Multiple subdomains in one certificate

1. Caddy version (caddy version): 2.3.0

2. How I run Caddy:

I’m running Caddy in a Docker container to generate and manage certificates that I then use in nginx.

FROM caddy:2.3.0-builder AS caddy-builder

# available dns resolvers: https://github.com/caddy-dns
RUN xcaddy build --with github.com/caddy-dns/route53

FROM caddy:2.3.0

COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy

CMD ["caddy", "run", "--config", "/etc/caddy/config.json"]

a. System environment:

Docker Compose with Caddy in front of nginx in separate containers.
Docker on Debian 10.

b. Command:

caddy run --config /etc/caddy/config.json

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

{
  "apps": {
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": [
              "siasky.net",
              "*.siasky.net",
              "*.hns.siasky.net",
              "*.eu-pol-1.siasky.net",
              "*.hns.eu-pol-1.siasky.net"
            ],
            "issuers": [
              {
                "challenges": {
                  "dns": {
                    "provider": { "name": "route53" }
                  }
                },
                "module": "acme"
              }
            ]
          },
          { "issuers": [{ "module": "internal" }], "on_demand": true }
        ]
      }
    }
  }
}

3. The problem I’m having:

I am running into rate limits for the domains due to a lot of duplicates. I am running the same stack on multiple servers, and each server needs 5 certificates: siasky.net, *.siasky.net and *.hns.siasky.net, which are repeated on each server, and 2 more that are unique to each server (i.e. *.eu-pol-1.siasky.net and *.hns.eu-pol-1.siasky.net). According to Let’s Encrypt I am running into limits here, and it sure looks like I get a lot of duplicates: https://crt.sh/?q=siasky.net

The question is - is there a way to make sure I am not running into limits here? I considered:

  • having one machine that manages certificates and copies them over to all servers, and does the same on renewals; but that’s a pretty dirty and centralised solution with a single point of failure: in case this machine has issues, all the servers are down
  • generating a SAN certificate for siasky.net that also includes *.siasky.net, *.hns.siasky.net and the two other siasky.net subdomains; that would produce one certificate per server and I think it should be fine (although I have around 12-15 servers and I am not sure whether Let’s Encrypt would allow me to create so many certificates like that; I’m not really sure whether it falls under the duplicates limit if it’s a SAN certificate)

I don’t like the 1st approach, so I was trying the 2nd approach, but I can’t find any documentation on that for Caddy. Is that something that’s possible?

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

Caddy does not support multi-SAN certificates, for a multitude of reasons. (I’ll let @matt chime in here with the why; I don’t have the list of reasons on hand right now.)

Instead, you should be configuring your multiple instances of Caddy to share the same storage, to avoid having to do cert issuance more than once for the same domain.

“Use one name per certificate”:
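A concrete shape for the shared-storage approach the reply recommends, as an added example rather than config from the original post or from the Caddy project: every Caddy instance sets the top-level storage key to the same backing store, so a certificate that one instance has already obtained is found in storage by the others instead of being requested again (which is what trips Let’s Encrypt’s duplicate-certificate limit of 5 identical certificates per week). The built-in file_system module is used here; the root path /data/caddy-shared is an assumption and would have to be a volume that every container mounts from the same shared filesystem. Caddy coordinates issuance between instances with lock files written into that storage, so the mount must present the same files to all instances, otherwise the lock cannot stop two servers from issuing the same name at the same time. The subjects are the original post’s; the two per-server names (*.eu-pol-1.siasky.net and *.hns.eu-pol-1.siasky.net) would differ on each server, while the three common names are now obtained once and shared.

```json
{
  "storage": {
    "module": "file_system",
    "root": "/data/caddy-shared"
  },
  "apps": {
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": [
              "siasky.net",
              "*.siasky.net",
              "*.hns.siasky.net",
              "*.eu-pol-1.siasky.net",
              "*.hns.eu-pol-1.siasky.net"
            ],
            "issuers": [
              {
                "module": "acme",
                "challenges": {
                  "dns": {
                    "provider": { "name": "route53" }
                  }
                }
              }
            ]
          },
          { "issuers": [{ "module": "internal" }], "on_demand": true }
        ]
      }
    }
  }
}
```

Because the storage key replaces Caddy’s default data directory, the image from the post needs that path mounted on every server (for example as a Compose volume backed by the shared store). Other storage backends exist as plugins and would be compiled in with xcaddy build --with ... in the same way the route53 module is in the Dockerfile above; the file_system module needs no extra build step.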

Thanks, I’ll follow up with shared storage :slight_smile:

Cheers

