Server Certificate Manager

Feature
1

Hello to all,

Because I’m also a “Zentyal refugee” I must refer to another facility that not exist on NS: Server Certificate Manager.
Zentyal generate certificates for the main domain and also for every virtual domain that you create on the server (email domains in my case).

The certificate issued by NS is only for the main/initial Server name (hostname and domain) and works perfect.

But in case (my case) that you have other domains (email domains), the certificate is not valid (please see the images below).

Can Let’s Encrypt make this possible ?

"When Let’s Encrypt is enabled, the system will create and automatically renew:

- one certificate for server FQDN
- all enabled server alias will be added as SAN (https://en.wikipedia.org/wiki/SubjectAltName) to the FQDN certificate
- one certificate for each domain enabled inside the certificates database"

If YES, HOW?
What it means ***“inside the certificates database”***?

If NO, there is a workaround for this? HOW?

TIA,
Gabriel

0_Virtual Domains.PNG1280×1024 76.8 KB

0_CA.PNG1280×1024 85.8 KB

0_NS main host.PNG1280×1024 74 KB

0_NS virtual host.PNG1280×1024 87.5 KB

1 Like
2

You should refer to this wiki page: http://wiki.nethserver.org/doku.php?id=developer:letsencrypt

See “Certificate for server alias (optional)” section :wink:

3

Hi Giacomo,

Thank you for your answer.

I read what you wrote there but there are two different things (or not?):

  • server alias(es)
  • each domain enabled inside the certificates database

I thought that is not about server alias(es) because the virtual domains are not aliases for main domain (are not in NS → DNS → Server alias), there are individual/different domains. Or is it really about it and I misunderstand?

In this case, all email domains created in NS → Email → Domains will be “seen” by Let’s Encrypt as “server aliases” as is write here: “The FQDN certificate can be extended to be valid also for extra domains configured as server alias. This feature is called SubjectAltName (SAN)” and all those domains are “enabled inside the certificates database”?

EDIT:

I must to add all email domains also in NS → DNS → Server alias as is write here: “Create a server alias inside the DNS page, then enable Let’s Encrypt on the newly created record.” ?

But this will be OK? Will be not generate errors?

Sorry for those questions but I try to learn and understand.

TIA,
Gabriel

4

Basically you have two options:

  1. one certificate valid for one or more hostnames

  2. one certificate for each domain

  3. uses SAN, I choose it when I have different names for a server, like mail.example.org and server.example.org

  4. uses SNI. you will have many certificates, one for every host, that you should assign to relevant services

AFAIK, support for 2. has been removed from the package.
I think you need 2., we need to understand how to put back the code.
Am I right?

5

Hi Filippo,

Yes, you are right, I think I need 2.

The server is “mail.emailhosting.abt.ro”. On this server, are hosted different email domains which are not aliases for “mail.emailhosting.abt.ro”.
All domains are registered on our external DNS server (ns1.abt.ro) as FQDNs.

I think this will be usefull also for web hosting (let’s say “www.webhosting.abt.ro” with many www domains).

BR,

Gabriel