Single server, multiple websites, SSL certificates - is there an SSL limit?

Discussion in 'Installation/Configuration' started by jnewman67, Aug 17, 2021.

  1. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    I've searched and can't find a definite answer, and keep getting "multiserver" answers - not what I'm looking for.
    I saw some posts indicating that there can only be one SSL certificate per IP address on a server in several posts last night, but it seemed that might have been true for ISPConfig versions prior to 3.2 (the 3.1 manual states this as well). I'm guessing that's changed in ISPConfig 3.2, but I can't find it documented anywhere specifically, but I see posts referencing the capability.
    Could someone please explicitly state how SSL certificates are used in ISPConfig 3.2, what limits there are (one website, each website, some websites, etc.), what services will use the certificates and which won't, and the preferred mechanism/service used to create them and renew them. It's possible I misread something, so setting me straight there would be nice if that's the case.
    Sorry, but I just can't find anything stating all this in one place - if it's already been asked and answered, a link would be great.
    Thanks.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    ISPConfig will configure the web server to use many certificates on a single IP address. Configuring any other service to do that would have to be done manually. I have done so with Postfix and Dovecot as a point of reference, and I believe someone was working on setting up pure-ftpd to do so just recently (e.g. in the last 2 weeks), so it can be done, but it's not configured for you.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can have "unlimited" certificates on one IP, for different hostnames. Of course, Let's Encrypt has some rate limits that limit how many certificates you can request/renew, but ISPConfig will check if a hostname can be reached before calling Let's Encrypt, so the chance of hitting it is low. https://letsencrypt.org/docs/rate-limits/

    You let the installer request a certificate for your hostname to use for Postfix, Dovecot, and Pure-FTPd, though I use this way for the first 2: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
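    The reachability check mentioned above, as an added illustration rather than ISPConfig's own code: before a hostname is included in a Let's Encrypt request, confirm it actually resolves to this server, so that names still pointing elsewhere do not burn failed validations against the rate limits. The resolver is injectable; the DNS table, the 203.0.113.x / 198.51.100.x addresses and the function names are all constructed for the example.

```python
"""Pre-flight check before requesting a Let's Encrypt certificate.

Hypothetical helper (not ISPConfig code): a hostname is only worth
submitting when at least one of its addresses belongs to this server.
"""
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], set]

def system_resolver(hostname: str) -> set:
    """Every A/AAAA address the system resolver returns for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def plan_certificate_request(hostnames: Iterable[str], server_ips: set,
                             resolve: Resolver = system_resolver) -> dict:
    """Split hostnames into those safe to request and those to skip (with reason).

    A name resolving nowhere, or only to foreign addresses, would fail the
    HTTP-01 validation and count against the failed-validation rate limit.
    """
    plan = {"request": [], "skip": {}}
    for name in hostnames:
        name = name.strip().lower().rstrip(".")
        addrs = resolve(name)
        if not addrs:
            plan["skip"][name] = "does not resolve"
        elif addrs.isdisjoint(server_ips):
            plan["skip"][name] = f"resolves to {sorted(addrs)}, not this server"
        else:
            plan["request"].append(name)
    return plan

# Constructed DNS table standing in for real zone data (documentation ranges).
FAKE_DNS = {
    "example1.com": {"203.0.113.10"},
    "www.example1.com": {"203.0.113.10"},
    "mail.example1.com": {"203.0.113.10", "2001:db8::10"},
    "example2.com": {"198.51.100.7"},   # still pointing at the old host
    "mail.example2.com": set(),         # no record published yet
}

def demo() -> dict:
    """Run the planner against the constructed table for this server's IPs."""
    return plan_certificate_request(FAKE_DNS.keys(), {"203.0.113.10", "2001:db8::10"},
                                    resolve=lambda h: FAKE_DNS.get(h, set()))

if __name__ == "__main__":
    print(demo())
```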
     
  4. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    Th0m, thanks for the response. I apologize, but your solution partially adds to my confusion...
    I understand the addition of the second website and the alias domains - that's to generate an SSL cert for those names.
    But if the server name is isp.example.com, and my website domains are example1.com and example2.com, and I will access mail at mail.example#.com respectively, your solution appears to overwrite the server certificate with whichever domain had the last mail cert generated.
    Am I reading something wrong?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, Postfix and Dovecot use the same certificate that you set up using that guide. I am telling you that you should let them connect to mail.companyname.com instead of mail.clientdomain.com. You can follow that guide to create a certificate for mail.companyname.com (or imap.companyname.com and smtp.companyname.com, which is best practice imo).
     
  6. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    Understood (to clarify, you were using "companyname.com" for my "example.com" and "clientdomain.com" for my "example#.com" domains, I believe).
    I'm not sure I agree that "best practice" is for all clientdomain users to head over to mail.companyname.com to access their email, but that may be because I've been doing it the other way around for 15 years, and have hundreds of existing email users that I would have to reconfigure if I wanted to reset their settings to mail.companyname.com :)
    But your way would simplify things if it were done that way up-front.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Indeed, this was considered by many as best practice in the past. I prefer to use one hostname so users don't have to change the settings for such changes, and it is less work for you to maintain (e.g. when you have an IP change). And by using separate imap. and smtp. domains, you can spread those services over separate servers without end-users having to change settings when you do that.
     
  8. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    That's an interesting thought, Th0m. If you had time, would you write a guide for setting up to run IMAP and SMTP separately in a multi-server configuration? It could be useful for some. I have never done it, so I would not know where to begin, or I would write a guide myself.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    There are several ways to accomplish this... An easy option is already described in the multiserver guide: https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/
    You could point SMTP traffic to the first mailserver and IMAP/POP3 traffic to the secondary server; the sync between the servers will be done by Dovecot.
     
  10. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    That's interesting to know.
    I was thinking it could be a layer of security for your Postfix server, but needing an A record negates that idea.
     