Securing back end with Let's Encrypt - multiple aliases [Previously: StartSSL query]

Discussion in 'Installation/Configuration' started by FactionOne, Jun 20, 2017.

  1. FactionOne

    FactionOne Member

    I'm given to expect that I always make a mess of things; and both because of and in spite of this I get the feeling the mess I have been making is not realising that intended use is to run twice, first to issue then to install?

    Because I'm a bit compulsive about clean images, and I've done all sorts of dirty things to the installation I had, I'm going to restore my last image before trying again (I've got 4 duplicates left for the main domain's certificate issued via the panel integration so I figure it's worth it for 'cleanliness').

    Hoping it is just a case of "it's easy when you know how" :) - thanks for your reply. I'll report back [hopefully without one of my waffle-posts].

    Rob.
     
  2. sjau

    sjau Local Meanie Moderator

  3. FactionOne

    FactionOne Member

    Thanks! :)

    I was in the midst of running with just --issue (and keylength, dns, domains) as your reply came in; and as I'm sure you expected, the certificate was generated flawlessly :) --- So yes, I had been making a mess of it by not identifying that issue and install was a two pass deal! :oops:

    Anyway, I'm just about to do the --install-cert part, and I wonder if you would confirm my understanding that when installing the certificate, I only need specify one -d argument for the certificate's primary name, despite specifying other domains in the issue pass (in the install pass, it's more a filesystem location pointer than anything specific to the contents of the certificate)?

    i.e. Where I specified:
    Code:
    -d alpha.mydomain.co.uk \
    -d ftp.mydomain.co.uk \
    -d mail.mydomain.co.uk \
    -d ns1.mydomain.co.uk \
    -d webmail.mydomain.co.uk \
    with --issue, I only need to supply -d alpha.mydomain.co.uk when using --install-cert?

    Again, many and sincere thanks for your help.

    Rob.

    P.S. (I'm pretty broke at the moment, I'm embarrassed to say (though I guess running all this on 2x Raspberry Pi could be a clue!); but I solemnly promise to at least buy you a drink/pizza/similar via the donate page I saw in the wiki as soon as I can.)
     
  4. sjau

    sjau Local Meanie Moderator

    if you request a cert for multiple domains, it will be stored just as 1 cert and it will be stored in the folder named after the first -d hostname.

    E.g. if you run
    Code:
    -d domain.1.tld -d xxxdomain.tld -d 3rddomain.tld
    
    then it will be stored in
    Code:
    ~/.acme.sh/domain.1.tld
    
    so, for installation, you have to provide the name of the first domain name used so that acme.sh knows which cert you want to install, in the above case:
    Code:
    acme.sh --install-cert -d domain.1.tld ....
    
    So as for your question:

    Yes, it's just --install-cert -d alpha.mydomain.co.uk

    What wiki? No need to donate something.
     
    Last edited: Jun 30, 2017
  5. FactionOne

    FactionOne Member

    Thanks, that's as I thought :)

    Well, it's all working now...

    ISPConfig panel LE integration secures:

    mydomain.co.uk
    www.mydomain.co.uk

    Your excellent (once I used it right!) acme.sh doing DNS-01 for:
    alpha.mydomain.co.uk
    ftp.mydomain.co.uk
    mail.mydomain.co.uk
    ns1.mydomain.co.uk [not really required, but it is an alias of the same machine, so why not]
    webmail.mydomain.co.uk

    I've symlinked postfix/dovecot, and done the chain thing for pure-ftpd, and integrated that into my regen/restart script called by --reloadcmd.

    Checked mydomain.co.uk in browser, all secure :)
    ISPConfig panel at alpha.mydomain.co.uk:8080, all secure :)
    FilezillaFTP received [as expected] a chain of two certificates from pure-ftpd - my public and the CA, TLS connected, no errors, all secure :)
    I haven't got an SMTP/POP client on my machine at the moment, so I'll check those later, but I reckon they'll be good too :)

    Thanks very much for all your patient assistance! ...The server's just waiting a few minutes for a nice graceful shutdown so I can take an image :)

    Best regards,

    Rob.

    P.S. The wiki section of your github repo for acme.sh :) - and I will when I can!
    P.P.S. I might do a write-up of the whole shooting-match for Raspberry Pi, bare image, ISPConfig dependencies, ISPConfig setup, and securing everything with LE with certbot and acme.sh as I did; perhaps with optional steps for the secondary DNS server. - Maybe if I can't donate much that's a way to pass it on.
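    As an added example (not code from the thread, acme.sh or ISPConfig), the two-pass flow from posts 4 and 5 driven by one hostname list, so --issue gets every -d while --install-cert gets only the primary host that names the storage folder, plus the key+chain PEM that pure-ftpd wants from a --reloadcmd script. The dns_ispconfig plugin name, 4096-bit key, and all file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: acme.sh is on PATH, the
# ISPConfig DNS API plugin is selected with --dns dns_ispconfig, and pure-ftpd
# reads private key and certificate chain from one PEM file.

# Hostnames, primary first (constructed sample mirroring the thread).
DOMAINS="alpha.mydomain.co.uk ftp.mydomain.co.uk mail.mydomain.co.uk ns1.mydomain.co.uk webmail.mydomain.co.uk"

# First hostname in the list: this is what acme.sh names the cert folder after.
primary_domain() { set -- $1; echo "$1"; }

# Where acme.sh keeps a multi-name cert: ~/.acme.sh/<first -d host>/
acme_cert_dir() { echo "${ACME_HOME:-$HOME/.acme.sh}/$(primary_domain "$1")"; }

# Every hostname becomes a -d argument for the --issue pass.
d_args() {
  out=""
  for h in $1; do out="$out -d $h"; done
  echo "${out# }"
}

# Pass 1: issue via DNS-01 for all names (command string, printed not executed).
issue_cmd() {
  echo "acme.sh --issue --dns dns_ispconfig --keylength 4096 $(d_args "$1")"
}

# Pass 2: install. Only the primary -d is given; it selects the stored cert,
# it is not a list of names to cover. $2 = target dir, $3 = reload script.
install_cmd() {
  echo "acme.sh --install-cert -d $(primary_domain "$1") --key-file $2/ssl.key --fullchain-file $2/ssl.crt --reloadcmd $3"
}

# For --reloadcmd: pure-ftpd needs key + full chain in a single PEM file.
# $1 = key file, $2 = fullchain file, $3 = output PEM. Written mode 600.
build_pureftpd_pem() {
  ( umask 077; cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Stand-alone run prints the two commands a user would copy.
issue_cmd "$DOMAINS"
install_cmd "$DOMAINS" /etc/ssl/alpha /usr/local/bin/regen-and-restart.sh
```

Running the script only prints the commands; wire build_pureftpd_pem into the real reload script together with the postfix/dovecot/pure-ftpd restarts.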
     
  6. sjau

    sjau Local Meanie Moderator

    I did not create acme.sh. I just wrote the DNS plugin for ISPConfig
     
  7. FactionOne

    FactionOne Member

    Ah! Another of my misunderstandings!

    Still, thank you nonetheless (actually, more so!) for all your help.

    Rob.
     
  8. sjau

    sjau Local Meanie Moderator

    I like acme.sh because it's written in pure shell script... and it's rather "simple" code... :)
     
