[GTALUG] SSL Certs for both web and email servers

William Witteman wwitteman at gmail.com
Thu Dec 3 14:14:24 EST 2020


Thanks for your help!

I have not yet set the redirects from http -> https, but the result
was achieved *much* more easily than I would have expected.

I have an existing cert that I set up as a standalone, which dovecot
has been using happily for a few years.  I did not know that I could
expand what that cert covers, but the good people at EFF have made
this very easy.

I used this command and it Just Worked(TM):

sudo certbot \
  -d comma,separated,list,of,each,domain,and,subdomain,including,the,ones,already,in,place \
  --expand

And after a moment, all of my domains and subdomains are under the
single umbrella that I already had.

Note that the above list includes three different domains and a half
dozen subdomains, all of which seem to just work now.

Thanks again!

On Tue, 1 Dec 2020 at 06:37, ac via talk <talk at gtalug.org> wrote:
>
> On Tue, 1 Dec 2020 03:34:06 -0500
> John Sellens via talk <talk at gtalug.org> wrote:
> > On Tue, 2020/12/01 08:16:49AM +0200, ac via talk <talk at gtalug.org> wrote:
> > | > I have three domains and a small but invariant number of
> > | > subdomains that I want to encrypt - should I try to pull them all
> > | > under one SSL cert, or do one for each domain, or one for every
> > | > subdomain?  I don't need a wildcard, but I would like something
> > | > relatively painless if possible.
> > |
> > | yes, in your case, and for painless and easy, just use the domain
> > | name and one cert. so, instead of mail.example.com and
> > | www.example.com - just use example.com.
> >
> > I think that might cause client complaints in some cases.
> >
> imho i do not think with three domains this will be an issue.
>
> what is the point of having mail.example.com if the IP number for
> mail.example.com is the same as example.com ? the same can be asked
> about imap.example.com and pop.example.com etc.
>
> This is just wasteful and increases the risk of issues, adds complexity
> and does not serve any "real" technical, logical or functional purpose.
>
> The reason why mail.example.com used to be prevalent - pre container -
> was because mail.example.com - was at a different IP number / different network
> even...
>
> And, actually even if you had 100 domains on one server: reducing
> complexity, reducing the amount of DNS lookups and reducing pebcac,
> reducing comms, reducing traffic, reducing load and reducing wastage -
> means:
>
> You are making it easier for clients
>
> And : You are even saving cycles, saving electricity, saving network
> traffic and TOOOTEROOO:
>
> Saving the planet
>
> in case you did not know: In 2020 - 2030 - we will still get the vast
> majority of our power from non sustainable fossil sources. so, we
> should all try to be less wasteful, mind you, now with Alaska being
> strip mined and auction sold, the planet has a lot more to waste.
>
> > I think letsencrypt now provides wildcard certifications, but you
> > can use multiple -d options when creating or updating a certificate
> > e.g.
> >
> >   certbot certonly \
> >     --non-interactive \
> >     --expand \
> >     --webroot \
> >     -w /var/www/html/letsencrypt \
> >     --cert-name www.example.com \
> >     -d example.com \
> >     -d mail.example.com \
> >     -d blog.example.com
> > And then the one certificate is valid for all those names.
> >
> a small number of invariant sub domains usually means
> www.example.com, pop.example.com, mail.example.com,
> imap.example.com and in this case - x3 domains
>
> but, one could also wildcard (*) just simply -d *.example.com and add
> _acme-challenge TXT record to example.com dns zone
> (auth: preferred-challenges=dns - when you apply for cert)
>
> depending on your resources and very importantly, your dns servers
> timeouts, rate_limits and other issues, there could be pain/risk with
> multiple/many -d every 90 days
>
> > Hope that helps - letsencrypt is really remarkably convenient.
> >
> indeed it is.
>
> > John
> > ---
> > Post to this mailing list talk at gtalug.org
> > Unsubscribe from this mailing list
> > https://gtalug.org/mailman/listinfo/talk
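As an added example (not code from William, John or ac, nor from certbot itself), the following Python script does the check a practitioner would want after an --expand like the ones above: it reads the subjectAltName list of a certificate, reports which of the hostnames you actually serve are not covered, and builds the single certbot invocation that would close the gap. The certificate is a constructed dict in the shape returned by ssl.SSLSocket.getpeercert(), so the script runs offline; fetch_peercert() shows how to get the real one from a live server. The wildcard handling follows the usual single-label rule (*.example.net covers imap.example.net but neither example.net nor a.b.example.net), and, as ac notes in the thread, a wildcard name switches the command to the DNS challenge instead of the webroot plugin. Hostnames and the webroot path are assumed sample values.

```python
"""Check whether a certificate's subjectAltName covers every hostname you
serve, and build the certbot --expand command for any names it misses.
Added example for this thread, not code from any of the posters."""
import socket
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): a cert that
# already covers two names on example.com plus a wildcard for example.net.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "mail.example.com"),
        ("DNS", "*.example.net"),
    ),
}


def san_names(peercert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Single-label wildcard match: '*.example.net' covers 'imap.example.net'
    but not the bare 'example.net' and not 'a.b.example.net'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        _first, sep, rest = host.partition(".")
        return sep == "." and rest == pattern[2:]
    return pattern == host


def missing_names(required, peercert):
    """Hostnames in `required` that no SAN entry covers (input order kept)."""
    sans = san_names(peercert)
    return [h for h in required if not any(name_matches(p, h) for p in sans)]


def certbot_expand_command(cert_name, names, webroot="/var/www/html/letsencrypt"):
    """Build one certbot invocation that re-issues the certificate called
    `cert_name` for all of `names`. Names already on the cert must be listed
    again (as William's comma-separated list does), because the new
    certificate holds only the names you pass. A wildcard cannot be validated
    over HTTP, so its presence selects the DNS challenge instead of webroot."""
    cmd = ["certbot", "certonly", "--non-interactive", "--expand",
           "--cert-name", cert_name]
    if any(n.startswith("*.") for n in names):
        cmd += ["--manual", "--preferred-challenges", "dns"]
    else:
        cmd += ["--webroot", "-w", webroot]
    for n in names:
        cmd += ["-d", n]
    return cmd


def fetch_peercert(host, port=443, timeout=5):
    """Fetch the live certificate of `host` in getpeercert() form.
    Not called by the offline demonstration below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Sample set of names one server might answer for (constructed).
    wanted = ["example.com", "www.example.com", "mail.example.com",
              "imap.example.net", "example.net"]
    gaps = missing_names(wanted, SAMPLE_PEERCERT)
    print("not covered by the current cert:", gaps)
    if gaps:
        full_list = san_names(SAMPLE_PEERCERT) + gaps
        print(" ".join(certbot_expand_command("example.com", full_list)))
```

Run against the sample, the script reports www.example.com and example.net as uncovered: the first because there is no wildcard for example.com, the second because a wildcard never matches its own parent name. The printed command keeps every existing SAN and adds the two gaps; since the existing list contains *.example.net it selects the DNS challenge, which is why ac's remark about the _acme-challenge TXT record applies to that setup and not to John's pure webroot example.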