
Multiple domain validation

Open gagath opened this issue 7 years ago • 3 comments

Thanks for this role, I have managed to run this and have certbot to generate SSL stuff. Great.

I understand that I can run multiple subdomains validation with the following:

- role: jaywink.letsencrypt
  letsencrypt_domain: domain1.example.com
  letsencrypt_email: [email protected]
- role: jaywink.letsencrypt
  letsencrypt_domain: domain1.example.com
  letsencrypt_email: [email protected]

However this is going to go each time through the whole process of updating certbot and then requesting validation. What I think could be implemented is something like this:

- role: jaywink.letsencrypt
  letsencrypt_entries:
    - letsencrypt_domain: domain1.example.com
      letsencrypt_email: [email protected]
    - letsencrypt_domain: domain2.example.com
      letsencrypt_email: [email protected]
    - letsencrypt_domain: domain3.example.com
      letsencrypt_email: [email protected]

gagath avatar Jun 05 '17 07:06 gagath

I have managed to create a small prototype on a fork branch: https://github.com/MicroJoe/ansible-letsencrypt/tree/feature/multiple-domains

However all the specified domains are going to be in the same certificate as alternative names. This brings privacy issues since all subdomains where the certificate applies can be extracted from the certificate. Using the multiple roles may be the way to go in case you do not want to share all of your subdomains in a certificate.

gagath avatar Jun 05 '17 08:06 gagath

Hey @MicroJoe !

I tend to agree having many domains in one certificate would not be the best way to go. Also it makes it difficult to know then what the path to the certificate is, if referring to them from web server configuration from many virtualhosts.

I love the idea of supporting multiple domains though! How about making the certbot command run through a loop, thus creating/renewing a cert for each domain in the list?

Does your use case require separate registration emails for each domain?

jaywink avatar Jun 05 '17 19:06 jaywink
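One way to implement the per-domain loop suggested above, as an added example that is not the role's own code: each entry gets its own certbot run, so every domain ends up in a separate certificate with its own registration email. The host group, webroot path and email addresses are assumed placeholders.

```yaml
# Added example, not part of jaywink.letsencrypt. Assumes certbot is already
# installed and that the web server serves /.well-known/acme-challenge/ from
# the webroot below (hypothetical path).
- name: Request one Let's Encrypt certificate per domain
  hosts: web                                  # assumed host group
  become: true
  vars:
    letsencrypt_webroot: /var/www/letsencrypt  # assumed path
    letsencrypt_entries:                       # constructed sample entries
      - letsencrypt_domain: domain1.example.com
        letsencrypt_email: admin@example.com
      - letsencrypt_domain: domain2.example.com
        letsencrypt_email: admin@example.com
      - letsencrypt_domain: domain3.example.com
        letsencrypt_email: other@example.com
  tasks:
    - name: Ensure the ACME webroot exists
      file:
        path: "{{ letsencrypt_webroot }}"
        state: directory
        mode: "0755"

    # One certbot run per entry: no SAN bundling, so a certificate for one
    # host does not list the others (hostnames still appear in Certificate
    # Transparency logs, but not in each other's certificates).
    - name: Obtain a certificate for each domain
      command: >
        certbot certonly --non-interactive --agree-tos
        --webroot --webroot-path {{ letsencrypt_webroot }}
        --email {{ item.letsencrypt_email }}
        -d {{ item.letsencrypt_domain }}
      args:
        # certbot writes live certs here; skip domains already issued so
        # the play is idempotent and does not hit rate limits.
        creates: "/etc/letsencrypt/live/{{ item.letsencrypt_domain }}/fullchain.pem"
      loop: "{{ letsencrypt_entries }}"
      loop_control:
        label: "{{ item.letsencrypt_domain }}"

    # Renewal is a separate concern from issuance: let certbot renew whatever
    # is due, for all domains, on a schedule.
    - name: Schedule certificate renewal
      cron:
        name: certbot renew
        minute: "0"
        hour: "3"
        job: "certbot renew --quiet"
```

With one certificate per domain, each virtualhost can point at its own `/etc/letsencrypt/live/<domain>/` path, which addresses the configuration concern raised above.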

Hey, I have implemented this behavior in the branch I mentioned in my second post. It is working, you can check it (but I had to not support the automatic www feature because I did not need it and I think it is an awful feature :wink:).

gagath avatar Jun 14 '17 21:06 gagath