
I'm using Let's Encrypt for my Google App Engine site, so I'm generating certificates only, and while it's working, the process for verifying multiple domains seems clunky. I presume I'm doing something wrong, maybe I'm missing an optional argument? I'm following this guide, and starting as:

sudo ./letsencrypt-auto -a manual certonly

In the GUI I enter two domains

mydomain.com www.mydomain.com

The process from there, as far as I can tell, is:

  1. GUI prompts me to agree to something
  2. The command line shows me the challenge request and response for mydomain.com
  3. I deploy the challenge response code to my site
  4. I hit Enter
  5. A challenge request is made to mydomain.com (I can see from my logs)
  6. The GUI again prompts me to agree to something
  7. The command line shows me the challenge request and response for www.mydomain.com
  8. I deploy the challenge response code to my site
  9. I hit Enter
  10. A challenge request is made to www.mydomain.com (I can see from my logs)

Then my certificates are made, and everything works. But I had to deploy twice, at step 3 and step 8. In my case www.mydomain.com and mydomain.com are served by exactly the same request handlers, so I'd much rather be told the challenge request/response text for both domains at step 2, so I can add both request/responses to my code at once, and then deploy once. This problem (and variants of it) get worse with a greater number of domains.

Is there a way to get LetsEncrypt to give all the challenge text at once? If not, I'll file this as a feature request, but right now I'm assuming I've just missed something.

thanks

tom
  • You've intentionally eschewed the automated and semi-automated ways of doing this, and gone with the laborious manual process, despite all the warnings. Now you know why you were warned against it. Do you have a good reason for doing this the laborious manual way? – Michael Hampton Mar 10 '16 at 23:36
  • "Don’t press enter until you create a handler for each request." so you ignored the instructions. – user5870571 Mar 10 '16 at 23:48
  • @MichaelHampton :) My site is hosted on google app engine, and as far as I know, this is the only way to do it on GAE (based on the research I've done, and the article linked to in the first paragraph). But if there is an easier way to do it then I'd love to know! – tom Mar 10 '16 at 23:49
  • Hm. That would have been a useful thing to mention in your original question. It probably makes a big difference. – Michael Hampton Mar 10 '16 at 23:51
  • @user5870571 I did not ignore the instructions - what I'm saying is that it does not show me the challenge text for the second domain until after I've completed all the steps for the first domain. Or if it is showing it, I can't see it. Is there a way to not use the GUI, and just do everything at the command line? Seems that the GUI may be getting in the way? – tom Mar 10 '16 at 23:51
  • @MichaelHampton good point. I added that detail. It's mentioned in the link I posted, but that was too obscure for sure. – tom Mar 10 '16 at 23:53
  • Apologies, I misunderstood what you were asking. To address what you are trying to do take a look at http://igorartamonov.com/2015/12/lets-encrypt-ssl-google-appengine/. It seems that GAE does not have an automated process to do this currently. There is even an open feature request to automate the certificate generation process for GAE at https://code.google.com/p/googleappengine/issues/detail?id=12535. – user5870571 Mar 10 '16 at 23:59
  • @user5870571 Accepted! Thanks for that link, but I already have it working just fine, it's just that the process is clunky for *multiple domains*, which is something that the link you supplied does not actually deal with. This question is purely about the clunkiness of multiple domain authentication. – tom Mar 11 '16 at 00:05

2 Answers


Then my certificates are made, and everything works. But I had to deploy twice, at step 3 and step 8. In my case www.mydomain.com and mydomain.com are served by exactly the same request handlers, so I'd much rather be told the challenge request/response text for both domains at step 2, so I can add both request/responses to my code at once, and then deploy once. This problem (and variants of it) get worse with a greater number of domains.

This is how Let's Encrypt is designed to work. Let's Encrypt certificates are SAN certificates, hence you can bundle several hostnames in a single certificate. Hostnames can belong to the same domain, or completely different domains.

Regardless of their correlation, Let's Encrypt's validation mechanism requires you to create an authorization (and then validate it with one of the corresponding challenges) for each single hostname in the system.

Since the process is designed to be fully automated, this is generally not an issue. However, in your case you are handling the process manually (which is the opposite direction to the one suggested by LE), hence the process can be very verbose and annoying.

Is there a way to get LetsEncrypt to give all the challenge text at once? If not, I'll file this as a feature request, but right now I'm assuming I've just missed something.

Not that I know of.

My site is hosted on google app engine, and far as I know, this is the only way to do it on GAE (based on the research I've done, and the article linked to in the first paragraph). But if there is an easier way to do it then I'd love to know!

One possible alternative is to use the DNS based validation. The official LE client doesn't support it yet, however there are several third party clients you can use.

One of my favourites is the Go client LEGO. Lego has built-in support for DNS providers. It means you can request a certificate via Lego, and easily use Lego to create the DNS records required for the validation process without doing it manually.

This is a good alternative in your case, because it works very well with your Google App Engine (assuming your current DNS provider supports API-based DNS record changes).

Simone Carletti
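As an added illustration (not part of the answer above or the asker's setup) of why each hostname needs its own challenge response, and of what the DNS-based alternative publishes instead: the key authorization, the HTTP-01 body and the DNS-01 TXT value are derived per token and per account key as RFC 8555 specifies. The account JWK and the tokens below are constructed placeholders standing in for what a real ACME server and client would supply; the `lookup_http01` helper is hypothetical and only shows that one host-agnostic handler can serve every hostname's challenge from a single deploy.

```python
import base64
import hashlib
import json

# Constructed sample input: a fake account JWK and fake per-hostname tokens.
# In practice the ACME server issues one token per hostname authorization.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
CHALLENGES = {
    "mydomain.com": "tok-mydomain-constructed-0001",
    "www.mydomain.com": "tok-www-mydomain-constructed-0002",
}

def b64url(data):
    """Base64url without '=' padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required members, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token, thumbprint):
    """The 'response' the manual client prints: token, a dot, and the account key thumbprint."""
    return token + "." + thumbprint

def challenge_plan(account_jwk, challenges):
    """One authorization per hostname, so one HTTP-01 body and one DNS-01 TXT record each."""
    thumbprint = jwk_thumbprint(account_jwk)
    plan = {}
    for domain, token in challenges.items():
        keyauth = key_authorization(token, thumbprint)
        plan[domain] = {
            # HTTP-01: serve keyauth at this path on the hostname being validated.
            "http01_path": "/.well-known/acme-challenge/" + token,
            "http01_body": keyauth,
            # DNS-01: publish base64url(SHA-256(keyauth)) as a TXT record at this name.
            "dns01_name": "_acme-challenge." + domain,
            "dns01_txt": b64url(hashlib.sha256(keyauth.encode("ascii")).digest()),
        }
    return plan

def lookup_http01(plan, path):
    """Host-agnostic lookup: a single handler deployed once answers every hostname's challenge."""
    for entry in plan.values():
        if entry["http01_path"] == path:
            return entry["http01_body"]
    return None
```

Because every value is a function of the token the server hands out for that hostname, the responses cannot be known before each authorization is created, which is why a per-hostname client like the manual plugin reveals them one at a time.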

Use DNS validation.

I can create =hundreds= of certificates at a time this way, no problem at all.