Score:0

Remove domain from hostname while using domain wildcard certificate

I am setting up a small network with several servers such as vaultwarden, jenkins and gitlab.

I want to use https with a CA signed certificate. To do so, I have purchased a domain (let's say foobar.com) and have already obtained a wildcard certificate for *.hq.foobar.com.

When I access https://vaultwarden.hq.foobar.com/ I have no complaints from my browser, and the certificate is valid.

Unsurprisingly, if I access https://vaultwarden/ the browser warns about a potential security risk, since the certificate issued is only valid for domains in *.hq.foobar.com.

My question is, is there any way to avoid having such long names (gitlab.hq.foobar.com, jenkins.hq.foobar.com...) for all the services in my network while keeping a publicly trusted certificate?

I would like to avoid using self-signed certificates, or creating a private CA and having to trust any of those on all the computers in my network.

How do companies manage this? Everywhere I worked before had self-signed certificates, which doesn't seem too secure to me, but it was convenient.

Ryan Bolger
I'd try to get used to using fully qualified domain names (FQDNs) everywhere. Short names just cause confusion and ambiguity. Most of the tools you use like web browsers have features to make using FQDNs less painful. Not only are there bookmarks and shortcuts, but most browsers keep track of where you've been such that anything you visit often will usually auto-complete in the address bar after typing a few characters.
That's what I expected. Yeah, once you've visited the host once, it's easy to visit again. I was just more worried about long links in documentation and such, but I guess it's something I have to learn to live with.
Score:2
My question is, is there any way to avoid having such long names (gitlab.hq.foobar.com, jenkins.hq.foobar.com...) for all the services in my network while keeping a publicly trusted certificate?

No. NetBIOS names (hostnames only) are not allowed in Internet PKI. Every certificate is issued against a hostname (or all hosts, in the case of a wildcard) in a specified domain. And you have to prove ownership of the domain.

In your case, https://vaultwarden/ is treated as the single-label domain vaultwarden, not a host name. Single-label domains are not allowed either, and you cannot prove ownership of one, nor can you buy one. This means that you cannot do this with a certificate obtained from a globally trusted CA.

Instead of using self-signed certificates, it can be convenient to use a private CA which is trusted only within the environment you manage.

Thanks, it's what I had guessed but wanted some confirmation. I'll try to get everyone used to FQDNs, and if not, we'll go the private CA route. Thanks.
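As an added illustration of the matching rule the answer describes (example code, not from the question or the answers): a small Python implementation of the SAN dNSName comparison browsers perform, run over the names from the question. The SAN list and hostnames are constructed from the question's example domain foobar.com.

```python
"""Check whether a hostname is covered by a certificate's SAN dNSName entries.

Implements the wildcard rules browsers apply (RFC 6125 section 6.4.3, as
tightened by the CA/Browser Forum): '*' may appear only as the whole
leftmost label and matches exactly one label, so '*.hq.foobar.com' covers
'vaultwarden.hq.foobar.com' but neither 'vaultwarden' nor 'hq.foobar.com'.
Sample names are constructed from the question above (foobar.com is an
example domain, not a real deployment).
"""

def _labels(name: str) -> list[str]:
    # Normalise: DNS names are case-insensitive and a trailing dot is ignorable.
    return name.lower().rstrip(".").split(".")

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:            # empty labels never match
        return False
    if "*" not in pattern:
        return p == h                 # plain name: exact label-wise match
    # Wildcard rules: only the leftmost label may be '*', and it must be the
    # whole label (partial wildcards such as 'vault*.hq.foobar.com' are rejected).
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False
    # A wildcard needs at least two labels after it (rough guard against
    # matching a whole TLD like '*.com'; real clients also consult the public
    # suffix list), and it matches exactly one label, never zero or several.
    if len(p) < 3 or len(h) != len(p):
        return False
    return p[1:] == h[1:]

def covered_by(san_names: list[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate covers `hostname`."""
    return any(hostname_matches(n, hostname) for n in san_names)

if __name__ == "__main__":
    # Constructed SAN list for the wildcard certificate from the question.
    sans = ["*.hq.foobar.com"]
    for host in ["vaultwarden.hq.foobar.com", "VAULTWARDEN.hq.foobar.com.",
                 "vaultwarden", "hq.foobar.com", "a.b.hq.foobar.com"]:
        print(f"{host:30} covered={covered_by(sans, host)}")
```

The single-label name from the question fails because the wildcard has to consume exactly one label and three labels must still remain to compare, which is the same reason the browser warns on https://vaultwarden/.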