Allow subject alt names for letsencrypt certs

Pixelated uses mail.DOMAIN as its URL. We would like to issue letsencrypt certs for this domain as well. Currently the pixelated user-agent shares the one cert with the webapp and therefore would need an additional subject alt name mail.DOMAIN in the cert.

I see these options:

  • Make leap_cli support SANs for the one cert
  • Use a second cert for mail.DOMAIN (introduces a second expiry date, more hassle for the admin)
  • Serve pixelated under DOMAIN/mail, i.e. using apache mod_proxy (I tried and it isn't straightforward, unfortunately).

From what I saw, the whole acme integration is based on the main domain, i.e. from lib/leap_cli/commands/ca.rb:

acme = Acme.new(domain: domain, key: account_key)

which would need some work to integrate SANs.

(from redmine: created on 2016-10-06, blocks #3924)
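
What a single certificate request covering both DOMAIN and mail.DOMAIN looks like with Ruby's standard OpenSSL bindings, together with a check that every hostname the server will answer on is actually listed. This is an added example, not leap_cli's code; example.org and the helper names build_san_csr, csr_san_names and missing_names are hypothetical.

```ruby
require "openssl"

# Build a CSR for `domain` whose subjectAltName also lists `extra_names`.
# Hypothetical helper for illustration; not part of leap_cli.
def build_san_csr(key, domain, extra_names = [])
  names = ([domain] + extra_names).uniq
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", domain, OpenSSL::ASN1::UTF8STRING]])
  csr.public_key = key.public_key
  san = OpenSSL::X509::ExtensionFactory.new.create_extension(
    "subjectAltName", names.map { |n| "DNS:#{n}" }.join(","), false
  )
  # Extensions travel inside a CSR as an extensionRequest attribute.
  ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([san])])
  csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", ext_req))
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  csr
end

# Return the DNS names listed in the CSR's subjectAltName (empty if none).
def csr_san_names(csr)
  attr = csr.attributes.find { |a| a.oid == "extReq" }
  return [] unless attr
  exts = attr.value.value.flat_map(&:value)
  exts.map { |e| OpenSSL::X509::Extension.new(e.to_der) }
      .select { |e| e.oid == "subjectAltName" }
      .flat_map { |e| e.value.split(",").map(&:strip) }
      .select { |n| n.start_with?("DNS:") }
      .map { |n| n.delete_prefix("DNS:") }
end

# Hostnames the services need that the CSR does not cover.
def missing_names(csr, required)
  required - csr_san_names(csr)
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway key, constructed for the demo
  csr = build_san_csr(key, "example.org", ["mail.example.org"])
  puts csr_san_names(csr).inspect
  puts missing_names(csr, ["example.org", "mail.example.org"]).inspect
end
```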