ansible-letsencrypt
Multiple domain validation
Thanks for this role, I have managed to run this and have certbot to generate SSL stuff. Great.
I understand that I can run multiple subdomains validation with the following:
```yaml
- role: jaywink.letsencrypt
  letsencrypt_domain: domain1.example.com
  letsencrypt_email: [email protected]
- role: jaywink.letsencrypt
  letsencrypt_domain: domain2.example.com
  letsencrypt_email: [email protected]
```
However this is going to go each time through the whole process of updating certbot and then requesting validation. What I think could be implemented is something like this:
```yaml
- role: jaywink.letsencrypt
  letsencrypt_entries:
    - letsencrypt_domain: domain1.example.com
      letsencrypt_email: [email protected]
    - letsencrypt_domain: domain2.example.com
      letsencrypt_email: [email protected]
    - letsencrypt_domain: domain3.example.com
      letsencrypt_email: [email protected]
```
I have managed to create a small prototype on a fork branch: https://github.com/MicroJoe/ansible-letsencrypt/tree/feature/multiple-domains
However all the specified domains are going to be in the same certificate as alternative names. This brings privacy issues since all subdomains where the certificate applies can be extracted from the certificate. Using the multiple roles may be the way to go in case you do not want to share all of your subdomains in a certificate.
Hey @MicroJoe !
I tend to agree having many domains in one certificate would not be the best way to go. Also it makes it difficult to know then what the path to the certificate is, if referring to them from web server configuration from many virtualhosts.
I love the idea of supporting multiple domains though! How about making the certbot command run through a loop, thus creating/renewing a cert for each domain in the list?
Does your use case require separate registration emails for each domain?
Hey, I have implemented this behavior in the branch I mentioned in my second post. It is working, you can check it (but I had to not support the automatic www feature because I did not need it and I think it is an awful feature :wink:).
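The per-domain loop discussed above, written out as an added example (not the role's own tasks and not the fork's code): one `certbot certonly` run per `letsencrypt_entries` item, so each domain gets its own certificate and no SAN list discloses the other hostnames, followed by a check that each issued certificate really carries only its own name. `letsencrypt_webroot` is an assumed variable; the role's actual variable names may differ.

```yaml
# Added example, not from jaywink.letsencrypt. Assumes:
#   letsencrypt_entries: list of {letsencrypt_domain, letsencrypt_email}
#   letsencrypt_webroot: document root served on port 80 for HTTP-01 (assumed name)
- name: Obtain or renew one certificate per domain (no shared SAN list)
  ansible.builtin.command: >
    certbot certonly --non-interactive --agree-tos
    --webroot -w {{ letsencrypt_webroot }}
    --email {{ item.letsencrypt_email }}
    -d {{ item.letsencrypt_domain }}
    --keep-until-expiring
  loop: "{{ letsencrypt_entries }}"
  loop_control:
    label: "{{ item.letsencrypt_domain }}"
  register: certbot_result
  # certbot prints this line and exits 0 when the cert is still valid
  changed_when: "'not yet due for renewal' not in certbot_result.stdout"

# Defender check: confirm each cert exposes only its own hostname.
# Requires OpenSSL 1.1.1+ for the -ext option.
- name: Read subjectAltName of each issued certificate
  ansible.builtin.command: >
    openssl x509 -noout -ext subjectAltName
    -in /etc/letsencrypt/live/{{ item.letsencrypt_domain }}/cert.pem
  loop: "{{ letsencrypt_entries }}"
  loop_control:
    label: "{{ item.letsencrypt_domain }}"
  register: san_result
  changed_when: false

- name: Fail if a certificate lists more than one DNS name
  ansible.builtin.assert:
    that:
      - san.stdout | regex_findall('DNS:') | length == 1
      - "'DNS:' ~ san.item.letsencrypt_domain in san.stdout"
    fail_msg: "Unexpected SAN entries for {{ san.item.letsencrypt_domain }}: {{ san.stdout }}"
  loop: "{{ san_result.results }}"
  loop_control:
    loop_var: san
    label: "{{ san.item.letsencrypt_domain }}"
```

The certificate path is then simply `/etc/letsencrypt/live/<domain>/`, which resolves the virtualhost-reference concern raised in the thread.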