
Support multiple certs in configuration

Open alabiaga opened this issue 5 years ago • 10 comments

Currently amppackager has support for only one cert file. For a multi-domain web property, e.g. example.org, subdomain.example.org and example.uk, setting up amppackager would mean creating a config for every subdomain or TLD. The amppkg.toml should allow for setting the mapping of cert file to supported domains. An example of this is:

CertFile = '.../global-cert.pem'
KeyFile =  '.../global-key.pem'
...

    [[URLSet]]
      [URLSet.Sign]
        CertFile = '.../cert-0.pem' # Override the global CertFile
        KeyFile = '.../privkey-0.pem' # Override the global KeyFile
        Domain = 'example.org'
        ...
    [[URLSet]]
      [URLSet.Sign]
        CertFile = '.../cert-1.pem' # Override the global CertFile
        KeyFile = '.../privkey-1.pem' # Override the global KeyFile
        Domain = 'example.uk'
        ...
    [[URLSet]]
      [URLSet.Sign]
        # Use the global CertFile and KeyFile
        Domain = 'example.org'
        ...

alabiaga avatar Oct 30 '19 16:10 alabiaga

cc @twifkak Let me know if this is what you had in mind in our discussions.

alabiaga avatar Oct 30 '19 16:10 alabiaga

Yes, this is what I had in mind! I'm guessing for the initial implementation of this feature, it wouldn't have ACME support. @banaag is landing #349 which adds ACME support, but scaling that to handle N certificates would require a significant restructuring of the code.

twifkak avatar Oct 30 '19 18:10 twifkak

Definitely possible to support this feature with ACME, but as @twifkak mentioned above, it will require a significant amount of changes.

banaag avatar Oct 30 '19 19:10 banaag

Are multiple certificates absolutely necessary? I'm not sure if this will apply in this case, but a cert can typically cover multiple domains, and even span different TLDs. (And I think amppackager supports this.) The same Google cert is used for google.com, google.nl and android.com, for example.

[Screenshot, 2019-10-30: certificate details]

Different organizations should perhaps not share the same amppackager instance anyway, to keep their private keys as far away from each other as possible.

ithinkihaveacat avatar Oct 30 '19 20:10 ithinkihaveacat
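
The two points above, the proposed per-URLSet override with fallback to the global CertFile/KeyFile, and the observation that one multi-SAN cert already covers several domains, can be checked together at config-load time. The following is an added example and not amppackager's own code: the struct names (SignConfig, Config, Signer), the file names, and the self-signed test certificate are assumptions made here for illustration, using only the Go standard library. It resolves which cert/key pair each URLSet ends up with, rejects a half override (cert without key), and verifies that a loaded certificate's SANs actually cover the URLSet's Domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// SignConfig mirrors the proposed [URLSet.Sign] table: CertFile/KeyFile are
// optional per-URLSet overrides of the global pair. Hypothetical struct names,
// not amppackager's own config types.
type SignConfig struct {
	Domain   string
	CertFile string // empty means "use the global CertFile"
	KeyFile  string // empty means "use the global KeyFile"
}

// Config holds the global CertFile/KeyFile plus the URLSet entries.
type Config struct {
	CertFile string
	KeyFile  string
	URLSets  []SignConfig
}

// Signer is the effective certificate/key pair chosen for one domain.
type Signer struct {
	Domain   string
	CertFile string
	KeyFile  string
}

// Resolve applies the override-or-fallback rule from the proposal. It rejects
// a half override (CertFile without KeyFile or vice versa): falling back to
// only one half of the global pair would pair a key with the wrong cert.
func Resolve(c Config) ([]Signer, error) {
	if c.CertFile == "" || c.KeyFile == "" {
		return nil, fmt.Errorf("global CertFile and KeyFile are required")
	}
	out := make([]Signer, 0, len(c.URLSets))
	for _, u := range c.URLSets {
		if u.Domain == "" {
			return nil, fmt.Errorf("URLSet without Domain")
		}
		if (u.CertFile == "") != (u.KeyFile == "") {
			return nil, fmt.Errorf("URLSet %q: override CertFile and KeyFile together", u.Domain)
		}
		s := Signer{Domain: u.Domain, CertFile: c.CertFile, KeyFile: c.KeyFile}
		if u.CertFile != "" {
			s.CertFile, s.KeyFile = u.CertFile, u.KeyFile
		}
		out = append(out, s)
	}
	return out, nil
}

// CertCoversDomain is the startup check that belongs next to Resolve: the cert
// loaded for a URLSet must list that URLSet's Domain among its SANs. A single
// multi-SAN cert passes for every domain it names, so a per-domain override is
// only needed when a publisher's certs really are split per domain.
func CertCoversDomain(cert *x509.Certificate, domain string) error {
	return cert.VerifyHostname(domain)
}

// selfSignedCert builds a throwaway ECDSA leaf with the given SANs. Constructed
// test data only; a real SXG cert also needs the CanSignHttpExchanges extension
// and a short validity period, neither of which is checked here.
func selfSignedCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cfg := Config{ // file names are placeholders
		CertFile: "global-cert.pem", KeyFile: "global-key.pem",
		URLSets: []SignConfig{
			{Domain: "example.org", CertFile: "cert-0.pem", KeyFile: "privkey-0.pem"},
			{Domain: "example.uk", CertFile: "cert-1.pem", KeyFile: "privkey-1.pem"},
			{Domain: "subdomain.example.org"}, // no override: global pair
		},
	}
	signers, err := Resolve(cfg)
	if err != nil {
		log.Fatal(err)
	}
	for _, s := range signers {
		fmt.Printf("%-22s -> %s / %s\n", s.Domain, s.CertFile, s.KeyFile)
	}
	// One cert spanning two TLDs, like the google.com/google.nl case above.
	multi, err := selfSignedCert([]string{"example.org", "example.uk"})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("example.uk covered:", CertCoversDomain(multi, "example.uk") == nil)
	fmt.Println("example.nl covered:", CertCoversDomain(multi, "example.nl") == nil)
}
```

Resolve only decides which files to use; the SAN check must run on the parsed certificate after loading, for every resolved domain, so a misconfigured override fails at startup rather than at the first signing request.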

@ithinkihaveacat Thanks for sharing, Michael, that is a good point. There is a lack of context in the filing of this issue, but basically a publisher can have different certificates for the multiple TLDs and subdomains that it owns, distributed through different CDNs. I am not familiar with multi-certificate and CDN strategies or why this is the case, but we are basically trying to cover that scenario.

alabiaga avatar Oct 30 '19 20:10 alabiaga

@cpapazian Is #374 still a blocker? We noticed your org's web properties have a cert issued by DigiCert. Are there multiple certs being used from DigiCert to cover different domains, or just one to rule them all? Thanks

alabiaga avatar Nov 22 '19 02:11 alabiaga

We use one certificate for all country subdomains and TLDs. We haven't acquired the certificate yet, but plan on using the same configuration that we use for our web properties.

cpapazian avatar Nov 22 '19 02:11 cpapazian

Note that a fix is in #374, pending my review. Just got back from a 2-week trip to Singapore/Bali; pardon the delay.

twifkak avatar Dec 05 '19 22:12 twifkak

Also note that a workaround, in the interim, is to run different amppkg instances with different configs.

twifkak avatar Dec 05 '19 23:12 twifkak

@twifkak No problem, note that I still need to make changes to this, given the changes from #361. I will note it on the PR. Thanks

alabiaga avatar Dec 05 '19 23:12 alabiaga