New system for handling externally endorsed certificates
Currently, the platform only has the concept of a single externally endorsed certificate, or "commercial" certificate.
This is a problem, because in reality the model for the platform is that there is a many-to-many mapping between nodes and domains: each node can have any number of domains, and each domain can be applied to any number of nodes.
One bad solution is to try to pack every possible domain needed by every node into a single certificate, loading up the subjectAltName. This is not good, because it makes renewing these certificates tricky: you must have a single IP address that all of those domains resolve to, and that might totally screw up how you have your infrastructure designed.
The good solution is this: instead of a single commercial certificate, the platform must support separate commercial certificates, each renewed and deployed independently.
What needs to change:

- the platform must not have a single path for commercial certs/keys, e.g. /etc/x509/keys/leap_commercial.key.
- on the provider directory, each domain should have a separate file in files/cert/DOMAIN.[crt|key].
- when deployed, each commercial certificate gets its own file on the server in /etc/x509/[keys|certs]/DOMAIN.[key|crt].
- leap_cli should be modified to automatically try to renew all the certs in files/cert that have been previously created by LE.
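As an added example (not code from leap_cli or the platform), a Ruby sketch of the renewal selection the last bullet asks for: it walks files/cert/*.crt in a provider directory, keeps only the certificates whose issuer is Let's Encrypt (assumed here to be how "created by LE" is detected), reports those close to expiry, and maps each domain to the per-domain server paths. The 30-day window, the issuer check and the fixture writer are assumptions made for this example.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Renew when fewer than 30 days remain (an assumption, not a leap_cli setting).
RENEW_WINDOW = 30 * 24 * 3600

# Assumption: a cert "previously created by LE" is recognised by O=Let's Encrypt
# in its issuer DN; commercially issued or self-signed certs are left alone.
def issued_by_le?(cert)
  cert.issuer.to_a.any? { |name, value, _| name == 'O' && value == "Let's Encrypt" }
end

# Return [[domain, not_after], ...] for each LE-issued files/cert/DOMAIN.crt under
# provider_dir that expires within RENEW_WINDOW seconds of `now`.
def certs_to_renew(provider_dir, now = Time.now)
  pattern = File.join(provider_dir, 'files', 'cert', '*.crt')
  Dir.glob(pattern).sort.each_with_object([]) do |path, due|
    cert = OpenSSL::X509::Certificate.new(File.read(path))
    next unless issued_by_le?(cert)
    next unless cert.not_after - now < RENEW_WINDOW
    due << [File.basename(path, '.crt'), cert.not_after]
  end
end

# Where one domain's key/cert pair lands on the node, per the layout proposed above.
def deploy_paths(domain)
  { crt: "/etc/x509/certs/#{domain}.crt", key: "/etc/x509/keys/#{domain}.key" }
end

# Constructed fixture: a self-signed cert whose issuer DN we control, written to
# files/cert/DOMAIN.{crt,key}. Only for exercising the functions above offline.
def write_fixture(provider_dir, domain, issuer_org, not_after)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', domain]])
  cert.issuer     = OpenSSL::X509::Name.new([['O', issuer_org], ['CN', 'fixture']])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  dir = File.join(provider_dir, 'files', 'cert')
  FileUtils.mkdir_p(dir)
  File.write(File.join(dir, "#{domain}.crt"), cert.to_pem)
  File.write(File.join(dir, "#{domain}.key"), key.to_pem)
end
```

A real implementation would also want to skip domains whose key file is missing and to log the issuer and expiry it saw for each skipped cert, so that a renewal silently not happening is visible.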
(from redmine: created on 2016-12-13)