Subject Alternate Name for ISPConfig Server (+LE certs)

Discussion in 'Server Operation' started by andyschmid, Mar 16, 2022.

  1. andyschmid

    andyschmid New Member

    Hi!
    You have done an amazing job with the automatically created LE certs for the server and all the sites setup. This is really so helpful!

    I do have a question regarding the server hostname and potentially getting an automated LE cert for a subject alternate name:
    I have set up ISPConfig and used a FQDN for the server: webserver.example.net. This of course creates the LE certificate for webserver.example.net. My primary domain is example.com and that's what I host as a website. example.net is just a "service" domain that is NOT hosted on the server and is just used for other DNS related configs, e.g. pointing to the webserver.

    Now as described in other posts for mail, when you set up your clients you should not use something like "mail.example.com" on your hosted domain, because that redirects to webserver.example.net, in my case, as the underlying server name, and this throws an encryption error. So to solve this you use webserver.example.net in your mail client configuration.
    Now this all works but it would be nice if I could use something more mail related for client configuration, for example mail.example.net or imap.example.net and smtp.example.net.

    Question: Is there a possibility to define a subject alternate name for the ISPConfig FQDN name so the Let's Encrypt certs for these get automatically created?

    Note: I realize I can manually edit the /root/.acme.sh/webserver.example.net/webserver.example.net.conf file and put the desired subject alternate names in there, but I am not sure if this gets overwritten again or if this is safe to do?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. andyschmid

    andyschmid New Member

    Thank you. I saw that thread earlier but I somehow had in the back of my mind that you shouldn't host the domain that you're using for your server as a hosted domain on that same server. That's why I have a separate domain, example.net, instead of example.com.
    But anyway if that's the way you work around this I'll do that, no issue.

    Out of interest: Can you manually change anything in the /root/.acme.sh/<domain>/<domain.conf> files or does that get overwritten?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not about the domain, it's about the exact subdomain match. The hostname of a server shall be a subdomain anyway and you should not use e.g. example.com as hostname when you want to have a website example.com, instead, you use e.g. server1.example.com as hostname, and then that's perfectly fine.

    I have not tried that, might get overwritten by updates or a new cert might get generated when there is no exact matching cert.
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes, to my knowledge you definitely can change the renewal conf.

    On whether it may or may not be overwritten will depend on what you do.

    If for example you force create new LE certs for that domain, it will rewrite it using new parameters that you use, however, if you simply renew the certs, it will use the parameters in it and won't overwrite it.

    The best is for you to test this yourself as my notes may not be up-to-date or may be lacking some empirical evidence. :rolleyes:
     
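    An added check for the question raised in posts 1 and 5 (example code written for this thread, not part of ISPConfig or acme.sh): it reads the names an acme.sh renewal conf will request and compares them with the SAN list of the cert currently on disk, so you can see whether a plain renew already covers the mail names you edited in or whether the cert has to be re-issued first. The conf text and the openssl output below are constructed samples; the `Le_Domain`/`Le_Alt` keys and the `'no'` value for "no alt names" are assumed from acme.sh's own conf format.

```python
import re

# Constructed sample of an acme.sh renewal conf
# (/root/.acme.sh/<domain>/<domain>.conf on the ISPConfig server),
# with the mail names from the thread added to Le_Alt.
SAMPLE_CONF = """\
Le_Domain='webserver.example.net'
Le_Alt='mail.example.net,imap.example.net,smtp.example.net'
Le_Webroot='/usr/local/ispconfig/interface/acme'
Le_Keylength='2048'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
"""

# Constructed sample of what
#   openssl x509 -in fullchain.cer -noout -ext subjectAltName
# prints for the cert that is actually on disk (hostname only so far).
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:webserver.example.net
"""

_KV = re.compile(r"^(\w+)='(.*)'$")


def parse_acme_conf(text):
    """Key/value pairs of an acme.sh renewal conf (single-quoted values)."""
    conf = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def conf_names(conf):
    """Names acme.sh requests on renewal: Le_Domain plus Le_Alt ('no' = none)."""
    names = {conf["Le_Domain"]}
    alt = conf.get("Le_Alt", "no")
    if alt and alt != "no":
        names.update(n.strip() for n in alt.split(",") if n.strip())
    return names


def san_names(openssl_text):
    """DNS names listed in the subjectAltName extension as printed by openssl."""
    return set(re.findall(r"DNS:([^,\s]+)", openssl_text))


def missing_from_cert(conf_text, openssl_text):
    """Names the conf asks for that the issued cert does not cover yet.
    Non-empty means mail clients using those names will still get a
    certificate error until the cert is re-issued with the new SAN list."""
    return sorted(conf_names(parse_acme_conf(conf_text)) - san_names(openssl_text))
```
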