Re: SSL and reverse proxy and multiple certificates/domains - SUCCESS!

[Pete Helgren <pete@xxxxxxxxxx>]

Yep...didn't really have to mess with the vhost instances, just the 
front end reverse proxy and all I had missed was the SSLServerCert...so 
simple and yet....

So the way I use LetsEncrypt is I have DCM generate the CSR and then I 
use a Java based ACME client to generate all the rest of the steps. Then 
I import the certificate back into DCM.   I have it pretty well 
scripted, except ofr the import,  and I have some assurance from IBM 
that an API to generate the CSR and an API to import/renew the 
certificate will be available soon.  That will allow me to automate the 
whole process and make renewals a snap.

I can't remember if there was an issue with SAN or not.  The latest 7.2 
DCM version does have a place to add them when requesting the CSR.

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek  IBM_i_Geek

On 8/31/2018 3:30 PM, Bradley Stone wrote:
> So, the only place the SSL information is placed is in the proxy instance?
> The other instances are just simple without needed anything else?  That's a
> bonus if that's correct.
>
> BTW, I was working with LetsEncrypt for a customer who needed a short time
> SSL cert until they get to V7R3... well, I did the CSR and it didn't give
> me a certificate with the subject alternative names as domain.com and
> www.domain.com, which of course caused issues.  (I used one of the web
> interfaces they have).
>
> The issues seemed to be that they were using the CSR I generated and
> leaving off the www SAN.  I could do it without a CSR, but then I couldn't
> import it into DCM.
>
> Decided to spend $9 at Namecheap.com and just do it that way.  Same CSR and
> it generated to two proper SANs.
>
> Bradley V. Stone
> www.bvstools.com
> MAILTOOL Benefit #7<https://www.bvstools.com/mailtool.html>: The ability
> to completely bypass the IBM SMTP system all together using MAILTOOL Plus
> or other Addons.