websss
asked on
Wildcard SSL with Certify The Web
I have a multi-tenant web app.
Users can create trials, and I assign them a URL like so:
123.mydomain.com
124.mydomain.com
125.mydomain.com
123 = DB id of that trial.
This all works great.
However it's not on HTTPS.
I use Certify The Web for IIS HTTPS certificates.
I would like to have a wildcard cert
*.mydomain.com
so that all these trials are on HTTPS.
Ideally I don't want to pay for a certificate or have to enter the bindings for every site for the trials.
What options do I have? Is this possible?
Entering bindings is a bigger headache than buying a wildcard,
but ideally Let's Encrypt / Certify The Web would do it all.
I use 123-reg to manage domain DNS.
ASKER
It's one website on IIS which is a catch-all, and bindings are all associated with this one site.
Just generate a free https://LetsEncrypt.org cert.
ASKER
Thanks, that's kinda what Certify The Web does already, and it works.
It's the wildcard one that's the issue.
When you say, "Its the wildcard one thats the issue", add a bit more detail about what this means.
Maybe you're talking about this "Its one website on IIS which is a catch all, and bindings are all associated with this one site", which is correct.
You'll require, what you're calling a binding (I think), for each host record.
I run many systems like what you're describing, based on Apache. Each new site spun up does this...
1) Create a new Virtual Host file for host.
2) service apache2 reload.
Example of an Apache config file for one of these sites...
<VirtualHost *:80>
    ServerName host123.foo.com
    ServerAdmin support@foo.com
    # Plain HTTP only redirects to HTTPS (needs mod_rewrite loaded)
    RewriteEngine on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [NC,L,R=301]
    Include logging.conf
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName host123.foo.com
    ServerAdmin support@foo.com
    DocumentRoot /sites/some-client/host123.foo.com/wordpress
    <Directory /sites/some-client/host123.foo.com/wordpress>
        # +Indexes turns on directory listings for folders without an index file
        Options +Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    Include logging.conf
    # Shared TLS settings for every foo.com host (the wildcard cert), see below
    Include ssl/foo.com/site.conf
</VirtualHost>
</IfModule>
Then ssl/foo.com/site.conf contains...
SSLEngine on
# OCSP stapling also needs SSLStaplingCache set once at server level (outside any VirtualHost)
SSLUseStapling on
SSLCertificateFile ssl/foo.com/fullchain.pem
SSLCertificateKeyFile ssl/foo.com/privkey.pem
# Enable HTTP Strict Transport Security with a 2 year duration (needs mod_headers;
# the hstspreload.org list only accepts "preload" when includeSubDomains is also set)
Header always set Strict-Transport-Security "max-age=63072000; preload"
Then a nightly CRON job to pull the updated cert files...
Using this approach you can run 100s of machines or LXD containers, so you can easily scale your App to very large numbers of hosts.
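The two provisioning steps above (write a virtual host file, reload Apache) as an added shell example; this is not the commenter's own script. It renders the same port-80 redirect plus port-443 template for a trial label such as 126, writes it into a sites directory, and reloads only after a configtest passes. The paths in SITES_DIR and DOCROOT_BASE, the DOMAIN suffix mydomain.com and the "app" document root folder are assumptions. The part worth noticing is the label check: the trial id ends up inside server configuration and a filesystem path, so it is restricted to a single DNS label before anything is written.

```shell
# Added example (not from the thread): one Apache vhost per trial, from the
# template posted above. Run as: SITES_DIR=/tmp/sites sh provision.sh 126
set -eu

SITES_DIR="${SITES_DIR:-/etc/apache2/sites-available}"   # assumption
DOCROOT_BASE="${DOCROOT_BASE:-/sites}"                   # assumption
DOMAIN="${DOMAIN:-mydomain.com}"                         # assumption

# Accept only a single DNS label ([A-Za-z0-9-], no leading/trailing '-',
# max 63 chars): the label is interpolated into config and a path.
valid_label() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Print the vhost config for one trial host: HTTP redirect + HTTPS site.
render_vhost() {
  host="$1.$DOMAIN"
  cat <<EOF
<VirtualHost *:80>
    ServerName $host
    RewriteEngine on
    RewriteRule ^(.*)\$ https://%{HTTP_HOST}%{REQUEST_URI} [NC,L,R=301]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $DOCROOT_BASE/$host/app
    <Directory $DOCROOT_BASE/$host/app>
        AllowOverride All
        Require all granted
    </Directory>
    Include ssl/$DOMAIN/site.conf
</VirtualHost>
</IfModule>
EOF
}

# Write the config file for a label; prints the path. Returns 1 on a bad label.
provision_trial() {
  label="$1"
  valid_label "$label" || { echo "rejected label: $label" >&2; return 1; }
  mkdir -p "$SITES_DIR"
  out="$SITES_DIR/$label.$DOMAIN.conf"
  render_vhost "$label" > "$out"
  echo "$out"
}

# Reload only if the config parses; silently skip on hosts without Apache.
reload_apache() {
  command -v apachectl >/dev/null 2>&1 || return 0
  apachectl configtest && apachectl graceful
}

# Command-line use: provision the label given as the first argument.
if [ -n "${1:-}" ]; then
  provision_trial "$1" && reload_apache
fi
```

The nightly certificate pull the commenter mentions is deliberately left out; with the Include line above, every host picks up the refreshed ssl/mydomain.com files on the next reload without touching per-host config.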
123.mydomain.com
124.mydomain.com
125.mydomain.com
Are all considered unique domains. Your choices are to either obtain a separate domain for each or use a wildcard cert for the domain. I don't use Let's Encrypt myself; from reading, it sounds like you can put multiple domains on one certificate, such as what you have above. But it does not appear you can get a wildcard where you can later add subdomains after the fact. This is one of the links that explains it: https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250.
For production, I use AlphaSSL and I also resell too. I find using a wildcard is easier for this type of situation. As an example, I use one domain for dev and testing, and if I want to spin up a subdomain, I don't have to keep buying a cert and just use the one wildcard. https://comodosslstore.com/resources/how-to-install-a-wildcard-ssl-certificate-on-iis-7-or-8/
These are normal wildcard certs.
You register a cert to cover foo.com + *.foo.com, to cover all foo.com hostnames.
https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250 provides a quick overview of how to generate a wildcard cert.
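What a "foo.com + *.foo.com" certificate actually covers, as an added example that is not part of the thread: the script builds a throwaway self-signed certificate carrying the same two SANs a wildcard order would (DNS:*.mydomain.com and DNS:mydomain.com) and asks OpenSSL's -checkhost which names it matches. The hostnames and the mydomain.com name are constructed; it needs only openssl and a temp directory.

```shell
# Added example (not from the thread): which hostnames a wildcard cert covers.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Throwaway self-signed key + cert with the two SANs of a typical wildcard
# order, generated here only so the coverage check can run offline.
make_test_cert() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = *.mydomain.com
[v3]
subjectAltName = DNS:*.mydomain.com, DNS:mydomain.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$CERT" -config "$WORK/req.cnf" 2>/dev/null
}

# covers HOST: exit 0 if the cert's SAN list matches HOST under the usual
# RFC 6125 rules (a '*' matches exactly one leftmost label), 1 if it does
# not, 2 if openssl printed something unexpected.
covers() {
  out="$(openssl x509 -in "$CERT" -noout -checkhost "$1")"
  case "$out" in
    *"does NOT match"*) return 1 ;;
    *"does match"*)     return 0 ;;
    *)                  return 2 ;;
  esac
}

make_test_cert
for h in 123.mydomain.com 999.mydomain.com mydomain.com a.b.mydomain.com other.com; do
  if covers "$h"; then echo "covered:     $h"; else echo "not covered: $h"; fi
done
```

The trial ids never have to exist when the certificate is issued: any single label under mydomain.com matches the wildcard, while the bare apex needs its own DNS:mydomain.com entry and a two-level name such as a.b.mydomain.com is not covered at all.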
The link in the previous comment is based on Linux. For Certify The Web, I found this, which details what you need for Windows: https://github.com/webprofusion/certify
ASKER
Thanks, I'm already using Certify The Web.
It's good for one cert, but not for wildcards.
ASKER CERTIFIED SOLUTION
ASKER
Thanks Scott, I was running an older version. I updated it, then did the wildcard / DNS update and it's working great now!
If you are using IIS and you use virtual directories under a currently existing website (i.e. mydomain.com) then all of these properties and certificate characteristics will be part of your new virtual directories.
If you create a different website in IIS for each trial, then you will need to set up the bindings for each new website because these settings do not work based on templates by default. If that is the case, you will need to build certain program logic for customizing your new IIS website during the provisioning process. (i.e. IIS commands).