nickjj / ansible-letsencrypt

Install and auto-renew SSL certificates with Let's Encrypt and Ansible.
MIT License
29 stars 9 forks

Different certfiles for different domainnames? #1

Open ScuttleSE opened 7 years ago

ScuttleSE commented 7 years ago

If I understand this role correctly, if I have multiple domains in `letsencrypt_domains`, i.e. `letsencrypt_domains: [ example.com, example2.com ]`, it will create one cert that is valid for both domains.

Is there an easy way to instead create separate certs for each domain, besides running the role multiple times and setting `letsencrypt_domains` in the playbook?

nickjj commented 7 years ago

You could make a list of lists and have the role go through that in a loop.

But if you're going through the trouble of wanting to keep domains separate, I would set `letsencrypt_domains` at the inventory/playbook level for each domain.
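The list-of-lists loop suggested above, written out as an added example (it is not part of this thread and not code from the role). It assumes the role is installed under the name `nginx-letsencrypt` that is used later in this issue, and the variable `letsencrypt_domain_groups` is made up for the example. Each loop iteration runs the whole role once with `letsencrypt_domains` set to one group, so it is equivalent to listing the role several times in the playbook, just driven from one variable:

```yaml
# Added example, not from the original thread or the role.
# Assumed: the role is available as "nginx-letsencrypt" and reads
# letsencrypt_domains; letsencrypt_domain_groups is an invented variable.
- hosts: proxy_server
  vars:
    letsencrypt_domain_groups:
      - [example.org, www.example.org]
      - [example.se, www.example.se]
      - [example.com]
  tasks:
    - name: Request one certificate per domain group
      include_role:
        name: nginx-letsencrypt
      vars:
        # Each iteration sees only its own group, so every certificate
        # carries only the names of that group.
        letsencrypt_domains: "{{ item }}"
      loop: "{{ letsencrypt_domain_groups }}"
```

Whether the role can be run several times against one host without the later runs overwriting the earlier certificate depends on how the role names its output files; the separate-role-entries playbook at the end of this thread is reported to work, and this loop exercises the role in the same way.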

ScuttleSE commented 7 years ago

Ah, well, the thing is that I have one nginx-server that acts as a reverse proxy for several applications behind that, so I serve about half a dozen or so different domains from one nginx-server.

Just doing separate lines in the playbook works, but something neater would be nice :)

> You could make a list of lists and have the role go through that in a loop.

Hm, so something like this in the playbook would work?

```yaml
letsencrypt_domains:
  - [example.com]
  - [example2.com]
  - [example3.com]
```

nickjj commented 7 years ago

I have the same set up as you.

What I did was configure nginx to use the same certificate for each of those sites (my nginx role lets you override the certificate name).

Would that work for you instead of going down the route of separate LE runs?

ScuttleSE commented 7 years ago

Well, yeah, that would work, but wouldn't that mean that if you look at the cert for example.com, you can see that it is also valid for example2.com, example3.com etc?

nickjj commented 7 years ago

Yes, if someone inspected your certificate you would see each domain.
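A check a practitioner would want after issuing per-group certificates: confirm that each certificate's Subject Alternative Name list contains exactly the names of its own group and nothing else, which is the property the question above is about. This is an added example, not part of the thread or of the role; it uses the `community.crypto.x509_certificate_info` module, the `letsencrypt_domain_groups` variable is invented, and `cert_dir` is a placeholder because the thread does not say where the role stores the issued files:

```yaml
# Added example, not from the original thread or the role.
# Assumed: community.crypto is installed; cert_dir is a placeholder for
# wherever the role writes each certificate; letsencrypt_domain_groups is
# the same invented grouping used when the certificates were requested.
- hosts: proxy_server
  vars:
    letsencrypt_domain_groups:
      - [example.org, www.example.org]
      - [example.se, www.example.se]
    cert_dir: /path/to/certs   # placeholder, adjust to the role's layout
  tasks:
    - name: Read each group's certificate
      community.crypto.x509_certificate_info:
        path: "{{ cert_dir }}/{{ item[0] }}/fullchain.pem"
      loop: "{{ letsencrypt_domain_groups }}"
      register: cert_info

    - name: Fail if a certificate names domains outside its group
      assert:
        that:
          # subject_alt_name entries look like "DNS:example.org"; strip the
          # prefix and compare the sorted set with the group that was requested.
          - (r.subject_alt_name | map('regex_replace', '^DNS:', '') | sort) == (r.item | sort)
        fail_msg: "{{ r.item[0] }}: SAN {{ r.subject_alt_name }} does not match {{ r.item }}"
      loop: "{{ cert_info.results }}"
      loop_control:
        loop_var: r
```

The assert fails if a certificate silently picked up names from another group (for example because a shared certificate was issued after all), which is exactly the exposure discussed above.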

ScuttleSE commented 7 years ago

Mm...that's something I would like to avoid, but just running the role multiple times isn't a real problem, so I'll stick with that for now :)

ScuttleSE commented 7 years ago

This setup works just fine, FYI:

```yaml
- hosts: proxy_server
  roles:
    - role: nginx-letsencrypt
      letsencrypt_domains: [example.org, www.example.org]
    - role: nginx-letsencrypt
      letsencrypt_domains: [example.se, www.example.se]
```