I have two separate servers using the same domain name with separate prefixes, one doing some app stuff and one doing filesharing. Using the autocert package how can I just configure the cert manager to produce a certificate that I can use on both servers?
Add both domains to the cert manager's host whitelist:
import "golang.org/x/crypto/acme/autocert"

certManager := autocert.Manager{
	Prompt:     autocert.AcceptTOS,
	HostPolicy: autocert.HostWhitelist("domain.me", "filesharing.domain.me"), // both names the certificate must cover
	Cache:      autocert.DirCache("certs"),                                   // folder for storing certificates
}
and add two A records to the DNS:
I have an active SSL cert for "domain.com" that is hosted on Server1. If I have a mail service that is hosted on Server2 and uses the same domain root, "domain.com", would I be able to use the same cert? Or do I need to buy a second SSL for the same domain on the mail server?
Your certificate's SAN (Subject Alternative Name) should either contain both of the target domains or a wildcard domain like *.domain.com.
Additionally, the private key must be copied from server 1 to server 2.
If you follow the suggestions above, you should be good to go.
For a project I'm working on I will have multiple servers and lots of subdomains (e.g. *.mydomain.example). I'm thinking of getting this SSL cert from GoDaddy: Unlimited Subdomains (Wildcard) $199.99/yr
Will I be able to use the cert on all the servers or do I need to buy a cert for each server since they each have a unique IP address?
Certificates are bound to a hostname (or wildcard hostname), so you're fine using the same cert on multiple machines.
However, when requesting a certificate, you usually create a private key on one of the servers. This private key needs to be copied to all machines in addition to the actual certificate that you receive.
One scenario is where you have www.domain.example resolving to an IP of a load-balancer, which in turn forwards the traffic to multiple servers. In that case, you only need a certificate for www.domain.example that you copy (with the private key) to all servers in your cluster.
I'm using Elastic 2.2.0 with Shield 2.2, a 10-node cluster. I need to enable SSL in Elastic for Kibana to work with Shield and I got into trouble on the certificate signing part.
I do not have a wildcard certificate, so I can't sign just one CSR on a node and copy it to all other nodes. I tried to use Let's Encrypt (with the Elastic tutorial) and sign a certificate with a common name of node1 and alternative names of node2-10 and copy it to all other nodes (of course I first created domains for all 10 servers and pointed them to node1, signed the CSR, then pointed all the 9 to the right server). It didn't work and I got a lot of "bad certificate" exceptions in the nodes' log.
As I said, I need SSL for Kibana to work with Shield, and for secure connections in general, and I'm planning to add some more nodes to the cluster...
How can I manage to do so?
What would be the best architecture for that purpose?
The problem was that I tried to use the certificates on private IP seeds of nodes, and as the documentation says (it's not possible):
If you use a commercial CA, the DNS names and IP addresses used to identify a node must be publicly resolvable. Internal DNS names and private IP addresses are not accepted due to security concerns.
If you need to use private DNS names and IP addresses, using an internal CA is the most secure option. It enables you to specify node identities and ensure node identities are verified when nodes connect. If you must use a commercial CA and private DNS names or IP addresses, you cannot include the node identity in the certificate, so the only option is to disable hostname verification.
So the solution is to use the certificate only for outside requests (like kibana UI) by setting in elasticsearch.yml:
shield.transport.ssl: false
shield.http.ssl: true
I am running an Apache web server and I am supposed to put 2 SSL certs on a single website. Is this possible? How can I do this? I read the Apache user manual and it says I can only have 1 SSL cert for a single IP and port.
After the comments from the OP:
Setup two subdomains - one for static/to be CDN'd content and one for dynamic/not to be CDN'd content.
Get + setup a "wildcard cert" for your domain i.e. a cert for "*.yourdomain.com"... these are a bit more expensive but exactly for your situation...
As Yahia points out, a wildcard cert is an option. They are also expensive.
You can certainly have multiple named SSL certs on your server for images.domain.com and static.domain.com or whatever named sites you want and that is not a security issue. In fact, that is considered more secure than a wildcard cert.
It is true that you can only have one named cert per IP, because SSL certs are bound to the IP in the web server config. So you would need to have multiple IP addresses on the server hosting the sites. If the dynamic and static content are already on different machines, then you're set there, but it sounds like they are on the same machine.
That doesn't mean that the ports need to be different between the sites. You can have both 123.45.67.89 and 123.45.67.88 listening on the same port (443 in this case) on the same machine.
Here is a post I found that looks like it describes the config pretty well.
http://wiki.zimbra.com/wiki/Multiple_SSL_Virtual_Hosts
I am not sure if I need a basic or wildcard certificate and how many.
1) I assume 1 certificate goes in 1 server - so if I have 2 web servers then I need 2 certificates?
2) From what I read, wildcard is only needed for subdomains. But what about if I have the same main domain but just use subdomains for multilanguage? Like my site is, say, www.xxx.com and when someone is viewing it in British English I change it to: uk-eng.xxx.com
In the above case will a basic certificate work or is this a wildcard?
Two web servers usually have different host names (if it's not a cluster). So you need to protect both host names.
An HTTP certificate protects the host name, so a certificate for "www.xxx.com" is only for this domain. A wildcard allows subdomains, i.e. "*.xxx.com" allows all names, e.g. "www.xxx.com" and "uk-eng.xxx.com", but is more expensive; however, you can use the same certificate on several servers.
One certificate is usually needed per domain, not per server (one cert can cover more than one domain, hence "usually"). For multiple subdomains you would need a wildcard certificate.
If you are not sure, the best idea is to contact CA's support and ask them what they can offer you. Different CAs have different offers for cases like yours.
JFYI: A standard single-domain certificate is usually issued for "domain.com" and "www.domain.com" (so it covers a domain and one of its subdomains).
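The answers above (the SAN-or-wildcard advice for the mail server, the multi-server wildcard answer, the Elasticsearch cluster with private IPs, and the basic-vs-wildcard question) all turn on which names a certificate's SAN list actually covers. As an added example, not code from any of the posts, the following Go program checks that with the standard library's own hostname matching; all names and IPs in it are constructed.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
)

// certFor builds an in-memory certificate carrying the given DNS and IP SANs.
// Only the name fields are set; VerifyHostname looks at nothing else, so this
// exercises exactly the matching rules a TLS client applies to a real cert.
func certFor(dnsNames []string, ips []string) *x509.Certificate {
	c := &x509.Certificate{DNSNames: dnsNames}
	for _, s := range ips {
		if ip := net.ParseIP(s); ip != nil {
			c.IPAddresses = append(c.IPAddresses, ip)
		}
	}
	return c
}

// uncovered returns the hosts (DNS names or IP literals) that a client would
// reject when connecting to them, because no SAN in cert matches.
func uncovered(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Two servers under one name, as in the autocert question: list both SANs.
	two := certFor([]string{"domain.me", "filesharing.domain.me"}, nil)
	fmt.Println("missing:", uncovered(two, []string{"domain.me", "filesharing.domain.me"}))

	// A wildcard matches one label only: neither the apex nor deeper names.
	wild := certFor([]string{"*.domain.com"}, nil)
	fmt.Println("missing:", uncovered(wild, []string{"mail.domain.com", "domain.com", "a.b.domain.com"}))

	// Cluster nodes named in one cert plus a private IP SAN (something only an
	// internal CA will issue); a node reached by an unlisted IP is rejected.
	cluster := certFor([]string{"node1.domain.example", "node2.domain.example"}, []string{"10.0.0.1"})
	fmt.Println("missing:", uncovered(cluster, []string{"node2.domain.example", "10.0.0.1", "10.0.0.2"}))
}
```

Run it against the DNS names in a real certificate (cert.DNSNames after x509.ParseCertificate) to see before deployment which of your hosts it will not cover.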