You could have different subdomains, e.g.

pbx1.ibcaccess.net
pbx2.ibcaccess.net
pbx2.ibcaccess.net

And each could have a unique certificate.  But then each Astlinux box would
need to have the login credentials for ibcaccess.net at whatever DNS
service you are using.  You might not want that.

Alternatively you could get a wildcard certificate for

*.ibcaccess.net

And deploy the same certificate to all Astlinux boxes even if they have
different subdomains.  However I think that our version of Acme client will
need to be updated to support that (probably not much of an issue, we've
been waiting for things to settle down a bit on the wildcard support).
Acme does not have wildcard support for all DNS services, so would need to
check on that.  But if you have a lot of Astlinux boxes with *.example.com
then this is probably much easier to manage.  You would request the
certificate at one Astlinux box and use the ssh deploy script to push
updated certificates out to every other one.

David
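An added example (my own, not AstLinux or acme.sh code) for the "one wildcard certificate, many boxes" approach above: before the certificate is pushed to every box, check that `*.ibcaccess.net` actually covers each box's hostname. A wildcard matches exactly one label, so it covers pbx1.ibcaccess.net but not the bare ibcaccess.net or a two-label name under it, and a box with an uncovered name would still throw the browser error Michael wants to get rid of. The hostnames come from the thread; the box list, file names and `DEPLOY_DIR` are placeholders I made up.

```sh
#!/bin/sh
# Added example for this thread; not AstLinux or acme.sh code. Hostnames are
# taken from the thread, the box list and deploy directory are made up.
# Before pushing one wildcard certificate to every box, confirm the wildcard
# actually covers each box's name: "*.ibcaccess.net" matches exactly one label.

WILDCARD_NAME='*.ibcaccess.net'
DEPLOY_DIR=${DEPLOY_DIR:-/path/on/the/box}   # placeholder, not a real AstLinux path
DRY_RUN=${DRY_RUN:-1}                        # 1 = print the plan, 0 = really scp

# wildcard_covers PATTERN HOST -> 0 if HOST is covered by PATTERN.
# Browser/RFC 6125 rule: a leading "*" stands for one non-empty label,
# so *.ibcaccess.net covers pbx1.ibcaccess.net but neither ibcaccess.net
# (the apex) nor a.pbx1.ibcaccess.net (two labels). DNS names are
# case-insensitive, so both sides are lowercased first.
wildcard_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*.}
            case "$host" in
                *".$suffix") ;;          # must end in ".ibcaccess.net"
                *) return 1 ;;
            esac
            label=${host%".$suffix"}     # what precedes the suffix
            [ -n "$label" ] || return 1  # ".ibcaccess.net" is not a host
            case "$label" in
                *.*) return 1 ;;         # more than one label, not covered
            esac
            return 0
            ;;
        *)
            [ "$pattern" = "$host" ]     # no wildcard: exact match only
            ;;
    esac
}

# push_cert CERT KEY HOST... -> copies CERT and KEY to every HOST, but refuses
# (returns 1, copies nothing) if any HOST is outside the wildcard, so no box is
# left serving a certificate that its own name does not match.
push_cert() {
    cert=$1
    key=$2
    shift 2
    bad=0
    for h in "$@"; do
        if wildcard_covers "$WILDCARD_NAME" "$h"; then
            echo "covered:     $h"
        else
            echo "NOT covered: $h (by $WILDCARD_NAME)" >&2
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] || return 1
    for h in "$@"; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: scp $cert $key root@$h:$DEPLOY_DIR/"
        else
            scp "$cert" "$key" "root@$h:$DEPLOY_DIR/" || return 1
        fi
    done
}

# Demo (dry run): the made-up box list, then the apex name to show the refusal.
push_cert fullchain.cer ibcaccess.net.key pbx1.ibcaccess.net pbx2.ibcaccess.net
push_cert fullchain.cer ibcaccess.net.key pbx1.ibcaccess.net ibcaccess.net \
    || echo "plan rejected, fix the host list first"
```

Upstream acme.sh requests a wildcard in its DNS mode with `-d ibcaccess.net -d '*.ibcaccess.net'` on one `--issue` run (whether the AstLinux-packaged client supports that is the open question above). Only the box that runs that issue step needs the DNS API token, which fits Lonnie's advice below to keep that token on a separate account: the other boxes receive certificate files, never credentials.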




On Fri, Jun 15, 2018 at 8:57 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com>
wrote:

> Hi Michael,
>
> Yes, ACME (Let's Encrypt) Certificates is the solution.
>
> You need a DNS provider supported by acme-client (acme.sh) that is able to
> prove DNS record ownership.
>
> There are two ways to go here:
>
> 1)  Create an account with a supported DNS service using the service's
> domain, such as https://www.duckdns.org/ , this is no cost for up to 5
> DNS records but they must be of the form <unique>.duckdns.org though a
> lot of the common ones have been taken.  Your username and assigned token
> is used to validate ownership of your DNS record.  Donate something and you
> will receive 10 DNS records.  DuckDNS is only one such example.
>
> 2) Register your own domain (yearly cost) then create an account with a
> supported DNS service using your domain, Cloudflare's free account supports
> this.  This is what I personally do.
> After you have a domain registered you need to set its nameservers to
> point to Cloudflare's as instructed.
>
>
> > I currently have a domain that I use to access all my systems (
> ibcaccess.net). Can I use this?
>
> For security reasons, I would use a separate domain and account for my
> ACME (Let's Encrypt) Certificates, that way if your DNS API credentials got
> loose your core DNS infrastructure on a different account won't get
> compromised.
>
>
> > Would the customer need to access the Astlinux GUI using this domain?
>
> Yes, if you generated an ACME (Let's Encrypt) Certificate for host
> pbx4.example.org the user's DNS must resolve pbx4.example.org to the
> service in question.  Though if all the users are behind AstLinux you can
> define pbx4.example.org in { Configure DNS Hosts } -> "DNS Forwarder
> Hosts:" to the local server.  In general there does not need to be a public
> A record for pbx4.example.org if all the users are local.
>
> To be clear, the example.org DNS (domain for pbx4) must be publicly
> available for acme-client (acme.sh) to issue a valid certificate.
>
> Hope that helps.
>
> Lonnie
>
>
>
> > On Jun 15, 2018, at 1:23 AM, Michael Knill <michael.knill@ipcsolutions.com.au> wrote:
> >
> > Ok after reading the doco page and Let's Encrypt and ACME Protocol pages,
> I realise that I don't really know what I am doing 😊
> >
> > The Problem:
> > I am now providing more regular access to the Astlinux Admin interface
> to customers and the certificate error is not a good look. You can store
> the Self Signed Certificate with Firefox but Chrome does not let you now.
> >
> > The Solution:
> > ACME (Let's Encrypt) Certificates with DNS.
> > Problem is that I don't know what I need and how to do it.
> > I currently have a domain that I use to access all my systems (
> ibcaccess.net). Can I use this?
> > Would the customer need to access the Astlinux GUI using this domain?
> Would I need to use a subdomain for the internal address?
> >
> > I'm just confused sorry. I am obviously too much of a noob regarding this
> stuff.
> >
> > Regards
> > Michael Knill
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Astlinux-users mailing list
> > Astlinux-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to
> > pay...@krisk.org.
