Question about using multiple certificates with subdomains

[wknapik]

Hi @alecmuffett,

I need to buy a certificate (or multiple) for an onion site set up with eotk and I'm wondering about the best way to go about it.

The proxy is supposed to cover non-onion domains of the form

• foo.com
• bar.foo.com
• *.bar.foo.com

(but no subdomains other than bar)

I haven't checked yet, but I assume I could buy a single cert to cover all the above cases, or I could get two - one for foo.com and one for [*.]bar.foo.com.

I'm currently testing with just:

hardmap secrets.d/foo.key foo.com

and that works for all subdomains, at all levels (but I only care about the bar subdomain and what's below it). Reading the docs, it seems I should use:

hardmap secrets.d/foo.key foo.com bar

but that conflicts with "you will ignore all hostnames" (bar.foo.com is an address that should work, as well as baz.bar.foo.com).

I'd expect the above to work with one cert. What about multiple? I'm having trouble finding the answer in the docs. Is that supported?

Thanks!

[alecmuffett]

Hi there!

I would recommend researching how Certificates work, but you are shooting in the right direction.

The "dots" are fixed points, so you would need the certificate to cover three domains:

• fooequivalent.onion
• *.fooequivalent.onion OR bar.fooequivalent.onion; from what you say the latter sounds preferred.
• *.bar.fooequivalent.onion

...but (I apologise) I do not know if the HARICA process provides for Wildcard addresses on Onion subdomains, yet. I would be interested to learn how that goes.

You are correct to use hardmap secrets.d/foo.key foo.com bar - because the default "foo.com" rule for EOTK already matches *.foo.com and thus matches bar.foo.com; HOWEVER the only area where one has to become specific about this, is re: purchasing Certificates. :-)

It should (?) be possible to get HARICA to put all three into one cert, but I do not know and have never tried. I recommend contacting them, and please let me know how you get on.

Digicert would certainly be able to offer an EV cert for these three, but that would be expensive.

Hope this helps.

[wknapik]

Hi @alecmuffett,

Thanks a lot for getting back to me. My question was primarily about whether eotk can work with multiple certificates in one project.

I see two reasons to get multiple instead of one. One would be if Harica doesn't support all those domains on one cert for onion addresses (that doesn't seem too likely, but I haven't checked yet), the other is the case where over time you realize you need to support more domains that aren't already covered by a wildcard.

It seems probable that the latter will happen in my case, so I'm wondering if I'll be able to deal with that without replacing the cert I got in the first place. Would I be able to add more certs to the eotk project to cover the new subdomains?

I know with bare nginx that's no issue, but I'd rather not deal with the problem on that level. So is there an eotk-level answer to this?

Thanks!
WK

[maxpearl]

Harica does allow for certs that include:
foonumber1.onion
*.foonumber1.onion
*.bar.foonumber1.onion
*.baz.foonumber1.onion.

You can't however get:
*.foonumber1.onion
*.bar.foonumber1.onion
*.foonumber2.onion

Anyway, an EOTK level solution to a situation where there are multiple onion certificates for multiple domains as well as subdomains in one project would be welcome!