Project

General

Profile

Actions

Feature #10761

closed

Multiple domains in one SAN entry would be very useful

Added by Eduard Rozenberg over 1 year ago. Updated over 1 year ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
ACME
Target version:
-
Start date:
07/12/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

In the Domain SAN list, I'm not currently able to add multiple domains in the 'Domainname' box, for ex. cannot use:

Domainname: fw.mydomain.com fw1.mydomain.com fw1.lan.mydomain.com fw2.mydomain.com fw2.lan.mydomain.com

I could use wildcard (*.mydomain.com) but this is not ideal, as it opens a potential exploit if the cert is stolen from one of the firewalls.

Reason for needing multiple domain names: need domain names for each of multiple redundant firewalls. Also, each firewall can be addressed by multiple domain names (for ex. fw.mydomain.com, fw1.mydomain.com, fw1.lan.mydomain.com)

Currently have to create multiple SAN items which is redundant, and also requires more work over time if DNS API keys change etc, as we now have to manage multiple SAN entries.

Suggestion: allow entering multiple domain names in one SAN entry, either on multiple lines or separated by spaces, commas etc.

Actions #1

Updated by Chris Linstruth over 1 year ago

Hello -

Please post to the forum for assistance. There is an ACME-specific category at https://forum.netgate.com/category/72/acme

This is possible in the current ACME package by adding additional SANs with the add button and is probably just being mis-configured.

They will all need to be validated in the certificate issuing process, of course.

Actions #2

Updated by Eduard Rozenberg over 1 year ago

I was referring to multiple domains inside a single SAN - otherwise the same DNS keys, API tokens, etc are copied multiple times, and when they change have to be edited in every SAN which is extra work and potential for mistakes.

In my case I'd need about 15 SANS for the 2 firewalls, and that's 15 copies of the same set of Cloudflare API keys, tokens, email addr, zone keys etc. 15 x 6 items if they all change, almost 100 entries to have to modify in the future, every time they change.

Actions #3

Updated by Eduard Rozenberg over 1 year ago

For now I just gave up and used a wildcard, let the hackers have at it.

Actions #4

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Rejected

That's not how Let's Encrypt/ACME works. Let's Encrypt must verify all entries separately. There is no way to put all hostnames for a single domain in one entry other than wildcard.

Actions #5

Updated by Eduard Rozenberg over 1 year ago

Thanks Jim, I used the wrong terminology re domains/SANs.

The intention is still valid - would be good to have a single cert issue method definition shared by multiple SAN entries.

For ex.:

Method 1: DNS Cloudflare - API KEY=123 email=something API token=987 etc.
Method 2: Web dir

SAN 1: fw1.mydomain.com - uses Method 1
SAN 2: fw2.mydomain.com - uses Method 1
...
SAN 20: fw.comcast.mydomain.com - uses Method 1

This way, when any of the Cloudflare auth info for ex. changes in the future, it only needs to be modified in one place, not for every SAN.

If there's no interest in this because "most people" only need 1 or 2 SANS fair enough, I can discuss further in forums or look at doing a PR in the future.

Actions

Also available in: Atom PDF