On Sun, 20 Jun 2021 at 14:26, mick mbm@rlogin.net wrote:
[ Biggus Snippus of extremely useful info, thank you]
My point in going over this is that you /could/ do something similar if you do not really need to use wildcards in your certificates.
It is certainly the wildcard issue that is the key, and I am now wondering how important it is to me.
The reason I have it is that I have a multi-site WordPress. Each site is notionally <sitename>.<myhostname>, although most also then have their own domains on top. Using wildcards is easier than having to add each new <sitename> to the configuration, but actually that happens fairly infrequently compared with the 3mo SSL cert renewal I have to do manually now due to the wildcard.
That said, as there is a mechanism for auto-renewal via DNS using a select list of hosts with APIs, and (it seems) a way to do that via CNAMEs rather than moving the DNS of the domain itself, I would prefer to get that working. But I can't for the life of me work out how it's supposed to hang together!
Thanks for the info though, I think I need to sit down and think about how I'm doing SSL in general.