[SOLVED] LetsEncrypt Certificate / Multidomain

Hello Uwe,

Extending LetsEncrypt is possible by using the -d flag to extend the used LE domains:

certbot certonly -n --standalone --agree-tos \
    --preferred-challenges http \
    --cert-name="<ssl-domain1>" \
    -d "<ssl-domain1>" \
    -d "<ssl-domain2>" \
    -d "<ssl-domain3>" \
    -m "<ssl-mailforLE>"

The certbot renew timer takes care of the renewals automatically every week, no matter what you generate for that system. You can check that it is running with:

systemctl status grommunio-certbot-renew.timer


    noplan
    You may have to update your nginx config files and modify the servername entry, or if you are using different keys, create separate config files for each domain that is basically a copy of the /usr/share/grommunio-common/nginx.conf but specific for each domain.

    In each config file, you could then specify a different ssl_certificate and ssl_certificate_key. This way, you can use the domain-specific certificate files for each domain. Otherwise, if you use the key for, say, *.domain1.tld and the user goes to https://mail.domain2.tld, they will get a certificate error stating the certificate is not valid: the certificate is issued for 'domain1.tld' but you are connecting to 'domain2.tld'.

      obsidiangroup

      Oh yeah, I was aware of this,
      thought they implemented something like this as default when you set up multi domain

      br NP

        Hi noplan,

        per default, the entire configuration of the webservice is multi-tenant and multi-domain capable. The only thing you need to "deal with" is choosing/generating the appropriate certificate for it. For multiple domains in combination with wildcard you can specify -d with *.domain1.tld and another -d with *.domain2.tld.

        This is a so-called SAN wildcard certificate. There are many vendors supporting this. However, when it comes to really large setups, like 1.000.000 mailboxes with thousands of domains, the setup doesn't really rely on such configurations but instead on load balancers and separate SSL termination in the front-end.

        Smaller setups can be done also with SNI and multiple certificates, however if you're around 5 wildcard SANs, you should be perfectly fine with LE.
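        The two posts above boil down to one check: does the SAN list of the certificate certbot produced cover every hostname your users (and your nginx server_name entries) use? The following is an added example, not code from this thread or from grommunio, that implements the hostname-to-SAN matching rules (case-insensitive, a wildcard is only valid as the whole left-most label and covers exactly one label, and it never covers the bare domain) and reports the hostnames that would trigger the "certificate is not valid" error described above. The SAN lists and hostnames are constructed sample data; with a real certificate you would feed in the DNS entries of its subjectAltName extension instead.

```python
# Added example (not from the thread): check which hostnames a certificate's
# SAN list covers, using the wildcard rules browsers apply (RFC 6125 style).

def host_matches_san(host: str, san: str) -> bool:
    """Return True if the DNS SAN entry `san` covers the hostname `host`."""
    host = host.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        # Plain entry: must be an exact (case-insensitive) match.
        return host == san
    # Only "*.<domain>" is accepted: the wildcard must be the whole left-most
    # label, and no other label may contain a wildcard.
    if not san.startswith("*.") or "*" in san[2:]:
        return False
    suffix = san[1:]                       # ".domain1.tld"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]            # the part the "*" stands for
    # Exactly one non-empty label: "*.domain1.tld" covers "mail.domain1.tld"
    # but neither "domain1.tld" itself nor "a.b.domain1.tld".
    return left != "" and "." not in left


def uncovered_hosts(server_names, sans):
    """Hostnames from `server_names` that no SAN entry covers.

    Each of these would produce the browser error quoted in the thread:
    'the certificate is issued for X but you are connecting to Y'.
    """
    return [h for h in server_names
            if not any(host_matches_san(h, san) for san in sans)]


# Constructed sample data: a single-domain wildcard certificate and the
# hostnames of a two-domain grommunio setup.
SANS = ["domain1.tld", "*.domain1.tld"]
SERVER_NAMES = ["mail.domain1.tld", "domain1.tld",
                "mail.domain2.tld", "a.b.domain1.tld"]

if __name__ == "__main__":
    print("uncovered with one wildcard:", uncovered_hosts(SERVER_NAMES, SANS))
    # A SAN wildcard certificate (-d *.domain1.tld -d *.domain2.tld) fixes the
    # second domain; the two-level hostname still needs its own SAN entry.
    print("uncovered with both wildcards:",
          uncovered_hosts(SERVER_NAMES, SANS + ["*.domain2.tld"]))
```

Run it as a script to see which hostnames fall outside the certificate; the second line shows that adding the second wildcard with another -d resolves mail.domain2.tld, while a hostname with two labels below the domain is never covered by a single-level wildcard and needs its own SAN.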

          mwilliams

          yeah we are on the same page with SAN / wildcard certs

          I thought I missed something like
          login with WebIF was enabled for each domain on the setup per default ..

          the more I think about it the more I start to like the idea 😉
          but then I indeed need a change of color on the login page for each domain 😉
          for starters

          • orange
          • pink
          • blue
          • blonde
          • brown
          • white

          LE ACME and haProxy in front of grommunio will do the trick for the mini setups 😉

          let's go to work

            mwilliams
            Thanks for your answer :-)
            I was able to adjust the certificate with the way you pointed out, but unfortunately this had no effect (reboot was performed).

              noplan
              That's right. I would like the users to be able to use the WebIF according to their domain

              2 months later

              noplan Can you share your haproxy configs? Seems like you are doing something we are looking at.

              This should be the gist ... Just wrote it, not tested.

              haproxy-snippet

              frontend https
              ...
              # route on the Host header: hostname begins with the given prefix
              acl acl_backend1 hdr_beg(host) -i domain1.
              acl acl_backend2 hdr_beg(host) -i domain2.
              # use_backend takes the ACL name directly after "if"
              use_backend grommunio_domain1 if acl_backend1
              use_backend grommunio_domain2 if acl_backend2
              ...
              
              backend grommunio_domain1
              ...
              # "comment" is the server name; "verify none" skips verification of the backend's certificate
              server comment internalhostname1:443 ssl verify none
              
              backend grommunio_domain2
              ...
              server comment internalhostname2:443 ssl verify none

              Uwe

              More detailed:

              certbot certonly -n --standalone --agree-tos \
              --preferred-challenges http \
              --cert-name="<domain1>" \
              -d "<domain1>" \
              -d "<domain2>" \
              -d "<domain3>" \
              -d "<domain4>" \
              -d "<domain5>" \
              -m "me@domain1.com" \
              --pre-hook "service nginx stop" --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook --post-hook "service nginx start"

              This way you get the nifty 'put-the-certificate-in-place' logic included. Has been used numerous times in production.
