I’m using brilliant SWAG container for reverse proxy with letsencrypt. Until now everything worked perfectly.
However now I have one concern regarding security. Whenever I create a multiple subdomains (e.g.
sub3.example.com) I can see all of them in certificate info under the SAN. But there are also some subdomains that I’d like to hide, or about which only I should know. So if anybody looks on certificate details he shouldn’t see them. I don’t think this is possible to do with SWAG, or if it is can somebody please tell me how to do so?
So for problem above, there could be a solution to generate wildcard certificate, however currently certbot supports only small number of dnsplugins. For example I’d like to generate wildcard cert for gransy.com provider. For sure there is some option how to write the plugin, but for me it would be difficult. There is one tool dehydrated which supports multiple dns providers and new are being added. So it would be nice if we can have option to switch between certbot or dehydrated, or we can have container similar to SWAG which will utilise dehydrated.
What do you think?
It’s not security, it’s really privacy. But then again, it’s a false sense of privacy.
Keep in mind that letsencrypt publishes all certs issued publicly, so once you get a cert, your domain is publicly listed. Anyone checking the dns records (or via public reverse ip look up) can figure out which domains are hosted on the same server. Having separate certs protects you from none of that.
We have no plans of implementing separate certs with swag as it pretty much breaks the automation and the standardization we have.
You’re better off retrieving and managing the second cert manually via certbot, dropping it somewhere in the config folder and referencing it in the nginx confs.
@aptalca thank for quick response. I didn’t knew about that and I think the best solution would be to create wildcard for this, so I can hide anything under
What about that Dehydrated tool? Would you consider such option to provide also plugins for other dns providers? I think there’s also Lexicon which is probably also used by Dehydrated that could be useful.
Yes, indeed, wildcard does provide some privacy through obscurity as it masks all actively used subdomains in both the cert and the dns records.
We looked at acme, but at the end of the day, we’ve been using certbot, which was the official letsencrypt client, from the start and it is so entrenched into our automation, it would take a lot of effort to switch to something else for little gain. And official vs 3rd party is a big consideration in this case.
@aptalca and can you think of providing custom certbot dns plugin in SWAG? I found this issue so probably I can try to create a plugin that way, but I’d like to know whether that won’t be a pain to integrate it in SWAG.
edit: don’t know why forum is marking my posts as spam…because of links to github?
You can always create a third party dns plugin for certbot. We added support for several of those in swag, like this one: https://github.com/hsmade/certbot-dns-transip