Let's Encrypt server certificate & recent update (6.7.4 build 1760)

The changelog says:

[New] Ability to specify a domain when creating service level Let’s Encrypt certificates in NodeWorx
Domain must resolve to the server, and must not be a SiteWorx account

If we’re currently using a SiteWorx account for the server’s hostname in order to validate a server certificate, does this update mean we can now remove the hostname’s SiteWorx account, point its FQDN to /var/www/html/ as we used to do, and LE will validate the server certificate using DNS as it used to do?

Hi Sysnop

Good catch, and I am sorry, I am not sure myself.

There is one thing which comes to mind though, if true, and that is that to have it as described, you cannot have a SiteWorx account with the same FQDN. So what do you do for emails for the FQDN, unless the plan is to have them as aliases? If so, to which domain?

Many thanks and stay safe

John

Thanks, John. I don’t need or want a SiteWorx account for the server’s hostname, it’s just there for LE to issue SSL. When I get a chance I’ll give the other method another try.

Hello–

With the update, you are able to generate a Let’s Encrypt cert directly for the hostname from the SSL page in NodeWorx. The hostname just has to be a domain that is real and resolves to the server. It can’t be a SiteWorx account, so you’ll want to delete that first.

I don’t believe there are any other steps or settings that would need to be made. Just:

- not a SiteWorx account
- live domain
- must resolve to server

Let me know if you have any other questions!

Thanks Jenna. I see more clearly how this works after a few dry runs.

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued, possibly with additional details.

If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 5,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate. Note: For performance and reliability reasons, it’s better to use fewer names per certificate whenever you can.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don’t anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

Renewal handling ignores the public key and extensions requested. A certificate issuance can be considered a renewal even if you are using a new key.
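The two limits described above, worked as an added Python example (not code from the thread or from Let's Encrypt): the public-suffix set, the fixed clock NOW, the helper at(), and the rule that each distinct name set counts once against the registered-domain limit are assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed, tiny stand-in for the Public Suffix List that Let's Encrypt uses;
# the real list (publicsuffix.org) is far larger and has wildcard rules, omitted here.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

PER_REGISTERED_DOMAIN = 50  # new certificates per registered domain, per week
DUPLICATE_LIMIT = 5         # certificates with an identical name set, per week
WINDOW = timedelta(days=7)
DOMAIN_ERROR = "too many certificates already issued"
DUPLICATE_ERROR = "too many certificates already issued for exact set of domains"
NOW = datetime(2020, 5, 4)  # fixed clock so the sample history is deterministic

def at(days_ago):
    """Issuance time `days_ago` days before NOW (for building sample history)."""
    return NOW - timedelta(days=days_ago)

def registered_domain(hostname):
    """Longest public suffix plus one label: new.blog.example.co.uk -> example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # i=1 tests the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])     # suffix not in our list: assume last two labels

def name_set_key(names):
    """Normalise a certificate's name set: capitalisation and ordering are ignored."""
    return tuple(sorted({n.lower().rstrip(".") for n in names}))

def check_request(names, issued, now=NOW):
    """Classify a request for `names` against both limits.

    issued: prior certificates as (issued_at: datetime, names: list[str]).
    A name set already issued in the window is a renewal and only the duplicate
    limit applies. Otherwise each registered domain covered needs room under
    PER_REGISTERED_DOMAIN; as an approximation each distinct name set seen in
    the window counts once (its later copies were exempt renewals).
    """
    recent = [name_set_key(n) for t, n in issued if now - t < WINDOW]
    key = name_set_key(names)
    duplicates = recent.count(key)
    if duplicates:
        ok = duplicates < DUPLICATE_LIMIT
        return {"kind": "renewal", "ok": ok, "count": duplicates,
                "error": None if ok else DUPLICATE_ERROR}
    for reg in {registered_domain(n) for n in key}:
        seen = {s for s in recent if any(registered_domain(m) == reg for m in s)}
        if len(seen) >= PER_REGISTERED_DOMAIN:
            return {"kind": "new", "ok": False, "count": len(seen), "error": DOMAIN_ERROR}
    return {"kind": "new", "ok": True, "count": 0, "error": None}
```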