Wildcard Lock Certificates #129

Open
jasongill opened this issue May 30, 2020 · 5 comments
Labels
enhancement New feature or request

Comments

@jasongill

We have one domain with a lot (hundreds) of subdomains like customername.blognetwork.com which is used for users to access their blog login before they have pointed a CNAME to us; users then each have their own domain like myblog.customername.com. We use lets-proxy2 to listen on :443 at the IP that all of the *.blognetwork.com and customer sub-domains share, and it works well to issue certificates.

The problem we've run into is that since lets-proxy2 just re-issues a new certificate for each subdomain, we run into the 50 subdomain limit from lets-encrypt quickly and most users can't use customername.blognetwork.com to log in. Using their real subdomain is fine (but they have to set it up first, which can be troublesome).

Previously we used a hack I wrote (see #125 ) to force a fallback wildcard certificate (from a commercial certificate vendor) to be used, but I want to do away with this hack. I see the lock certificates feature you created and it works well to load our commercial certificate - but we must duplicate the wildcard certificate (and lock file) for each customer subdomain, it cannot be done automatically/dynamically.

Would it be possible to add support for wildcard lock certificates? This way, we could just "lock" the entire *.blognetwork.com domain to use the commercial wildcard certificate, instead of having to make customer1.blognetwork.com.lock, customer2.blognetwork.com.lock, etc.

I am happy to contribute a small amount of $ to help get this feature added if needed. Thank you!

@rekby
Owner

rekby commented May 30, 2020

If you have a commercial wildcard certificate, why do you need lets-proxy?

You can use nginx with the wildcard.

@jasongill
Author

Because we also host customer domains that we don't / can't buy commercial certificates for. Basically we have 1 domain that we want to use a wildcard certificate (lock) with, and all other domains go through letsencrypt. We have the customers just set

myblog CNAME customername.blognetwork.com

in their DNS, so that their blog works on either myblog.customerdomain.com (SSL with letsencrypt) or, as a secondary / for getting started, at customername.blognetwork.com (SSL with the commercial *.blognetwork.com certificate, since letsencrypt limits to 50 subdomains and lets-proxy2 doesn't request wildcards from letsencrypt).

@rekby
Owner

rekby commented May 30, 2020

Yes, I understand your scenario.

I will think about how to make a simpler interface for it.

@rekby rekby added the enhancement New feature or request label May 30, 2020
@rekby
Owner

rekby commented Jul 3, 2020

I have thought about a solution.
It will be regexp replace rules: you will be able to replace the certificates of all your subdomains with one certificate name.
It can be issued as a wildcard and saved with the .lock flag so that lets-proxy doesn't re-issue it.
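
The regexp-replace idea rekby describes above, written out as an added example so the mapping and its main pitfall are concrete. This is not lets-proxy2's own code: the `Rule` shape, `CertNameForHost` and `CoversHost` are hypothetical names, and the self-signed `*.blognetwork.com` certificate is constructed inline to stand in for the commercial one. A requested SNI hostname is rewritten by the first matching rule to a single certificate name (the wildcard), while hosts no rule matches keep their own name so normal per-host issuance is unaffected. The second function is the check a practitioner wants before serving a locked certificate under a rewritten name: the certificate's SANs must actually cover the original host, or a sloppy regexp (for example one that also matches `a.b.blognetwork.com`, which a single-label wildcard does not cover) would serve a name-mismatched certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Rule rewrites a requested hostname to the name of the certificate that
// should serve it. Hypothetical configuration shape, not lets-proxy2's own.
type Rule struct {
	Pattern *regexp.Regexp
	Replace string
}

// CertNameForHost returns the certificate name that the first matching rule
// maps host to, or host itself when no rule matches, so hosts outside the
// locked domain still get their own (Let's Encrypt) certificate.
func CertNameForHost(host string, rules []Rule) string {
	for _, r := range rules {
		if r.Pattern.MatchString(host) {
			return r.Pattern.ReplaceAllString(host, r.Replace)
		}
	}
	return host
}

// CoversHost reports whether the certificate's SAN entries cover the
// originally requested hostname. Go's matcher treats "*.example.com" as
// covering exactly one DNS label, so "a.b.example.com" is rejected.
func CoversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// selfSignedWildcard builds a throwaway wildcard certificate for this example.
// It is constructed here and stands in for the commercial *.blognetwork.com
// certificate that a .lock file would point at.
func selfSignedWildcard(pattern string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: pattern},
		DNSNames:     []string{pattern},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// rules maps every single-label subdomain of blognetwork.com onto the one
// wildcard certificate name; deeper names and other domains fall through.
var rules = []Rule{
	{Pattern: regexp.MustCompile(`^[^.]+\.blognetwork\.com$`), Replace: "*.blognetwork.com"},
}

func main() {
	wild, err := selfSignedWildcard("*.blognetwork.com")
	if err != nil {
		panic(err)
	}
	// Constructed sample hostnames: a locked subdomain, a two-label subdomain
	// the wildcard cannot cover, and a customer's own domain.
	for _, host := range []string{
		"customer1.blognetwork.com",
		"a.b.blognetwork.com",
		"myblog.customerdomain.com",
	} {
		name := CertNameForHost(host, rules)
		fmt.Printf("%-28s -> %-20s wildcard covers host: %v\n", host, name, CoversHost(wild, host))
	}
}
```

The rule is anchored with `^` and `$` and matches only one label before `.blognetwork.com`; a looser pattern would rewrite `a.b.blognetwork.com` to the wildcard name even though `CoversHost` shows the certificate does not cover it. Running the name check at lookup time turns that configuration mistake into a visible failure instead of a TLS name mismatch for the user.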

@jasongill
Author

Yes, that would be great if we could have regex for the lock files! Thank you!
