
On our server (Apache/Ubuntu18) we have a web app running which is a multi-tenant web app. So for every new client there will be a new tenant setup and it will create a new subdomain. So:

Webapp/Vhost: domain.com

ClientA: A.domain.com (But want to access the app through their own company url. So A.nike.com)

ClientB: B.domain.com (But want to access the app through their own company url. So A.adidas.com)

Etc etc.

Because they want to use their own company URL, we set up a wildcard SSL certificate for our web app, and every time a company needs to be added to this list we need to run Certbot to add and verify the domain on the list. But this is really a pain, because like this we need to ask clients to add TXT records every time we need to renew the certificate.

Would it be possible to separately create SSL certificates for each company URL, and configure the app/vhost to handle these certificates? So no wildcard SSL anymore, but an SSL certificate for each company?

DennisKr

1 Answer


In any case, they need to point their A.nike.com and A.adidas.com to your server to be able to use their own domain name. So both HTTP-01 and ALPN-01 challenges are available for checking these names.

The problem is, you want to use a wildcard certificate and it requires a DNS-01 challenge. It is impossible to specify more than one certificate (of the same algorithm) in a single virtualhost.

To overcome this, you may manage your wildcard virtualhost as you did and use DNS-01 challenge for its certificate. Don't add any external hostnames into that virtualhost.

Then, create one additional virtualhost with the same settings, but for all external hostnames (the ones like A.nike.com). It will use another certificate, which you will maintain using HTTP-01 or ALPN-01 challenges, which is sufficient, because there are no wildcards in its certificate, and their DNS already points to your server.

Nikita Kipriyanov
  • First of all I do want to thank you for your answer. So what you are saying is to keep the original vhost but have a wildcard SSL setup for that one (only *.domain.com) and then for the other domains, I should set up an additional virtualhost? I am really a server noob in this area so if I may ask, how would I do this? I should create another config file somewhere, point it to the same documentroot as the first one and then enable it? – DennisKr Jun 22 '22 at 20:24
  • This depends on how exactly your configuration is laid out. In most cases, virtualhost definitions go somewhere like `vhosts.d` or `sites-enabled`, so you can just copy that file and change some parts of it. And yes, you point it to the same document root, add the same aliases and other features. Only server names and certificates should be different. If you are concerned about duplication (like me), extract all common parts into some file and include it into both virtual hosts; on some systems a default virtualhost is laid out like this, so you probably can use it as the example. – Nikita Kipriyanov Jun 23 '22 at 04:46
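The layout the answer and the last comment describe, written out as an added Apache configuration example (not configuration from the question or the answer). It assumes Ubuntu's `/etc/apache2` tree, a shared document root `/var/www/tenantapp/public`, an ACME webroot `/var/www/acme`, Let's Encrypt's default `/etc/letsencrypt/live/...` paths, and the hostnames used on this page; all of these are placeholders. The common settings live in one file that both HTTPS virtualhosts `Include`, so only `ServerName`/`ServerAlias` and the two certificate lines differ between them, and the plain-HTTP virtualhost keeps `/.well-known/acme-challenge/` reachable so HTTP-01 renewals work for the non-wildcard certificate.

```apache
# ---- /etc/apache2/tenant-app-common.inc  (assumed path; Include is relative to ServerRoot)
# Everything both HTTPS virtualhosts share. Nothing host-specific goes in here.
DocumentRoot /var/www/tenantapp/public
<Directory /var/www/tenantapp/public>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
SSLEngine on
# mod_headers: tell browsers to stay on HTTPS for a year
Header always set Strict-Transport-Security "max-age=31536000"
ErrorLog  ${APACHE_LOG_DIR}/tenantapp-error.log
CustomLog ${APACHE_LOG_DIR}/tenantapp-access.log combined

# ---- /etc/apache2/sites-available/tenant-app.conf  (assumed path; enable with a2ensite)
# Needs: a2enmod ssl rewrite headers

# Port 80: answer ACME HTTP-01 challenges for every name, redirect all else to HTTPS.
<VirtualHost *:80>
    ServerName  domain.com
    ServerAlias *.domain.com A.nike.com A.adidas.com
    DocumentRoot /var/www/tenantapp/public

    # certbot --webroot -w /var/www/acme writes its challenge tokens here
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect everything except the challenge path (mod_rewrite)
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Virtualhost 1: our own domain and the tenant subdomains.
# Certificate: wildcard, obtained and renewed with DNS-01 (TXT records on domain.com
# only, which we control). No customer hostnames in here.
<VirtualHost *:443>
    ServerName  domain.com
    ServerAlias *.domain.com
    Include tenant-app-common.inc
    SSLCertificateFile    /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>

# Virtualhost 2: the customers' own hostnames, same app, different certificate.
# Certificate: one multi-SAN cert listing every customer hostname, renewed with
# HTTP-01 over the port-80 virtualhost above. No wildcard, so renewals never need
# the customers to touch their DNS again once their A/CNAME record points at us.
<VirtualHost *:443>
    ServerName  A.nike.com
    ServerAlias A.adidas.com
    Include tenant-app-common.inc
    SSLCertificateFile    /etc/letsencrypt/live/A.nike.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/A.nike.com/privkey.pem
</VirtualHost>
```

Apache picks the virtualhost, and therefore the certificate, from the TLS SNI name the client sends, so a request for `A.nike.com` is served by the second block with the non-wildcard certificate, while `*.domain.com` requests land on the first block. The certificate for the second block is issued with the webroot plugin (`certbot certonly --webroot -w /var/www/acme -d A.nike.com -d A.adidas.com`); onboarding a new customer then means adding their hostname to `ServerAlias` in both the `:80` and the second `:443` block, re-running certbot with `--cert-name A.nike.com --expand` and the full list of `-d` names, and reloading Apache. Two caveats worth checking before adopting this: the first `:443` virtualhost in the configuration is also the default served to clients without SNI, so keep the one you want as the fallback first; and a single Let's Encrypt certificate is limited to 100 SAN names, so a large tenant list eventually needs to be split across several virtualhost/certificate pairs in the same way.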