Re: SSL and reverse proxy and multiple certificates/domains - SUCCESS!

Yep...didn't really have to mess with the vhost instances, just the front end reverse proxy and all I had missed was the SSLServerCert...so simple and yet....

So the way I use LetsEncrypt is I have DCM generate the CSR and then I use a Java based ACME client to generate all the rest of the steps. Then I import the certificate back into DCM.   I have it pretty well scripted, except ofr the import,  and I have some assurance from IBM that an API to generate the CSR and an API to import/renew the certificate will be available soon.  That will allow me to automate the whole process and make renewals a snap.

I can't remember if there was an issue with SAN or not.  The latest 7.2 DCM version does have a place to add them when requesting the CSR.

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 8/31/2018 3:30 PM, Bradley Stone wrote:

So, the only place the SSL information is placed is in the proxy instance?
The other instances are just simple without needed anything else? That's a
bonus if that's correct.

BTW, I was working with LetsEncrypt for a customer who needed a short time
SSL cert until they get to V7R3... well, I did the CSR and it didn't give
me a certificate with the subject alternative names as domain.com and
www.domain.com, which of course caused issues. (I used one of the web
interfaces they have).

The issues seemed to be that they were using the CSR I generated and
leaving off the www SAN. I could do it without a CSR, but then I couldn't
import it into DCM.

Decided to spend $9 at Namecheap.com and just do it that way. Same CSR and
it generated to two proper SANs.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #7<https://www.bvstools.com/mailtool.html>: The ability
to completely bypass the IBM SMTP system all together using MAILTOOL Plus
or other Addons.