alexalouit / ISPConfig-letsencrypt

Let's Encrypt support for ISPConfig

Let's Encrypt cert per VHOST/ALIAS vs one single cert for DEFAULT-SSL with all VHOST for small number of domains #23

Open WKnak opened 8 years ago

WKnak commented 8 years ago

Hi, this is a cross post with https://community.letsencrypt.org/t/include-server-ip-address-for-the-main-web-server-helps-with-non-sni-browsers/8531

I was wondering whether Let's Encrypt could include the server IP for one domain (the one with the most traffic) to help minimize the impact on non-SNI browsers? If so, maybe ISPConfig should allow that (or Alex's plugin)...

I have one case where a server has 5 domains, one with 20k page views per day, and the others together don't have 1k PER MONTH! So it makes sense to include the IP as part of the main CERT.

WKnak commented 8 years ago

I've found this response from an LE engineer:

Certificate for public IP without domain name

I think the current Baseline Requirements norm is not to issue certificates for private (RFC 1918-reserved) IP addresses, while certificates for public IP addresses are still permitted. However, Let's Encrypt has decided not to issue certificates for bare IP addresses even if this would be permitted by the Baseline Requirements.

https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082/7

WKnak commented 8 years ago

I've just got a response¹ at the LE community that clarifies the questions a little bit... maybe for some cases with few new domain creations, let's say one or two new domains in 3 months (LE expiry time), it would be a good option NOT to create per-VHOST certs... but to allow ISPConfig to generate/renew a main DEFAULT-SSL certificate for ALL VHOSTs together, especially if there are 10 or fewer...

So maybe the development of the LE and ISPConfig integration should allow an "LE method": per VHOST or a SINGLE cert for the host.

What about that?

¹ https://community.letsencrypt.org/t/include-server-ip-address-for-the-main-web-server-helps-with-non-sni-browsers/8531/3?u=wknak

WKnak commented 8 years ago

Changed the question. A single cert for all vhosts on the same server eliminates problems with non-SNI browsers.
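The situation described in the comments above, as an added example (not code from this issue or from the ISPConfig-letsencrypt plugin): a client that sends no SNI is served the DEFAULT-SSL certificate, so every vhost name on that IP that is missing from its SAN list produces a name mismatch. The vhost table, IP addresses and SAN list below are constructed; the 100-names-per-certificate ceiling is Let's Encrypt's documented limit, not something stated in the issue.

```python
# Added example, not part of the issue or the ISPConfig-letsencrypt plugin.

# Constructed ISPConfig-style vhost table: hostname -> (bound IP, aliases)
VHOSTS = {
    "busy.example.com": ("203.0.113.10", ["www.busy.example.com"]),
    "shop.example.net": ("203.0.113.10", []),
    "blog.example.org": ("203.0.113.10", ["www.blog.example.org"]),
    "other.example.com": ("203.0.113.11", []),
}

# Constructed SAN list of the DEFAULT-SSL cert currently served on 203.0.113.10,
# i.e. what a non-SNI client receives regardless of the host it wanted.
DEFAULT_CERT_SANS = ["busy.example.com", "www.busy.example.com"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a '*.' wildcard covering exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def names_on_ip(vhosts: dict, ip: str) -> list:
    """Every hostname (vhost plus aliases) a client could ask for on this IP."""
    names = set()
    for host, (host_ip, aliases) in vhosts.items():
        if host_ip == ip:
            names.add(host)
            names.update(aliases)
    return sorted(names)


def uncovered_by_default_cert(vhosts: dict, ip: str, default_sans: list) -> list:
    """Names a non-SNI client would fail on: served the default cert, but absent from its SANs."""
    return [n for n in names_on_ip(vhosts, ip)
            if not any(hostname_matches(p, n) for p in default_sans)]


def single_cert_san_list(vhosts: dict, ip: str, max_names: int = 100) -> list:
    """SAN list one DEFAULT-SSL cert for all vhosts on the IP would need (the proposal above).

    Refuses lists over max_names, Let's Encrypt's per-certificate name limit.
    """
    names = names_on_ip(vhosts, ip)
    if len(names) > max_names:
        raise ValueError(f"{len(names)} names exceed the {max_names}-name limit")
    return names
```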

WKnak commented 8 years ago

Another suggestion is to allow generation of a single cert for all domains and aliases of the same client.

alexalouit commented 8 years ago

Hi. First, thanks for your support.

I don't think a single cert for all vhosts/clients is a good idea. ISPConfig supports multiple servers; one client could have multiple vhosts on multiple servers, mirrored or not (#5). It would be very hard to manage.

As for IP-based certs, Let's Encrypt doesn't support them.