OSE Germany e.V. / Koordination / IT / IT Tickets, issue #32

Created Oct 18, 2020 by Andre Lehmann (@aisberg), Owner

Wildcard TLS Certificates (+ DNS using DNSSEC)

Problem to solve

Currently we create a TLS certificate for each of our services. As our platform grows, more certificates will be in use. Let's Encrypt imposes rate limits on how many certificates can be issued and re-issued, so it might be beneficial to keep the number of certificates as low as possible. To do so, we could use a wildcard certificate. The problem is that we currently cannot create such a certificate: Let's Encrypt only issues wildcard certificates via the DNS-01 challenge, which requires a DNS nameserver with an API for setting the validation records, and we don't have one.

Intended users

  • Everyone browsing our services

Proposal

An option might be to use an external nameserver while keeping our current domain registrar. For example, we could use the service deSEC, which offers an API, DNSSEC and hosting in Germany. With this, it should be possible to create wildcard certificates via Let's Encrypt.

Further details

Possible use cases:

  • Use a single wildcard certificate (*.opensourceecology.de) for the bulk of our public services and maybe another one for administrative services.
  • With DNSSEC we might also be able to use Encrypted SNI (ESNI) with TLS 1.3.
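Before consolidating onto one or two wildcard certificates, it is worth checking which of our hostnames a wildcard actually covers. The following is an added example (not part of this issue or the deSEC project): it applies the RFC 6125 rule that `*` matches exactly one leftmost label, groups a constructed list of service hostnames under the proposed wildcards, and derives the `_acme-challenge` TXT record name that the DNS-01 challenge would need at the nameserver. The hostnames other than the apex domain are assumptions.

```python
"""Plan wildcard-certificate coverage for a set of service hostnames."""
from collections import defaultdict


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    RFC 6125 / browser semantics: '*' must be the entire leftmost label and
    matches exactly one label, so '*.example.de' covers 'a.example.de' but
    neither the apex 'example.de' nor the deeper 'a.b.example.de'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.tld' and any wildcard not in the leftmost label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def plan_certificates(hostnames, wildcards):
    """Assign each hostname to the first wildcard that covers it.

    Returns (covered, uncovered): covered maps wildcard -> hostnames, and
    uncovered lists names that still need to appear explicitly in a SAN.
    """
    covered, uncovered = defaultdict(list), []
    for host in hostnames:
        for wildcard in wildcards:
            if wildcard_matches(wildcard, host):
                covered[wildcard].append(host)
                break
        else:
            uncovered.append(host)
    return dict(covered), uncovered


def acme_challenge_name(cert_name: str) -> str:
    """DNS-01 validation record for a certificate name: the TXT record sits at
    _acme-challenge.<base domain>; a leading '*.' label is dropped."""
    base = cert_name[2:] if cert_name.startswith("*.") else cert_name
    return f"_acme-challenge.{base}"


# Constructed sample inventory (hostnames are hypothetical, not real services).
SERVICES = ["wiki.opensourceecology.de", "git.opensourceecology.de",
            "opensourceecology.de", "grafana.admin.opensourceecology.de"]
WILDCARDS = ["*.opensourceecology.de", "*.admin.opensourceecology.de"]

if __name__ == "__main__":
    print(plan_certificates(SERVICES, WILDCARDS))
```

The apex domain is not covered by `*.opensourceecology.de` and must be added as a separate SAN, and services one level deeper need their own wildcard, which is why the administrative services may end up on a second certificate as proposed.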

Additional Resources:

  • https://administrator.de/forum/funktioniert-subdomains-fritzbox-537565.html#comment-1420979
  • https://blog.cloudflare.com/encrypted-sni/

Documentation

Other links/references

Edited Oct 18, 2020 by Andre Lehmann