[SSL] How to use LE Wildcard with Hostname as well?

AfterInfinity

Hey there!

I'm stuck as I can't find any solution to my problem.

My server is as follows:
Hostname (server.example.com)
Domain (example.com)
Bear in mind that hostname and domain share the same domain.

Recently I found out that DirectAdmin supports wildcard certs by Let's Encrypt in GUI. So I generated a certificate for Domain but I cannot figure out how to make Hostname use the wildcard certificate of Domain. I ended up generating a separate certificate for hostname but it's not what I initially wanted.

Does anyone know what I need to do?
Thank you for reading!

Kind regards
 
I think that what you are wanting is not supported.
Although I know people have worked around this with a central DNS/NS/LE server to pass everything from point A to point B.
But I have never done this personally.

(NS = NameServer)
For wildcard certificates LE will need to validate with a DNS record.
It needs to add a DNS record to the NS so it can verify that the domain is yours.
If you have configured your server as it's recommended then your NS for DNS is not in the DirectAdmin panel itself for the domain you use for the panel itself.
And thus it cannot create a record on the NS for that domain to validate it is yours.
 
Sorry if it's a bit messy but my native language is not English.
Don't apologize. Your English is great! Thank you for trying to help :)

I have set up my DNS and everything works great with the ACME challenge. I do have a wildcard certificate on my domain. But my hostname (server.domain.com) and its services are not using the wildcard certificate of the domain (domain.com). The hostname uses its own self-signed certificate or separate Let's Encrypt certificate by using this guide: https://help.directadmin.com/item.php?id=629

The issue is that this guide only shows how to set up a separate certificate for the hostname; it doesn't show how to use the wildcard certificate of the domain.
 
Uh I also have some problems to yes no wildcard hostname and co.
While hostname itself has nothing to do with the domainname (so it should be) in DA

But kind of workaround not wildcard but maybe helping some.

Also I did read in feature or update changelogs DA somewhere about wildcard server and more domains... can't find it ..
 
Looks like more people have the same problems with SSL settings :-(
For me is main problem using external DNS/nameserver services.

DKIM, DANE and such are then :( also wildcards)

Topic starter has the wildcard prob in combi with domain...

Of course the ones using / doing things with domain in combination with hostname.domain is a problem, always was.
 
The hostname uses its own self-signed certificate or separate Let's Encrypt certificate by using this guide: https://help.directadmin.com/item.php?id=629
Can you explain your issue with this? What exactly is the problem you are having with this?
I also always use the Let's Encrypt certificate for the hostname created via the help section. For the domain name (same domain) I use the wildcard setting in the domain setup.

The hostname will not be using the wildcard certificate of the domain name, because hostname and domain name are different things. Hostname can also be something totally different than the domain name, so as far as I know it's not intended to use the wildcard certificate.

What exactly is the problem you're having with a different LE certificate for hostname and domain name?
Otherwise said, why do you need the hostname to make use of the LE wildcard certificate?
 
Sorry for late reply. Today I got back to it and tried some methods of doing it but I couldn't figure it out.
The answer I think lies in the letsencrypt.sh script. I am quite sure it is possible to do it. But my skillset isn't good enough to do it.
Uh I also have some problems to yes no wildcard hostname and co.
While hostname itself has nothing to do with the domainname (so it should be) in DA

But kind of workaround not wildcard but maybe helping some.

Also I did read in feature or update changelogs DA somewhere about wildcard server and more domains... can't find it ..
I hope I'm wrong but it seems as if this is the only workaround as of now.

this how DA store CA for :2222
I don't know, it's work or not, And backup before do this

try use symbolic link from your Domain CA to these location.
Yes I've read this guide. But this would only point directadmin to the certificates, all the other services (exim, dovecot, etc.) won't "know". :(
For me is main problem using external DNS/nameserver services.

DKIM, DANE and such are then :( also wildcards)

Topic starter has the wildcard prob in combi with domain...

Of course the ones using / doing things with domain in combination with hostname.domain is a problem, always was.
Yeah, I was also stuck on this for a little while. Found out I can use cf, with a plugin called daflare I think, that sends records automatically using API. Then pointed the server's nameservers ex. ns1.example.com and ns2.example.com to hostname. Everything works now.
 
Can you explain your issue with this? What exactly is the problem you are having with this?
I also always use the Let's Encrypt certificate for the hostname created via the help section. For the domain name (same domain) I use the wildcard setting in the domain setup.

The hostname will not be using the wildcard certificate of the domain name, because hostname and domain name are different things. Hostname can also be something totally different than the domain name, so as far as I know it's not intended to use the wildcard certificate.

What exactly is the problem you're having with a different LE certificate for hostname and domain name?
Otherwise said, why do you need the hostname to make use of the LE wildcard certificate?
Hello Richard!

Your posts on the forum have helped me a lot along the way! Thank you!

I can understand why this seems a lot of work for as little as a wildcard certificate for the whole server.

The goal here is for everything to be clean and easy in the long run.
Let's say that I am not using Let's Encrypt but a commercial SSL certificate.
This multi-domain certificate has the domains example.com, *.example.com and *.hostname.example.com
I can use this certificate on everything related to the main domain.

Going back to Let's Encrypt. How can people do this?
I think maybe if letsencrypt.sh included a command ex. request_global. So people can create a wildcard certificate in both hostname mode and user domain mode. One certificate for everything.
But if there is a way I would love to know how.
 
can use this certificate on everything related to the main domain.
A multi certificate like you said should normally not be used for the hostname imho. Same also, to have everything clean and easy in the long run, because the way it is now, just makes it clean and easy in the long run.

Suppose you want to change the domain name, or need to change the hostname for any reason, then your main domain will not get affected and still can use the same cert it's using the whole time.
Same if you have to move to another server, or things get bad and you need to get a hosting account instead of a server, in that case also the cert will be good, but you don't need the hostname for it.

Things are of course a bit different if you only have for example one domain with a shop and commercial certificate, then it might be good to also have the hostname in the same certificate. But I guess we need somebody more specialized to explain how and if this can be done.

I think maybe if letsencrypt.sh included a command ex. request_global.
There is a request_full option, but as far as I know (if still supported) that only requests certificates for domains, subdomains and pointers, not for the hostname.

So I guess this might need some custom adjustments, maybe smtalk or da support can be of help with that, but they are very busy so if they don't notice this topic, you might consider either sending in a ticket with the question, or maybe use the feedback forum to request an option to have the same certificate for the hostname, for certain purposes.

Your posts on the forum have helped me a lot along the way! Thank you!
Thank you for the compliment, that's the reason I'm doing this, always glad if I can be of help for somebody to fix things.
 
Things are of course a bit different if you only have for example one domain with a shop and commercial certificate, then it might be good to also have the hostname in the same certificate. But I guess we need somebody more specialized to explain how and if this can be done.
You explained my situation to a tee! And even for those who aren't in the same situation could benefit from a wildcard certificate for their hostname. In this help article, instead of issuing a multi-domain certificate admins could just issue a multi-domain wildcard certificate. For example
Code:
./letsencrypt.sh request *.`hostname`,*.domain.com,domain.com secp384r1
And let users decide if they want to use this certificate or issue a new one for the domain in question.
Unfortunately, wildcard certificates aren't fully supported for hostname from what I've tried. It automatically switches to user domain mode when wildcard is in the request. Maybe when `hostname` is detected in the request then it switches to hostname mode when issuing certificate or just a --hostname flag would make it easier!
So I guess this might need some custom adjustments, maybe smtalk or da support can be of help with that, but they are very busy so if they don't notice this topic, you might consider either sending in a ticket with the question, or maybe use the feedback forum to request an option to have the same certificate for the hostname, for certain purposes.
I'll try that out! Thank you!
Thank you for the compliment, that's the reason I'm doing this, always glad if I can be of help for somebody to fix things.
Can't even count the times I see your name on an answer that helped me.

Kind regards
 
Thank you to everyone for their helpful comments! :)
For anyone interested: I have now posted a suggestion to the feedback section of DirectAdmin.

Have a great day!
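
Added example, not part of the thread and not code from DirectAdmin's letsencrypt.sh: a shell check of which names a certificate's SAN list covers, using the names discussed above. It shows that a *.example.com entry matches server.example.com by name but nothing one level deeper, which is why the multi-domain certificate mentioned in the thread also lists a wildcard under the hostname. The SAN lists are constructed, and san_covers and report are hypothetical helper names.

```shell
#!/bin/sh
# san_covers HOST "SAN[,SAN...]" -> exit 0 if a SAN entry covers HOST.
# Rule applied: "*" is honoured only as the entire left-most label and
# stands for exactly one label (so it never spans a dot).
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sans=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    old_ifs=$IFS
    IFS=','
    set -f                                  # do not glob the "*" in SANs
    rc=1
    for san in $sans; do
        case $san in
            \*.*)
                suffix=${san#\*}            # "*.example.com" -> ".example.com"
                case $host in
                    *"$suffix")
                        label=${host%"$suffix"}
                        case $label in
                            '' | *.*) ;;    # empty or multi-label: no match
                            *) rc=0 ;;
                        esac ;;
                esac ;;
            "$host") rc=0 ;;                # exact name
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed SAN lists modelled on the thread (not read from a real cert);
# "server" stands in for the hostname label.
LE_WILDCARD='example.com,*.example.com'
MULTI='example.com,*.example.com,*.server.example.com'

report() {  # report "SAN list": print coverage for three sample names
    for h in example.com server.example.com mail.server.example.com; do
        if san_covers "$h" "$1"; then r='covered'; else r='NOT covered'; fi
        printf '%-26s %s\n' "$h" "$r"
    done
}

report "$LE_WILDCARD"
report "$MULTI"
```

The SAN list of an installed certificate can be read with openssl x509 -noout -ext subjectAltName (OpenSSL 1.1.1 or later) and passed in once the DNS: prefixes are stripped.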
 