OSC / ondemand

Supercomputing. Seamlessly. Open, Interactive HPC Via the Web
https://openondemand.org/
MIT License

Multiple domains with multiple certificates for Apache2 TLS? #3552

Open cwaldbieser opened 1 month ago

cwaldbieser commented 1 month ago

Lafayette College and Swarthmore College are collaborating to create a combined HPC cluster. We'd like to deploy Open OnDemand such that users can use URLs with their home domain name. E.g. firebird.lafayette.edu or firebird.swarthmore.edu.

If I were setting up a generic web site with Apache2 httpd for this scenario, I'd probably set up 2 distinct VirtualHosts, each with their own ServerName. Each VirtualHost would have its own TLS cert which would be contributed by each member institution.

However, I'm not sure the OOD config lets me set things up this way? The docs seem to suggest that everything gets deployed under one virtual host and I could configure a ServerAlias setting for each domain. That would require that the public certificate has both domains on it (in the subject alternative names field). While that is possible, authorizing a certificate with domains from both institutions may prove to be somewhat challenging.

I wanted to make sure I am not overlooking an obvious way to set up multiple VirtualHosts for OOD or otherwise deploy 2 TLS protected domains for the same site.

johrstrom commented 1 month ago

Yea I don't think we support multiple virtual hosts. But as you indicate you can use ServerAliases (though we're patching that functionality right now in the next 3.1.x release).

If you're not married to the domain names maybe you could play some games with them like hpc.firebird-swarthmore.edu & hpc.firebird-lafayette.edu, that way you can jointly own the firebird-*.edu domains?

Of course 2 separate instances (VMs) is an option too.

Sorry we can't be much more help! @treydock do you have any more insight?

cwaldbieser commented 1 month ago

Thanks for confirming. I doubt our certificate registrar would issue a firebird-*.edu certificate to use; I think some other .edus might object to that. ;) Running 2 separate instances is something to consider. Another thing that comes to mind would be to perhaps use multiple vhosts and certs on a proxy in front of the deployment, and merge those 2 requests into something a bit easier to manage on the back end. E.g. firebird.lafayette.edu -> fb-laf.lafayette.edu and firebird.swarthmore.edu -> fb-swa.lafayette.edu. It is easy enough for us to issue certs with multiple names that belong to a single institution.
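The two-VirtualHost layout from the opening post and the front-proxy idea in the comment above, written out as an Apache httpd configuration. This is an added example, not configuration from the OnDemand project or from anyone in this thread: the backend names fb-laf.lafayette.edu and fb-swa.lafayette.edu are taken from the comment, and every certificate path and CA bundle name is an assumption for illustration.

```apache
# Added example, not from the OnDemand project or this thread's authors.
# Front proxy with one TLS VirtualHost per institution, each presenting the
# certificate that institution issued. Apache selects the vhost by SNI, so both
# share port 443. Backend names and all file paths are assumptions.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

<VirtualHost *:443>
    ServerName firebird.lafayette.edu
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/firebird.lafayette.edu.fullchain.pem
    SSLCertificateKeyFile /etc/pki/tls/private/firebird.lafayette.edu.key

    # Re-encrypt to the backend and verify its certificate against the hostname
    # in ProxyPass, so a DNS or routing mistake cannot hand sessions to an impostor.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/pki/tls/certs/lafayette-ca-chain.pem

    ProxyRequests Off
    # Off (the default) sends "Host: fb-laf.lafayette.edu" to the backend, which
    # is the "merge into something easier to manage" idea above. Set it to On if
    # the backend must instead see the institution's public name.
    ProxyPreserveHost Off
    ProxyPass        "/" "https://fb-laf.lafayette.edu/"
    ProxyPassReverse "/" "https://fb-laf.lafayette.edu/"
    # ProxyPassReverse rewrites only Location-style headers; Set-Cookie domains
    # need their own rewrite or the browser will drop them.
    ProxyPassReverseCookieDomain fb-laf.lafayette.edu firebird.lafayette.edu
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:443>
    ServerName firebird.swarthmore.edu
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/firebird.swarthmore.edu.fullchain.pem
    SSLCertificateKeyFile /etc/pki/tls/private/firebird.swarthmore.edu.key

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    # Both backend names sit in one institution's SAN cert, so one CA bundle suffices.
    SSLProxyCACertificateFile /etc/pki/tls/certs/lafayette-ca-chain.pem

    ProxyRequests Off
    ProxyPreserveHost Off
    ProxyPass        "/" "https://fb-swa.lafayette.edu/"
    ProxyPassReverse "/" "https://fb-swa.lafayette.edu/"
    ProxyPassReverseCookieDomain fb-swa.lafayette.edu firebird.swarthmore.edu
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Three things to check before relying on a layout like this. ProxyPassReverse does not touch absolute URLs inside response bodies, so any page that embeds the backend hostname will leak it; whether OnDemand's login flow and generated links tolerate a Host-rewriting proxy is not settled in this thread and has to be tested. Applications that use WebSockets need mod_proxy_wstunnel in front as well (on Apache 2.4.47 and later, `upgrade=websocket` on the ProxyPass line). And the backend should honour X-Forwarded-* headers only from the proxy's address, since any client that can reach it directly can otherwise forge them.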

treydock commented 1 month ago

You can create a CSR that uses Subject Alternative Names to have additional valid names. Example:

[root@web05 ~]# openssl x509 -noout -text -in /etc/letsencrypt/live/class.osc.edu/cert.pem
<SNIP>
Subject: CN = class.osc.edu
<SNIP>
            X509v3 Subject Alternative Name:
                DNS:class.osc.edu, DNS:stat.osc.edu

That certificate is good for both class.osc.edu and stat.osc.edu. So for OnDemand you create a cert with Subject Alternative Name that corresponds to additional aliases other than main virtual host ServerName.
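The CSR side of the advice above, as an added example that is not code from the OnDemand project or from the commenter: it builds a CSR whose subjectAltName carries the ServerName plus every ServerAlias, self-signs it so the result can be inspected offline, and then checks which hostnames the certificate actually covers instead of eyeballing the `-text` dump. The hostnames are the ones from the comment, reused here purely as constructed demo input; the self-signed step stands in for the institution's CA and needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the OnDemand project or this thread's authors):
# SAN CSR for a single OnDemand vhost that answers to several names, plus a
# check of which hostnames the issued certificate covers.
set -e

# "DNS:primary, DNS:alias1, ..." from a primary name and any number of aliases.
san_value() {
    out="DNS:$1"; shift
    for name in "$@"; do out="$out, DNS:$name"; done
    printf '%s' "$out"
}

# Key and CSR written into dir $1 for primary name $2 and aliases $3 onward.
# The CN still names the primary host; modern clients only consult the SANs.
make_san_csr() {
    dir=$1; primary=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$primary" \
        -addext "subjectAltName=$(san_value "$primary" "$@")" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# The SAN line of a CSR, i.e. exactly what the CA is being asked to sign.
csr_sans() {
    openssl req -noout -text -in "$1" | grep 'DNS:' | sed 's/^[[:space:]]*//'
}

# Self-sign the CSR for local testing only. "openssl x509 -req" does not carry
# the CSR's extensions over by itself, so the SANs are supplied again through
# -extfile. A real CA normally copies them, but always verify the issued cert.
self_sign() {
    dir=$1; shift
    printf 'subjectAltName=%s\n' "$(san_value "$@")" > "$dir/san.ext"
    openssl x509 -req -days 1 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if certificate $1 is valid for hostname $2, using the same
# matching rules a TLS client applies (once SANs exist the CN is not consulted).
cert_covers_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

# Demo run with constructed names: primary class.osc.edu, alias stat.osc.edu.
work=$(mktemp -d)
make_san_csr "$work" class.osc.edu stat.osc.edu
echo "CSR asks for: $(csr_sans "$work/server.csr")"
self_sign "$work" class.osc.edu stat.osc.edu
for h in class.osc.edu stat.osc.edu www.osc.edu; do
    if cert_covers_host "$work/server.crt" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
rm -rf "$work"
```

Run `cert_covers_host` against the certificate the CA actually returns, once per ServerAlias: a CA that silently drops or rewrites SAN entries is the usual reason one alias works and another throws a hostname mismatch in the browser.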