
Multi-Domain (SAN) Certificates

Open bob0627 opened this issue 9 years ago • 18 comments

Is it possible to create a cert that includes all domains (Multi-Domain (SAN) Certificates)? A cert that includes not only the main domain but also the other domains, all in one user's account? Of course the domain pointers are also included.

I have a server that has 5 IPs; I assign 4 IPs to 4 different users, each of them has multiple domains but only one dedicated IP, and SNI is not very friendly at the moment. So a SAN/UCC cert is needed.

bob0627 avatar Jan 07 '16 14:01 bob0627

Why is SNI not very "friendly"? But this isn't possible at the moment and also not planned. I've added it to the future milestone (a wishlist).

Wouter0100 avatar Jan 07 '16 14:01 Wouter0100

About 30% of my visitors are still using Windows XP, which does not support SNI; I'm afraid Windows XP may live for another 5 years.

bob0627 avatar Jan 07 '16 14:01 bob0627
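The situation bob0627 describes, as an added example that is not part of this thread or of the da-letsencrypt plugin: a TLS server can only choose a certificate per hostname if the client sends SNI; a client without SNI (Windows XP's SChannel) always receives the default certificate for that IP, so with per-domain certificates every domain except the default one gets a name mismatch, while one SAN certificate covering all of the user's domains works for both kinds of client. The certificate objects, the domain list and the wildcard matching rules (RFC 6125 style: wildcard only as the whole leftmost label, never across a dot, never on a bare TLD) are modelled here; no real X.509 parsing is done and all names are constructed for illustration.

```python
"""Why a SAN certificate helps clients that do not send SNI.

Added example (not project code): models a server's certificate selection
on ClientHello and hostname matching against a certificate's Subject
Alternative Names. Every certificate and hostname below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 leaf: only the dNSName entries of its SAN matter here."""
    label: str
    sans: tuple[str, ...]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 style dNSName matching.

    Case-insensitive; a wildcard must be the entire leftmost label, must not
    match across a dot, and is rejected on patterns with fewer than three
    labels (so '*.com' never matches anything).
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if any SAN entry of the certificate matches the hostname."""
    return any(hostname_matches(hostname, san) for san in cert.sans)


def select_cert(sni: Optional[str], certs: list[Cert], default: Cert) -> Cert:
    """Server-side choice on ClientHello for one IP address.

    With SNI the server can pick the certificate covering the requested name.
    Without SNI (e.g. Windows XP) it has no hostname yet and can only send the
    default certificate configured for that IP.
    """
    if sni is None:
        return default
    for cert in certs:
        if cert_covers(cert, sni):
            return cert
    return default


def unreachable_hosts(hostnames: Iterable[str], certs: list[Cert],
                      default: Cert, client_sends_sni: bool) -> list[str]:
    """Hostnames for which the client would see a name-mismatch warning."""
    bad = []
    for host in hostnames:
        presented = select_cert(host if client_sends_sni else None, certs, default)
        if not cert_covers(presented, host):
            bad.append(host)
    return bad


# Constructed scenario: one user, one dedicated IP, several domains.
USER_DOMAINS = ("example.com", "www.example.com", "example.net", "shop.example.org")

# Setup A: one certificate per domain (what a per-domain plugin issues).
PER_DOMAIN = [
    Cert("example.com", ("example.com", "www.example.com")),
    Cert("example.net", ("example.net",)),
    Cert("shop.example.org", ("shop.example.org",)),
]
PER_DOMAIN_DEFAULT = PER_DOMAIN[0]

# Setup B: one SAN (UCC) certificate listing every domain of the user.
SAN_CERT = Cert("san-all-domains", USER_DOMAINS)


if __name__ == "__main__":
    for label, certs, default in (("per-domain certs", PER_DOMAIN, PER_DOMAIN_DEFAULT),
                                  ("single SAN cert", [SAN_CERT], SAN_CERT)):
        for sni in (True, False):
            bad = unreachable_hosts(USER_DOMAINS, certs, default, sni)
            print(f"{label:17s} SNI={'yes' if sni else 'no ':3s} mismatches: {bad or 'none'}")
```

Running it shows that only the combination "per-domain certs, client without SNI" produces mismatches (example.net and shop.example.org, because the default certificate for the IP is the example.com one); the SAN certificate removes the mismatch even for the non-SNI client, which is exactly why bob0627 asks for it.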

Currently the plugin is per-domain oriented; to implement "user-wide" SSL certificates we'd have to make many changes.

Wouter0100 avatar Jan 07 '16 14:01 Wouter0100

Got it, I hope to use UCC/SAN certs in the near future. Thank you for the great work!

bob0627 avatar Jan 07 '16 14:01 bob0627

Windows XP is already EOL, followed by IE7 and IE8 in the near future. I'm not sure if we have to take care of these users who run very insecure (EOL) systems.. Is there any reason you have such a high visitor rate from Windows XP machines? Here it's ~3% (of all Windows machines) over the last 4 years.

Wouter0100 avatar Jan 08 '16 10:01 Wouter0100

I live in China; there are still many users on WinXP. And a lot of websites use UCC/SAN certs; you just can't ignore these users who are still using EOL systems. Google Inc. has so many IPs, so why do they also sign UCC/SAN certs?

bob0627 avatar Jan 08 '16 10:01 bob0627

I really have high hopes for this. I'm also a DirectAdmin user in China; it's true there are still so many people using Windows XP/IE7/IE8.

icodex avatar Jan 08 '16 11:01 icodex

Hmm, that's unfortunate.. Ehm.

Wouter0100 avatar Jan 08 '16 11:01 Wouter0100

The people using Windows XP/IE7/IE8 should upgrade. You can't support EOL software forever. If we support it, we will be promoting continued use of Windows XP/IE7/IE8.

zenire avatar Jan 08 '16 11:01 zenire

I can't ask them to upgrade to the latest OS; all I can do is provide them with the best experience. And you just can't abandon/ignore them in order to promote innovation and technological change.

I'm just telling you that there are still many people using outdated systems; it's your right to do it or not.

There are so many companies using UCC/SAN certs, such as Google/CloudFlare/Facebook/Wikipedia and so on, and why don't they ask their visitors to use a modern system? Should we abandon/ignore them?

And lastly, sorry for my bad English; English is not my native language, maybe I can't make you understand what I said. Thanks again for the great work and have a happy day!

Best Regards,

bob0627 avatar Jan 08 '16 12:01 bob0627

I think this could be implemented in the admin panel.

But please note that even if we have SAN/UCC certs, XP/2003 clients will still get an SSL invalid warning, because the way their SChannel interprets Name Constraints (for LE's root) is different..

For more, see: https://community.letsencrypt.org/t/san-domain-name-mismatch-android-2-windows-xp/4060

And even if we have SAN/UCC certs, some older clients like XP SP2 or before do not have SHA-256 roots... STILL GET A WARNING OR EVEN CAN'T CONNECT TO THE HTTPS SERVER

BTW, POSReady 2009 is not an EOL OS...

Hey... but are Chinese visitors going to Google/Facebook/Wikipedia/CloudFlare?

My only experience is that these services are not accessible from China...

Anyway, HTTPS for them is still great. I know many Chinese ISPs inject their own ads into all HTTP traffic..

v998 avatar Jan 08 '16 16:01 v998

@v998 we can access Wikipedia/Cloudflare; these are not blocked in China. When I say Google/Facebook/Wikipedia/CloudFlare, it's because they're more popular outside China. Many popular Chinese-language websites are using UCC/SAN certs now, but I have no idea if you are familiar with them, for example: https://www.taobao.com/ https://www.baidu.com/ https://www.tmall.com/

I just browsed your website; are you from Hong Kong? My English isn't very good, I don't know how to express my thoughts. I feel we shouldn't push technological innovation by making everyone abandon outdated browsers; after all, the original purpose of SNI was to allow installing more certificates on a single IP, which is the good side. But at present many visitors are still using outdated systems and cannot benefit from SNI. Big companies like Google still use UCC/SAN certificates, so why don't we?

Update: I found GitHub is also using UCC/SAN certs. https://assets-cdn.github.com/

bob0627 avatar Jan 08 '16 16:01 bob0627

@bob0627 I understand you can't do that and you want to provide the best to your customers. Maybe we could introduce this support in future versions, but I don't think we should aim for the 1.0 release to support this.

zenire avatar Jan 08 '16 20:01 zenire

That's why its milestone is future ;).

Wouter0100 avatar Jan 08 '16 20:01 Wouter0100

@bob0627

we can access Wikipedia/Cloudflare; these are not blocked in China.

  • Isn't Chinese Wikipedia blocked?
  • and CloudFlare-proxied sites (on the Free plan) still have problems with XP (they use ECC SAN certificates, and XP can't read them)

When I say Google/Facebook/Wikipedia/CloudFlare, it's because they're more popular outside China.

  • Google.. SHA-256 cert, so no pre-XP SP3 (with IE) visitor can visit them...
  • Facebook.. again, SHA-256, and no SSLv3, so by default no IE6..
  • Wikipedia.. same as FB..

I just wonder how many Chinese users use IE6-IE8 and pre-SP3 versions... But I know they use browsers like 360, so as Chromium handles these websites for XP, they can still be browsed.

Many popular Chinese-language websites are using UCC/SAN certs now, but I have no idea if you are familiar with them, for example: https://www.taobao.com/ https://www.baidu.com/ https://www.tmall.com/

I know Baidu, but they aren't using Let's Encrypt.

I just browsed your website; are you from Hong Kong?

Yes..

My English isn't very good, I don't know how to express my thoughts.

Judging from your English above, it's quite good :)

I feel we shouldn't push technological innovation by making everyone abandon outdated browsers; after all, the original purpose of SNI was to allow installing more certificates on a single IP, which is the good side. But at present many visitors are still using outdated systems and cannot benefit from SNI.

I don't know whether you read my comment above. To get Let's Encrypt certificates working normally on XP (Chrome/IE) and other UAs, the problem to solve isn't just SNI. Certificates signed by LE must be SHA-256, so in theory only SP3 can recognize them; but in practice XP doesn't recognize LE's root certificate, so on XP nearly all browsers (except Firefox) will warn that LE's certificate has a problem. What's the difference then from a self-signed certificate? You'd be better off using StartSSL/WoSign with SNI; at least Chromium-based browsers (Chrome/360) can access those sites fine.

Big companies like Google/GitHub still use UCC/SAN certificates, so why don't we?

Even if we really did set up SAN certificates, the UA would still warn. This is a problem with Let's Encrypt's root certificate.

Again, in English,

XP doesn't recognize Let's Encrypt issued certificates.

It is meaningless to use SAN certs to support XP users; they are still getting the warning anyway.

It would then be a waste of bytes for newer user agents to receive the extra Alternative Names.

v998 avatar Jan 09 '16 02:01 v998

@v998 thank you for your reply. Wikipedia is still accessible in mainland China.

[screenshots attached: cloudflare, wiki]

bob0627 avatar Jan 09 '16 05:01 bob0627

@bob0627 I have new update.

The new intermediate CA by Let's Encrypt now does support Windows XP. (see: https://community.letsencrypt.org/t/upcoming-intermediate-changes/13106/3)

However, since the Let's Encrypt support for DirectAdmin is now handled officially, you may need to go to the official DA forum (forum.directadmin.com) to ask for the server-wide SAN cert functionality.

Note that you will also have to change your SSL configuration (like enabling SSLv3) for this to work on IE6.

=)

v998 avatar Mar 26 '16 10:03 v998

@v998 many thanks for your information.

bob0627 avatar Mar 26 '16 14:03 bob0627