-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
subject alternative names (no vhosting) #243
Comments
Could you given an example, like with |
Suppose I have a machine "minion123.example.com" and a CNAME "www.example.com" pointing to it:
The machine is running a single, non-vhosted webserver, and normally it would be accessed as "https://www.example.com". But I also want "https://minion123.example.com" to work. I do this by requesting a certificate for "www.example.com" with "minion123.example.com" as additional Subject Alternative Name. The corresponding config file for openssl would contain
and the certificate would contain
How do I tell mod_md that I want this? I had hoped that
would do the trick - even though "minion123" is nowhere else mentioned in the Apache configuration. |
If you do not use virtual hosts, you might need to configure Usually, mod_md does not mess with the base server configuration, only the virtual hosts. That may be the cause here. Otherwise, one can add other DNS names (CNAME or A does not matter) to an If the problem persists, you'll find a file |
Sorry, I missed
The details from
Two TXT records are created. I am not sure if the second (BTW: I wrongly assumed, that for one certificate only one challenge is needed, but a little more thinking made me realize, that of course Let's Encrypt needs to check every SAN. When you know it, it's obvious...) |
Thanks for the details. This seems to indicate that Let's Encrypt is not happy with the TXTs it sees. (The CNAME appears everywhere as the module uses the first DNS name as the name of the whole thing, e.g. the I think you should look and ask around at https://community.letsencrypt.org where there are a many helpful people who have more experience in the DNS challenges than me. |
Thanks, I'll try to investigate further. We have used this scenario successfully with acme.sh in our environment, though. |
Maybe the order of challenge setup and verification is different with acme.sh. As you see in the logs, mod_md does the setup for all domains and then monitors the status at LE. The AUTHZ state 3 means |
Closed as being stale. |
I'd like to register a hostname with its FQDN and a more user friendly CNAME in one certificate, no vhosting involved, using DNS challenge. I can request certificates for either the FQDN or the CNAME, but not both. I tried
ServerName CNAME
MDomain CNAME FQDN manual
but this generates two challenges (i.e. two TXT records), not one. As far as I can see, Let's Encrypt challenges only FQDN and fails. In our environment, both _acme-challenge.FQDN and _acme-challenge.CNAME point to a third host that has the sole purpose of collecting ACME-DNS challenges, so both TXT records should be visible for either challenge (this method is known to work with e.g. acme.sh).
The text was updated successfully, but these errors were encountered: