Wildcard SSL cert for fourth level subdomain

jigster

I'm implementing CalDAV in Roundcube for calendar syncing across devices and need an SSL cert created automatically for each domain covering *.caldav.domain.com.

At the moment I have admin_ssl_default_wildcard=1, so Let's Encrypt creates a wildcard SSL cert for domain.com and *.domain.com, but this of course doesn't cover *.caldav.domain.com.

Does anyone know how to add to the wildcard cert list so that DirectAdmin will request from Let's Encrypt a cert for domain.com, *.domain.com and *.caldav.domain.com?
 
Thanks, but unfortunately it's not feasible to add a separate account for thousands of domains just for CalDAV. That's why I need an automatic solution that will create a certificate for *.caldav.domain.com. Any ideas?
 
Very maybe.
But it was asked earlier and said to be not possible in DA.

You might want to read this and the replies lower in that thread.
 
3 years ago... still the same? I thought it would be possible. Well, maybe not "wildcard", but for the domain: for *.caldav.domain.com you should be able to say that everything requested before caldav.domain.com gets a certificate.

Based on the SNI setup, so I thought that if it is possible for SNI, it would also work for this, right?


It says:
Code:
For example, this snidomains entry:

*.sub.domain.com:fred:sub.domain.com

would mean, that for the given service, if www.sub.domain.com is requested, the lookup would point to: /usr/local/directadmin/data/users/fred/domains/sub.domain.com.cert (or sub.domain.com.cert.combined, depending on which service is asking)

So I thought it should work if you ran the script for the subdomain. But maybe not. Worth testing :p
 
Thanks everyone for the suggestions, but after testing I sadly couldn't get any of it to work :(

As a workaround I've changed the CalDav settings so instead of XXX.caldav.domain.com (where XXX is dynamic) it uses XXXcaldav.domain.com (no dot). This works using the normal wildcard cert *.domain.com which is issued automatically.

The only problem is I have to add a wildcard DNS entry for all domains:
* A IP
because the CalDav server creates the XXX bit of XXXcaldav.domain.com dynamically. I would ideally like to avoid this because it seems not to be good practice, but can't think of any way around it! Except maybe trying to modify the CalDav system to dynamically add/delete specific DNS records (using Directadmin API) when adding/removing caldav connections. But I'm not familiar with the CalDav system code so that might be difficult. If anyone has any better ideas to avoid adding a wildcard DNS entry for all domains, please share! (y)
 
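The snidomains entry quoted above and the no-dot workaround in the post just before this both come down to how a wildcard name is matched. The following is an added example, not DirectAdmin's own code: a small POSIX sh model of that lookup, with the entry format (`pattern:user:certname`) taken from the quoted text and the cert path built exactly as the quote describes. The one assumption is that a leading `*.` covers exactly one DNS label, as TLS wildcard names do under RFC 6125; DirectAdmin's real matcher may differ. The sample entries and user `fred` are constructed. It shows that `alice.caldav.domain.com` is not covered by a `*.domain.com` entry while `alicecaldav.domain.com` is, which is why the no-dot workaround works with the standard wildcard cert, and that even with a `*.caldav.domain.com` entry the file it points to still has to contain that wildcard SAN, which is the issuance problem the thread could not solve.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code: models the snidomains lookup quoted
# in the thread. Entry format taken from the quoted text: <pattern>:<user>:<certname>.
# Assumption: a leading "*." matches exactly one DNS label, as TLS wildcard
# names do (RFC 6125); DirectAdmin's real matching may differ.

DA_USERS=/usr/local/directadmin/data/users

# Constructed sample entries, one per line as in DirectAdmin's file.
SNI_ENTRIES='*.sub.domain.com:fred:sub.domain.com
domain.com:fred:domain.com
*.domain.com:fred:domain.com'

# sni_match HOST PATTERN: succeeds if PATTERN covers HOST
sni_match() {
    mh=$1; mp=$2
    case "$mp" in
        \*.*)
            # wildcard: HOST must be the suffix plus exactly one extra label
            [ "${mh%%.*}" != "$mh" ] && [ "${mh#*.}" = "${mp#\*.}" ]
            ;;
        *)
            [ "$mh" = "$mp" ]
            ;;
    esac
}

# sni_cert_path HOST [EXT]: prints the certificate path the matching entry
# resolves to (EXT defaults to "cert"; pass "cert.combined" for services that
# want that file), exits 1 if no entry covers HOST.
# Exact entries are checked first so they win over wildcard entries.
sni_cert_path() {
    host=$1; ext=${2:-cert}
    for pass in exact wild; do
        for entry in $SNI_ENTRIES; do
            pat=${entry%%:*}
            rest=${entry#*:}
            user=${rest%%:*}
            certname=${rest#*:}
            case "$pass:$pat" in
                exact:\*.*) continue ;;   # wildcards wait for the second pass
                wild:\*.*) ;;
                wild:*) continue ;;       # exact entries were handled already
            esac
            if sni_match "$host" "$pat"; then
                printf '%s/%s/domains/%s.%s\n' "$DA_USERS" "$user" "$certname" "$ext"
                return 0
            fi
        done
    done
    return 1
}

# Demo: the quoted www.sub.domain.com case, the dotted CalDAV name that a
# *.domain.com entry does not cover, and the no-dot workaround that it does.
for h in www.sub.domain.com alice.caldav.domain.com alicecaldav.domain.com; do
    if path=$(sni_cert_path "$h"); then
        echo "$h -> $path"
    else
        echo "$h -> no snidomains entry covers this name"
    fi
done
```

Adding an entry such as `*.caldav.domain.com:fred:caldav.domain.com` would make the lookup return `.../fred/domains/caldav.domain.com.cert` for `alice.caldav.domain.com`, but the TLS handshake only succeeds if that file actually carries `*.caldav.domain.com` as a SAN; the lookup table does not change what Let's Encrypt issued.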
We have an automatic wildcard entry for all domains via a custom DNS template.

So you could add:
Code:
cd /usr/local/directadmin/data/templates/custom
cp ../dns_a.conf .

change the conf to:

|*if IS_IPV6!="yes"|
|DOMAIN|.=|IP|
*=|IP|
mail=|IP|
pop=|IP|
www=|IP|
ftp=|IP|
smtp=|IP|
|*endif|

for ipv6:

cd /usr/local/directadmin/data/templates/custom
cp ../dns_aaaa.conf .

change the conf to

|*if IS_IPV6="yes"|
|DOMAIN|.=|IP|
*=|IP|
mail=|IP|
pop=|IP|
www=|IP|
ftp=|IP|
smtp=|IP|
|*endif|

And for existing domains you can create something like dns-add.sh with this code:

For A:

Code:
#!/bin/sh
# Append a wildcard A record to every existing zone. A zone that already has
# one is skipped, so the script can be re-run safely.
DATAU=/usr/local/directadmin/data/users
for u in $(ls "$DATAU"); do
{
      [ -f "$DATAU/$u/user.conf" ] || continue
      IP=$(grep '^ip=' "$DATAU/$u/user.conf" | cut -d= -f2)
      for d in $(cat "$DATAU/$u/domains.list" "$DATAU/$u"/domains/*.pointers 2>/dev/null | cut -d= -f1); do
      {
            if grep -q '^\*[[:space:]].*[[:space:]]A[[:space:]]' "/var/named/${d}.db" 2>/dev/null; then
                  echo "$d already has a wildcard A record, skipping";
                  continue;
            fi
            echo "adding new record with IP $IP to $d";
            echo "*   900    IN   A   $IP" >> "/var/named/${d}.db"
      };
      done;
};
done;
# Raise each zone's SOA serial and reload named afterwards, or the new
# records will not be served.
exit 0;

and for AAAA use this:

Code:
#!/bin/sh
# Append a wildcard AAAA record to every existing zone. A zone that already
# has one is skipped, so the script can be re-run safely.
# Assumes the ip= value in user.conf is the user's IPv6 address; if it holds
# the IPv4 address, substitute the IPv6 value here instead.
DATAU=/usr/local/directadmin/data/users
for u in $(ls "$DATAU"); do
{
      [ -f "$DATAU/$u/user.conf" ] || continue
      IP=$(grep '^ip=' "$DATAU/$u/user.conf" | cut -d= -f2)
      for d in $(cat "$DATAU/$u/domains.list" "$DATAU/$u"/domains/*.pointers 2>/dev/null | cut -d= -f1); do
      {
            if grep -q '^\*[[:space:]].*[[:space:]]AAAA[[:space:]]' "/var/named/${d}.db" 2>/dev/null; then
                  echo "$d already has a wildcard AAAA record, skipping";
                  continue;
            fi
            echo "adding new record with IP $IP to $d";
            echo "*   900    IN   AAAA   $IP" >> "/var/named/${d}.db"
      };
      done;
};
done;
# Raise each zone's SOA serial and reload named afterwards, or the new
# records will not be served.
exit 0;
 
Thanks @Stije that's great. I've actually already done all that, so all set (y) I just ideally wanted to avoid a wildcard DNS entry altogether because my research suggested it's not good practice, although opinion seems divided on that. But it works, and is my only option so far, so for me it is necessary!! Thanks again.
 