SSL certificates for all domains

Hey all,

I am trying to wrap my head around a few things regarding SSL certificates and maybe some of you can share your ideas or expertise. And maybe I can kick off a discussion about the future plans for SSL.

First off, I have been using StartSSL in the past and was very happy with them and their business model, but since Eddy Nigg has sold StartCom and Mozilla and others have revoked the trust for new StartCom certs I have to look for alternatives. Any ideas? What are you using?

The beauty of StartCom was that you only paid for the validation, not for the certificate. So I could make as many certs as I liked (and I did). Since we secure our whole infrastructure with SSL and since we need certs for many services on each server, we needed wildcard certs anyway.

Now, looking for alternatives I had a closer look at Let’s Encrypt too. I don’t mind paying for certs but on the other hand I like some of the approaches Let’s Encrypt have taken. But they don’t offer wildcard certs. They say you should simply create a cert for each and every domain - which is cool and, as soon as everything is fully automated, is fine with me.

So if I want, I can create separate certs for all major services, like the panel, imap, pop, smtp and so on. But in the future we will have to secure other services too, like DNS for example. And also, are there any plans for implementing the service certs on Nodeworx via Let’s Encrypt too? And regarding the automation, is there an automated renewal in place right now (for Siteworx, where Let’s Encrypt is already implemented) or is it planned? I didn’t find anything about that here…

But all that doesn’t work the way we, or rather our clients, usually handle domains anyway. The average customer has a few domains in one account and those domains are either redirected or serveraliases. But for serveraliases I can’t install a certificate, or can I? But serveraliases are important in some cases, e.g. in WordPress multisite installations. The trend is to secure everything in the future and I am all for that. But with the current architecture this won’t be possible, right? Also, switching over to one IP per domain is neither practicable nor affordable, and the same goes for creating an account for each domain. So we will still have to have several domains in one account and we will still have to use SNI. How then could we ever secure all domains via SSL?

To give one real world example, a company has 3 different domains: company.com, company.fr and company.de. Since the website shouldn’t simply redirect to company.com but rather stay in the respective visitor’s language and domain, we would need to have a certificate for each domain, but the website should be in one account; it actually would be one website in 3 languages and some domain mapping. How can we do that? This problem is not linked to Let’s Encrypt though, it is a general problem I am seeing when thinking about how to handle SSL in the future. And let’s not forget http2 and TLS being made mandatory by most browsers.

Forgive my ramblings, but it helps me to think, if I write it all down and there are indeed a few questions in here too :wink:

TL;DR

1. What CA are you using? Any recommendations for a StartCom replacement?
2. Are you using wildcard certs for the server services, do you have separate certs for each or are you running all services over the same domain?
3. Are Let’s Encrypt certs automatically renewed in Siteworx? Or do we have to renew them manually?
4. @iworx Is there a plan to implement server/service certs via Let’s Encrypt too?
5. Is there a way to install certs for serveralias domains?
6. What are your plans regarding making https standard?
7. @iworx Are there any plans to change the current handling of SSL certs and make them per domain and not per account (if possible at all)?
8. @iworx And what are InterWorx’s plans regarding http2?

Forgot one more important factor: Google ranks sites with https higher, so SSL is de facto becoming a must for all domains.
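A quick way to see which hostnames a wildcard or multi-domain cert actually covers, and which aliases in an account still need their own cert. This is an added example, not code from the original post or from InterWorx; the SAN list and hostnames are constructed for the company.com / company.fr / company.de case above, and matching follows the usual browser rules (a wildcard only stands for one whole left-most label).

```python
"""Check which hostnames a certificate's Subject Alternative Names cover."""
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN entry (exact name or *.example.com) covers hostname.

    Rules as browsers apply them: case-insensitive, a wildcard is only
    honoured as the entire left-most label, it matches exactly one label
    ("*.company.com" covers "imap.company.com" but neither "company.com"
    nor "a.b.company.com"), and "*.com" style patterns are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] == "*":
        if len(p_labels) < 3:          # refuse "*.com" / "*"
            return False
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    if "*" in pattern:                  # no partial wildcards like "w*.x.com"
        return False
    return p_labels == h_labels


def coverage(san_names: list[str], hostnames: list[str]) -> dict[str, str | None]:
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {h: next((s for s in san_names if hostname_matches(s, h)), None)
            for h in hostnames}


def uncovered(san_names: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames (e.g. serveraliases) that would need another cert."""
    return [h for h, s in coverage(san_names, hostnames).items() if s is None]


# Constructed sample: one wildcard server cert plus the three language
# domains from the thread, checked against names one account might serve.
SAN = ["*.company.com", "company.com", "company.fr", "company.de"]
HOSTS = ["company.com", "www.company.com", "imap.company.com",
         "www.company.fr", "shop.company.de", "a.b.company.com", "COMPANY.DE"]

if __name__ == "__main__":
    for host, san in coverage(SAN, HOSTS).items():
        print(f"{host:20} -> {san or 'NOT COVERED'}")
```

Note that www.company.fr is not covered even though company.fr is: each alias name has to appear in some certificate's SAN list, which is exactly the gap for serveraliases the thread is asking about.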

Hi Michael

I hope you’re well, and good questions.

These are my thoughts. SSL can only be assigned to domains, not accounts; usually 1 domain holds 1 SSL, but you can get SSL which have multiple domains assigned to them. However, the issue with this type of SSL is you have to register every domain, and revoke and renew every time a domain is removed or added, I believe.

1. What CA are you using? Any recommendations for a StartCom replacement?
I use paid wildcard SSL for the server; however, for normal domains, LE is fine.

2. Are you using wildcard certs for the server services, do you have separate certs for each or are you running all services over the same domain?
See above, 1 domain wildcard SSL, but everyone is different.

3. Are Let’s Encrypt certs automatically renewed in Siteworx? Or do we have to renew them manually?
LE auto renews upon expiry. Please remember though, to use LE, the domain A record must point to your server and the website must be hosted on your server. If either of these change, the LE SSL will not renew or be able to be installed.

4. @iworx Is there a plan to implement server/service certs via Let’s Encrypt too?
I am not sure, but do not think an answer would be forthcoming on the forums; it may be part of the roadmap. However, see above: for me, a paid wildcard SSL is better for our needs here, and can last up to 3 years, not 3 months for LE (please remember, when an SSL cert is renewed, any device which uses it may kick a notice up to the user; thinking more of email services for mobiles etc…).

5. Is there a way to install certs for serveralias domains?
Not sure, sorry - good question.

6. What are your plans regarding making https standard?
This could be automated, but I think it better for the moment to leave it as a choice for the Siteworx user to decide.

7. @iworx Are there any plans to change the current handling of SSL certs and make them per domain and not per account (if possible at all)?
LE SSL are per domain and cannot be per account :slight_smile:

8. @iworx And what are InterWorx’s plans regarding http2?
If you’re using CentOS 7 with Apache 2.4, you have http2 already :slight_smile:

Yes, Google changed to rank https higher, but I think it will take a long time to make every website https compliant; even WHMCS struggled with https/http mismatch pages, but it’s getting there I think.

Also to note, Cloudflare changed to allow https on free accounts I believe, but could be wrong.

Lastly, IW LE lets you choose the subdomains to cover for SSL, i.e. www, ftp, mysubdomain etc… It used to show DNS, as in ns1 and ns2, but I mentioned this and it has since been removed, but could easily be added back I believe.

I hope that helps a little, but would be interested to see other users’ views.

Many thanks
John

Hi John,

1. May I ask which CA? You don’t have to answer, I am just looking at what others are using. Anyone else’s input is welcome too.
2. I agree that using a paid wildcard cert for the server services is better, mostly since it can be OV too.
3. Great, that means the LE implementation in IW is perfect.
4. I understand, and I tend to do 2. anyway :wink:
5. Anybody else?
6: I am generally thinking whether it might make sense to offer SSL for all domains included (via Let’s Encrypt obviously), because most customers don’t know much about https anyway, but making it standard could be a nice USP and could help to make them understand it better.
6. I am sorry about being unclear here - it also wasn’t that clear in my mind yet :wink: There is one way to have SSL per domain, that is if the domain is set up as a secondary domain. But that is not feasible in some cases, as in my example with a few domains for several languages on one website.
So the real question is, how can we solve that dilemma, especially since https might become mandatory in the foreseeable future? Serveralias and a pointer domain as 301 redirect are two important mechanisms for handling multiple domains in one account. Redirects are useful for pointing to the main domain or correcting spelling mistakes (e.g. gogle.com points to googel.com). Since the browser is in fact redirected, it ends up on the main domain or a secondary domain with an SSL cert attached to it. But I think it would be possible to need an SSL cert for other services on that domain (but haven’t thought this fully through yet).
Serveraliases are important for domain mapping and WordPress multisites, for example. But for both pointer domain types there is no mechanism to install SSL certs, at least not via Siteworx. Can anybody else think of some way to have SSL certs for those pointer domains?

Everybody, any input on the topic is welcome. What are your plans regarding going full https, are you using LE, do you rely on one or more CAs and which are those, and so on.

Hi Michael

Many thanks

Sorry, I missed that. I use Comodo from Reseller Club through WHMCS. It’s a wildcard SSL.

I hope that helps, and I think there will be differing CAs used by users, probably based on price at the time of purchase/renewal.

Many thanks

John