
Wildcard Lock Certificates

Open jasongill opened this issue 5 years ago • 5 comments

We have one domain with a lot (hundreds) of subdomains like customername.blognetwork.com, which are used by users to access their blog login before they have pointed a CNAME to us; users then each have their own domain like myblog.customername.com. We use lets-proxy2 to listen on :443 at the IP that all of the *.blognetwork.com and customer sub-domains share, and it works well to issue certificates.

The problem we've run into is that since lets-proxy2 just re-issues a new certificate for each subdomain, we run into the 50 subdomain limit from lets-encrypt quickly and most users can't use customername.blognetwork.com to log in. Using their real subdomain is fine (but they have to set it up first, which can be troublesome).

Previously we used a hack I wrote (see #125) to force a fallback wildcard certificate (from a commercial certificate vendor) to be used, but I want to do away with this hack. I see the lock certificates feature you created and it works well to load our commercial certificate - but we must duplicate the wildcard certificate (and lock file) for each customer subdomain; it cannot be done automatically/dynamically.

Would it be possible to add support for wildcard lock certificates? This way, we could just "lock" the entire *.blognetwork.com domain to use the commercial wildcard certificate, instead of having to make customer1.blognetwork.com.lock, customer2.blognetwork.com.lock, etc.

I am happy to contribute a small amount of $ to help get this feature added if needed. Thank you!

jasongill avatar May 30 '20 14:05 jasongill

If you have a commercial wildcard certificate - why do you need lets-proxy?

You can use nginx with a wildcard.

rekby avatar May 30 '20 15:05 rekby

Because we also host customer domains that we don't / can't buy commercial certificates for. Basically we have 1 domain that we want to use a wildcard certificate (lock) with, and all other domains go through letsencrypt. We have the customers just set

myblog CNAME customername.blognetwork.com

in their DNS, so that their blog works on either myblog.customerdomain.com (SSL with letsencrypt) or, as a secondary / for getting started, at customername.blognetwork.com (SSL with the commercial *.blognetwork.com certificate, since letsencrypt limits to 50 sub domains and lets-proxy2 doesn't request wildcards from letsencrypt).

jasongill avatar May 30 '20 15:05 jasongill

Yes, I understand your scenario.

I will think about how to do it with a simpler interface.

rekby avatar May 30 '20 16:05 rekby

I'm thinking about a solution. It will be regexp replace rules - you will be able to replace the certificates of all your subdomains with one certificate name. It can be issued as a wildcard and saved with a .lock flag so that lets-proxy doesn't re-issue it.

rekby avatar Jul 03 '20 01:07 rekby
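A sketch of the regexp replace rule described in the comment above, added here as an illustration and not code from lets-proxy2. The CertStore type, the rule set and the fall-back to per-host issuance when no locked certificate exists under the mapped name are assumptions for the example:

```go
package main

import (
	"regexp"
	"strings"
)

// CertRule maps hostnames matching Pattern to one certificate name; Replacement
// may use Go regexp expansion syntax ($1, ${name}). Anchor patterns (^...$) and
// escape dots so a look-alike host cannot be mapped onto the shared name.
type CertRule struct {
	Pattern     *regexp.Regexp
	Replacement string
}

// DefaultRules is the constructed rule set for this thread's scenario: one
// label under blognetwork.com maps to the locked wildcard certificate. Two or
// more labels deliberately do not match, as a wildcard covers a single label.
func DefaultRules() []CertRule {
	return []CertRule{{
		Pattern:     regexp.MustCompile(`^[a-z0-9-]+\.blognetwork\.com$`),
		Replacement: "*.blognetwork.com",
	}}
}

// CertStore stands in for the certificate directory: which names carry a
// .lock marker. It is an assumption, not lets-proxy2's real storage API.
type CertStore struct{ Locked map[string]bool }

// Decide normalises the host, applies the first matching rule and returns the
// certificate name to serve plus whether lets-proxy would need to request it
// from Let's Encrypt. The mapped name is used only if it is locked (pre-loaded,
// never re-issued); otherwise the host falls back to per-host issuance, since
// lets-proxy2 does not obtain wildcards from Let's Encrypt (assumed fallback).
func Decide(host string, rules []CertRule, store CertStore) (certName string, issue bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, r := range rules {
		if !r.Pattern.MatchString(host) {
			continue
		}
		if name := r.Pattern.ReplaceAllString(host, r.Replacement); store.Locked[name] {
			return name, false
		}
		break // rule matched but no locked cert under that name: fall through
	}
	return host, !store.Locked[host]
}
```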

Yes, that would be great if we could have regex for the lock files! Thank you!

jasongill avatar Jul 06 '20 15:07 jasongill