. Loveless

    Loveless Member

    Assuming I will never host more than around 30 different domain names on a specific ISPConfig server (with just 1 IPv4 address),
    totalling to a maximum of around 95 certified names ( when all subdomains are counted, like mail.xname and somethingspecial.xname )
    is it safe to say that I can use just 1 big cert for all ?

    If so, such would ease my configuration by a huge margin.
    That way I can extend the one cert each time a new Client is added, and have Clients able to securely use
    mail.my-private-hosting-outfit.org as well as mail.clients-domain-name.org to access their mail.

    LetsEncrypt are not really saying this is either a good or bad idea, but I want to know what you guys think.
    Thanks in advance for possible assurance on this.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    I believe the limit is 100 names per certificate, so if you're sure you'll never exceed that, and other limits like the number of reissues you'll need to get this setup, then it would probably work. ISPConfig's gui can't manage the certificate, you'd be on your own for that, but it'd be a fairly simple script to write to read a static list of names to request in the certificate (or even a dynmaic list, reading domains from the db).
     
  3. Loveless

    Loveless Member

    OK, great! Any quick clues on how to disable the letsencrypt config/scripts ISPC fires off when a new site or email domain is created? Indeed, assuming I'll do this on my own, and will simply create symlinks for the cert entries in config, or have some template always dump the one cert name for all newly created vhosts, which is probably best. I can then link directly to /etc/letsencrypt from there. Since I will also have HSTS for all sites on the server (all TLS https only), I can pull this off with a custom /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master correct?
    (I'm only using nginx, no apache)
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    If you don't enable the LetsEncrypt checkbox for a website, ispconfig won't generate a certificate for it, so no need to disable anything there. Your approaches of symlinks or custom vhost template sounds sane; if you have other customizations you want across all sites then yes, a custom template is probably easiest. /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master sounds like the right name.
     
  5. sjau

    sjau Local Meanie Moderator

    The problem with so man names in a cert is that if for some reason one name fails, you won't get the cert and you have to reapply by removing that one domain from the list first. I wouldn't go that route if there i no real necessity.
     

Share This Page