Multiple sites using the same set of SSL files

Discussion in 'ISPConfig 3 Priority Support' started by gbe, Jun 26, 2016.

  1. gbe

    gbe New Member HowtoForge Supporter

    Hi,
    I have a dozen or so websites on a server that are all sub-domains on the same base domain. For example:
    • www.example.com
    • wiki.example.com
    • blog.example.com
    • ispconfig.example.com
    • etc
    All these websites use the same SSL cert - I have a wildcard SSL cert that covers *.example.com. When I renew my wildcard cert every year, I have to update a bunch of websites. This is tedious and I'd like to reduce the admin wherever I can. So is there a way (through configuration, or symlinks, or whatever) that I can set up all these sites to reference the same set of SSL files (cert, key and bundle)? I'd like to be able to update those files just once, and then all the sites simply begin using the renewed cert.
    Is this possible?
    Many thanks
    Geoff.
     
    Last edited: Jun 26, 2016
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you can replace the SSL cert files with symlinks.
     
  3. gbe

    gbe New Member HowtoForge Supporter

    Thanks @till for this. Some questions arise:
    1. So if multiple different sites (who would all be different users like web27:client1 and web34:client1) all had symlinks to the same set of files, would they all have permissions to read them?
    2. Under what user should the primary files be created? Can they be owned by root?
    3. When it is time to update the cert, would I just need to update the SSL details on one of the sites through ISPConfig for this change to reflect on all sites? In other words, would an update to one of the sites obey the symlinks, updating the primary files?
    4. Would such a setup survive a Resync?
    5. I'm also thinking about establishing new sites with the same symlinks... is there a process in the creation of a new site where ISPConfig can fire a custom script? Or would I need to create the symlinks manually each time a site is created?
    Thanks in advance
    Geoff.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    1) No, ssl certs are owned by root.
    2) root
    3) No, you have to do the cert managemanet manualy then, dont touch the ispconfig ssl settings as this will likely break the symlink setup.
    4) I'm not sure, it might survive but you should test this with one site first.
    5) Create a small custom server plugin that subscribes for the website insert event.
     
  5. gbe

    gbe New Member HowtoForge Supporter

    Thanks @till for that. I will give it a go. Do you have any pointers to server plugin resources or examples?
     
  6. sjau

    sjau Local Meanie Moderator

    Do you need a wildcard cert? If not, ISPC 3.1 offers automated ssl cert from Let's Encrypt.
     

Share This Page