Letsencrypt DNS challenge CN and SANs on renewal certificate

News and views, and should we control them?

Moderator: embleton

embleton
Site Admin
Posts: 771
Joined: Sat Aug 02, 2014 2:40 pm
Location: Plymouth

Letsencrypt DNS challenge CN and SANs on renewal certificate

Post by embleton » Sat Jul 14, 2018 1:35 pm

I have SSL certificates that have been issued for a CN and SAN that have the CN and SAN domain names reversed. The CN=embleton.me.uk and SAN=embleton.me.uk & mental.me.uk, which is unique on each IPv6 address, but the SAN points to another host on an IPv6 address.

The mirror is on CN=mental.me.uk and SAN=mental.me.uk & embleton.me.uk. The acme are on the same path, and the certificates too, on each unique website server machine that is in a MySQL mirror. The servers are in a MySQL master-to-master replication for a database that is used the same for both servers. It is a phpBB that is live mirrored.

Only 1 of these servers has an IPv4 address, for I only have one of those behind a NATed connection, and this can be switched around for bringing in a replacement during maintenance on the mirror, which has certificates which must be mirrored, but the CN name is different on each certificate Apache website server. The OS is Ubuntu for both servers.

It would be a pain to alter the DNS records when certificates need renewal, but during the setup process this was done. And it would be a pain having to copy certificates between servers; I'd like the process to be automated when renewal comes around. This may not be an issue, but maybe, for it was first when set up initially.

Am I going to run into an issue when automatic certificate renewal occurs on each server?


Re: Letsencrypt DNS challenge CN and SANs on renewal

Post by embleton » Sat Jul 14, 2018 7:48 pm

It would seem that the letsencrypt community doesn't understand the issue, for it will now need to wait until embleton.me.uk needs a renewal to see if it breaks certbot, and the renewal of the certificate with both DNS names but different common names. Whether it has 2 certificates issued today doesn't matter, for 1 has been restored on embleton.me.uk to an earlier date. 53 days for the embleton.me.uk common name to expire and 89 days for the mental.me.uk common name to expire on IPv6.

The helper on the community was more interested in the fact that 2 certificates were issued today rather than answering the question so asked, bloody idiot! I'd rather talk to a computer smart speaker than a human idiot, and I wish I'd not asked the question and had just waited for certbot to do the job for an answer. I'm not going to manually copy a certificate and private key to a mirror unless absolutely necessary, for an automated system is more useful and may actually work if the current certificate is the authorisation. And I don't like the idea of copying a private key around, because that is a silly idea over symmetrical encryption with ssh. :o

And, by the way, the common name cannot be reported differently across the web; it's encrypted in the certificate for those on my websites on IPv6.
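The question in the first post (two certificates with the same pair of DNS names but a different CN on each mirror) and the remark about the common name in the second post both come down to how TLS clients check a hostname against a certificate. Under RFC 6125, which browsers and Python's ssl module follow, the commonName is ignored whenever a subjectAltName extension with DNS entries is present; only the SANs are matched, and a wildcard is honoured only as the whole leftmost label. The script below is an added example, not code from the thread or from certbot: it implements that matching rule over certificate dicts constructed to mirror the shape Python's ssl.SSLSocket.getpeercert() returns for the two certificates described (names taken from the post; the dict contents are constructed, not real certificate data), and reports whether each mirror's certificate covers each hostname regardless of which name is the CN.

```python
"""Hostname-to-certificate matching in the RFC 6125 style (added example).

The certificate dicts are constructed to mirror the shape
ssl.SSLSocket.getpeercert() returns; they are not real certificate data.
"""

# Constructed sample: certificate held by the server whose CN is embleton.me.uk.
CERT_ON_EMBLETON = {
    "subject": ((("commonName", "embleton.me.uk"),),),
    "subjectAltName": (("DNS", "embleton.me.uk"), ("DNS", "mental.me.uk")),
}
# Constructed sample: the mirror's certificate, same SANs, CN reversed.
CERT_ON_MENTAL = {
    "subject": ((("commonName", "mental.me.uk"),),),
    "subjectAltName": (("DNS", "mental.me.uk"), ("DNS", "embleton.me.uk")),
}
# Constructed legacy certificate with no SAN extension: CN is the only fallback.
CERT_CN_ONLY = {
    "subject": ((("commonName", "legacy.example"),),),
}


def dns_names(cert):
    """Return the DNS-type subjectAltName entries of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _identifier_matches(pattern, hostname):
    """Match one presented identifier against a hostname (case-insensitive).

    A wildcard is accepted only as the complete leftmost label ('*.example.org')
    and matches exactly one label, so '*' never spans a dot and never matches
    the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.org"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_matches_hostname(cert, hostname):
    """True if the certificate is valid for hostname.

    When any DNS SAN is present only the SANs are consulted and the CN is
    ignored; the CN is used only for legacy certificates without a SAN.
    """
    names = dns_names(cert)
    if names:
        return any(_identifier_matches(n, hostname) for n in names)
    cn = common_name(cert)
    return cn is not None and _identifier_matches(cn, hostname)


def coverage_report(certs, hostnames):
    """Map (certificate label, hostname) -> bool, for auditing a mirror pair."""
    return {
        (label, host): cert_matches_hostname(cert, host)
        for label, cert in certs.items()
        for host in hostnames
    }


if __name__ == "__main__":
    certs = {"embleton-server": CERT_ON_EMBLETON, "mental-server": CERT_ON_MENTAL}
    report = coverage_report(certs, ["embleton.me.uk", "mental.me.uk"])
    for (label, host), ok in report.items():
        cn = common_name(certs[label])
        print(f"{label:16} (CN={cn:16}) serving {host:16} -> {'OK' if ok else 'MISMATCH'}")
```

Run against a live server, the same check can be fed with the dict returned by `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` after a connection to each mirror, which is a quick way to confirm that whichever certificate a mirror ends up serving still lists both names in its SAN.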
