Multiple domains and/or wildcard domains possible with offical VM?

Hey @enoch85 and all others :wink:

I am trying and testing the official VM … and am loving it so far (wow it really speeds up on the same hardware I had the other VM running before. Maybe it’s due to NC 22 running now… I dunno but it’s awesome! :star_struck:)

so I came across the TLS-option in /var/scripts/menu.sh and was wondering:

  • does it deal with wildcard-domains… such as *.example.com
  • can you apply for several domains at once? like cloud.example.com and cloud.example.org at the same time? If yes, how?

I couldn’t find any information about that very point. Except that I know that it would work in general. I just don’t know how or if it woud work with your routines.

Keep the good work up and thanks for all the great work you did so far
JK

1 Like

Hey Jimmy!

Great that you like the speed! We worked quite a lot to make it faster actually.

Sorry, no wildcard domains afik, never tested actually, but shouldn’t work

The script is only designed to add one domain at the time. You could the manually add more by executing the TLS part standalone, and copy the Apache config from the original one.

Thanks!

1 Like

btw: wouldn’t that (multiple domains, if not wildcard domains) be a perfect idea to improve your setup-menue? :wink:
since you’d need more than one cert if you’d install turnserver, though

Hmm, yeah maybe that would be something to add. Question is why? It would only benefit those who wants to setup a multi-tenant environment, and in that case they should get a license anyway.

All the app-scripts already installs their own certs. OnlyOffice Docker, Collabora Docker, Talk, and so on. They have their own since all the configurations differ from each other.

If you have time left on your hands, and want to be a part of the VM - please add your PR for improvements you think make sense, the basics are already in place and you could almost just copy paste existing code… :slight_smile:

Have a nice weekend!

if only I could code :frowning:

Using wildcard certificates instead of individual certificates for each service would have the advantage that the subdomains would not be publicly known.
In combination with the DNS challenge from Let’s Encrypt, users who want to use their cloud only locally, could still get a signed certificate without making the names of the services they use with their domain publicly known.

1 Like

I didn’t know it was possible to add wildcard domains with LE. :thinking:

Do you have a link?

Yes, it is possible. But it only works with the DNS challenge, which means that a DNS TXT record has to be created every time you want to issue a new certificate or renew an existing one. You either can do this manually…

https://cloudness.net/certbot-dns-challenge/

or you can automate it via the API of your DNS provider. There are plugins for most of the popular DNS-providers and acme clients…

https://go-acme.github.io/lego/dns/

https://certbot.eff.org/docs/using.html?=dns#dns-plugins

…but i’m not a developer and therefore don’t know how you would have to integrate this into the VM in a user-friendly way, and how much effort it would be to maintain an up-to-date list of DNS providers.

I use *.local.mydomain.tld with HAProxy on my pfSense. This allows me to connect to local services that are not publicly accessible, or don’t even have an internet connection, with a signed certificate, which I find is very nice. :slight_smile:

We already do DNS validation with deSEC TLS. It’s automated, and it’s actually reeaally smooth. :ok_hand:t2:

We also already do it for the “regular” LE, but that’s a manual procedure if all else fails.

But yeah sure, maybe we could add something similar for LE as with deSEC, which is an automated hook script.

Time will tell. I’m open for PRs. :rocket:

2 Likes

@enoch85 time to reopen this subject to find out if you found time to tinker around with that a bit… did you?

Sorry no, not yet. Been a pretty “calm” year developing wise. Everything is stable and I intend to keep it that way.

Just got a new job offer which means I will work more with Nextcloud from next year, but probably not the community so much and since Nextcloud doesn’t promote our VM anymore I feel very un-motivated to be honest.