Improve "Certificate for subdomains excluding apex domain" section
* Remove "I want a" from title :)
* The ACME servers is unspecific.
* `pki_acme` is unrelated to this section.
* Comments after YAML variables might cause problems in certain YAML
  modes and should thus be avoided.
* Use the more specific term "apex domain" as already suggested by
  @drybjed in: debops#82 (comment)

Related to: debops#82
Wanted confirmation from: @ser, @drybjed
ypid committed Sep 6, 2016
1 parent 2af3fd1 commit 1a2c686
Showing 1 changed file with 14 additions and 13 deletions.
27 changes: 14 additions & 13 deletions docs/acme-integration.rst
Expand Up @@ -155,31 +155,32 @@ configuration active, it will check for validity of the signed certificate, and
about a month before the expiration date it will try to renew the certificate
automatically.

I want a certificate for subdomains but domain
----------------------------------------------
Certificate for subdomains excluding apex domain
------------------------------------------------

Yes, it's possible :-) Please consult the example and create your own similar
configuration. In the example we create a certificate for ``logs.example.com``
and ``mon.example.com`` subdoimains, without creating cert for ``example.com``
domain itself. Please notice that PKI realm does not contain your full domain
name, it's crucial.
configuration. In the example we create a certificate for the ``logs.example.com``
and ``mon.example.com`` subdomains, which does not include the ``example.com``
apex domain. Please notice that the PKI realm does not contain your full domain
name. This is crucial.

drybjed Sep 6, 2016

I think that the realm can be named after one of the included domains (not the apex, but a subdomain), then nginx should be able to pick out the correct realm based on that domain. But I'm not sure if the script correctly filters out duplicates in the generated requests - I believe so.

ypid Sep 6, 2016

I agree. @ser, can you test this?


.. code-block:: yaml
pki_acme: True
pki_realms:
- name: 'example' # do not include full domain name here!
# Do not include the full domain name here!
- name: 'example'
acme: True
acme_default_subdomains: []
acme_subject: [ 'cn=logs.example.com' ]
acme_domains: [ 'logs.example.com', 'mon.example.com' ]
domains: [ 'logs.example.com', 'mon.example.com' ]
#acme_ca: 'le-staging'
# acme_ca: 'le-staging'
For testing it's strongly advised to uncomment ``acme_ca`` with ``le-staging`` to
use testing ACME servers. It does not create a real cert, but allows you to avoid
problems with usual ACME servers rate limits. When you are sure that everything works
correctly, comment the staging environment back.
For testing it's strongly advised to uncomment ``acme_ca`` with ``le-staging``
to use the staging environment of Let's Encrypt. It does not create a trusted
certificate and allows you to avoid problems with the rate limits in the
production environment. When you are sure that everything works correctly,
comment the staging environment back.

ACME configuration variables
----------------------------
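Review bot: the closing sentence of the new paragraph, "comment the staging environment back", is ambiguous about which direction the change goes; suggest "comment the ``acme_ca: 'le-staging'`` line out again so the production CA is used, then re-run the role to obtain a trusted certificate", which also makes explicit that the staging certificate must be replaced before the hosts go live. The new text still asserts that the realm must not contain the full domain name without saying why; the comment on this hunk (that the realm can be named after one of the included subdomains so nginx can select the correct realm, and that duplicate names in the generated requests may or may not be filtered) is the missing rationale and belongs in the docs, stated as a rule once it has been confirmed.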

0 comments on commit 1a2c686
