authorPaul Buetow <paul@buetow.org>2025-11-02 22:54:20 +0200
committerPaul Buetow <paul@buetow.org>2025-11-02 22:57:53 +0200
commitbe8fb140bc61e9a12f96f049c3f64bbb6471ee92 (patch)
tree45b6ab520ea0b79a60d70ce5d58fd026be2a3595
parent6060da46c86680eaf1d2a10c2af829b7dba12475 (diff)
use www.* as alt name in certs
-rw-r--r--frontends/etc/acme-client.conf.tpl14
-rw-r--r--frontends/etc/relayd.conf.tpl7
-rw-r--r--frontends/scripts/acme.sh.tpl8
3 files changed, 18 insertions, 11 deletions
diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl
index b52f5b0..6d0e2df 100644
--- a/frontends/etc/acme-client.conf.tpl
+++ b/frontends/etc/acme-client.conf.tpl
@@ -24,13 +24,17 @@ authority buypass-test {
}
<% for my $host (@$acme_hosts) { -%>
-<% for my $prefix ('', 'www.', 'standby.') { -%>
-domain <%= $prefix.$host %> {
- domain key "/etc/ssl/private/<%= $prefix.$host %>.key"
- domain full chain certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem"
+domain <%= $host %> {
+ alternative names { www.<%= $host %> }
+ domain key "/etc/ssl/private/<%= $host %>.key"
+ domain full chain certificate "/etc/ssl/<%= $host %>.fullchain.pem"
+ sign with letsencrypt
+}
+domain standby.<%= $host %> {
+ domain key "/etc/ssl/private/standby.<%= $host %>.key"
+ domain full chain certificate "/etc/ssl/standby.<%= $host %>.fullchain.pem"
sign with letsencrypt
}
-<% } -%>
<% } -%>
# For the server itself (e.g. TLS, or monitoring)
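Review bot: The www.<host> key and full-chain certificate that the removed prefix loop used to issue (`/etc/ssl/private/www.<%= $host %>.key`, `/etc/ssl/www.<%= $host %>.fullchain.pem`) are no longer issued or renewed after this hunk and the matching acme.sh.tpl hunk, but nothing in the commit removes the copies already on disk. Presumably that certificate stays valid until it expires, so the old private key remains material worth cleaning up (and, if it were ever suspected compromised, the certificate revoked), since it still covers www.<host>; the deployment steps are not visible here, so treat this as a point to confirm. The new standby block also repeats the `domain key` and `domain full chain certificate` lines of the primary block with only the prefix changed; a loop over `('', 'standby.')` that emits the `alternative names { www.<%= $host %> }` line only for the empty prefix would keep a single copy of the block, matching the structure the hunk replaces.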
diff --git a/frontends/etc/relayd.conf.tpl b/frontends/etc/relayd.conf.tpl
index 1900c0b..68b9e80 100644
--- a/frontends/etc/relayd.conf.tpl
+++ b/frontends/etc/relayd.conf.tpl
@@ -22,9 +22,10 @@ table <localhost> {
}
http protocol "https" {
- <% for my $host (@$acme_hosts) { for my $prefix (@prefixes) { -%>
- tls keypair <%= $prefix.$host -%>
- <% } } -%>
+ <% for my $host (@$acme_hosts) { -%>
+ tls keypair <%= $host %>
+ tls keypair standby.<%= $host %>
+ <% } -%>
tls keypair <%= $hostname.'.'.$domain -%>
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
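Review bot: With the dedicated `tls keypair www.<host>` entry gone, serving the www name now depends on relayd selecting the `<%= $host %>` keypair for that SNI through the certificate's alternative name rather than through a keypair named after it; please verify this against the relayd version in use before rollout, since a mismatch would show up as a wrong-certificate error only for the www name. The two new `tls keypair` lines also switch from `-%>` (used on the removed line and still on the `$hostname` line that follows) to `%>`; if the trailing-newline trim was intentional there, keep the three lines consistent, otherwise consider dropping it from the `$hostname` line too. The `http protocol "https"` block continues outside the hunk.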
diff --git a/frontends/scripts/acme.sh.tpl b/frontends/scripts/acme.sh.tpl
index 8d30609..b3301fa 100644
--- a/frontends/scripts/acme.sh.tpl
+++ b/frontends/scripts/acme.sh.tpl
@@ -44,12 +44,14 @@ handle_cert () {
has_update=no
<% for my $host (@$acme_hosts) { -%>
-<% for my $prefix ('', 'www.', 'standby.') { -%>
-handle_cert <%= $prefix.$host %>
+handle_cert <%= $host %>
+if [ $? -eq 0 ]; then
+ has_update=yes
+fi
+handle_cert standby.<%= $host %>
if [ $? -eq 0 ]; then
has_update=yes
fi
-<% } -%>
<% } -%>
# Current server's FQDN (e.g. for mail server certs)
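Review bot: The two new `if [ $? -eq 0 ]; then … fi` blocks test `$?` on the line after the call, which is fragile and duplicated; the idiomatic form is `if handle_cert <%= $host %>; then has_update=yes; fi`, and likewise `if handle_cert standby.<%= $host %>; then has_update=yes; fi`. Since `handle_cert` is defined before this hunk (per the `@@` header), these lines presumably sit at the top level of the generated script after the function, but that cannot be confirmed from the hunk alone. A comment above the template loop such as `# www.<host> is covered as an alternative name of <host> in acme-client.conf.tpl, so it needs no separate handle_cert call` would make the intentional omission of the www entry clear to the next reader.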