Wildcard cert? Or individual subdomain certs?

Currently reading
Wildcard cert? Or individual subdomain certs?

Telos

Telos

Subscriber
2,544
823
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
What are the drawbacks of using wildcard certs?

Obviously setting up a new subdomain which uses an existing wildcard cert, is a few clicks easier, and cert renewal across multiple subdomains is simpler with a wildcard cert.

Are there security issues involved with using an LE wildcard cert, as opposed to managing individual subdomain certs?
 
fredbert

fredbert

Moderator
NAS Support
Subscriber
3,799
1,506
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
An interesting question. I'm wondering how would something malicious benefit from successfully spinning up a virtual host vs would this be worse than just infecting an existing web service's files?

From a client point of view then I guess there is probably more trust that this particular service is the right one if it isn't using a wildcard.
 
Telos

Telos

Subscriber
2,544
823
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
Last edited:
I've been using a wildcard cert, primarily on the basis of "oh, isn't that easy", but I've not seen much that addresses its drawbacks... hence the question.

This got me thinking...

And since it is relatively simple to request LE certs for subdomains, I want to take the right path from a security standpoint.
 
fredbert

fredbert

Moderator
NAS Support
Subscriber
3,799
1,506
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
If you read this and the linked report there are examples for why using wildcard certs can be a risk.
www.nsa.gov

Avoid Dangers of Wildcard TLS Certificates, the ALPACA Technique

NSA released the Cybersecurity Information Sheet, “Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique” today, warning network administrators about the risks of using poorly scoped
www.nsa.gov

For an organisation that has a complex and diverse IT/OT deployment then managing domains and certificates will be an important part of administration. But in a home setup: how complex will it be; what is the reward for compromising the certificate vs just doing a ransomware of data?

Maybe in situations where you are running many secured services [on your NAS] then there is a heightened risk that a service implementation is weak and that could further compromise other services. Whether this means an attack target would be via a shared wildcard certificate, instead of just going around the underlying OS and to other services and data.

Anyway, I use multiple LE certs that have a few alternative names ... because I'm too lazy to manually setup a way to do wildcard cards and manually manage their distribution.
 
Telos

Telos

Subscriber
2,544
823
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
Last edited:
Largely my subdomains connect to my NAS' reverse proxy, and then onto a docker container, or other networked device (for example, NAS1, NAS2, NAS3...). In that scenario, all certs, whether wildcard, or individual subdomains, would reside on the primary NAS1 on which the reverse proxy is operating, limiting (?) my security risk to NAS1 ("all eggs in one basket").

Simplistically, I'm unsure whether individual subdomain certs offer added security, when they are all on the same machine.

I'm probably missing something basic with that philosophy...

Relatedly... since Cloudflare assumed management of my wildcard cert, there seems to be no way to prevent the renewal of the wildcard... short of closing my account. What a puzzle.
 
Rusty

Rusty

Moderator
NAS Support
5,606
1,647
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
fredbert said:
For an organisation that has a complex and diverse IT/OT deployment then managing domains and certificates will be an important part of administration. But in a home setup: how complex will it be; what is the reward for compromising the certificate vs just doing a ransomware of data?

Maybe in situations where you are running many secured services [on your NAS] then there is a heightened risk that a service implementation is weak and that could further compromise other services. Whether this means an attack target would be via a shared wildcard certificate, instead of just going around the underlying OS and to other services and data.
Click to expand...

Personally I would agree with this statement. Coming from a large corporation where using a wild card cert is a huge no (from a security standpoint) we always use dedicated certs per service. Reason is that the they want to minimize the risk by not allowing a cert to compromised that will then effect multiple services all at once.

For a soho setup, and especially every xy months I would still use a wild cert then to tackle 20-30 individual certs for all the services. Security vs convenience I guess.
 
Telos

Telos

Subscriber
2,544
823
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
Rusty said:
For a soho setup, and especially every xy months I would still use a wild cert then to tackle 20-30 individual certs for all the services
Click to expand...

Thanks. For now, I'm staying with the wildcard cert. But I'm giving up on using npm to acquire it. Yesterday I discovered how simple certbot is (and discovered that the wildcard also covers the base domain), using...

sudo certbot --manual --preferred-challenge dns certonly -d *.mydomain.com

Now I need to sort out how to automate this to land the certs in the proper location, and to set a renewal. :)
 
jeyare

jeyare

Subscriber
2,439
813
NAS
Synology, TrueNAS
Operating system
  1. Linux
  2. Windows
wildcard cert always,
just use the Search tool on this forum regarding LE cert issues, and you will get 1000 reasons for the wildcard cert usage.

“nothing is for free”
or
“anything free is worth what you pay for it”
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Register

Log in

Already have an account? Log in here.

Similar threads

Telos
Question LE Cert | Synology DDNS Wildcard
Okeedokee... I guess it's off to explore Google Domains...
Replies
6
Views
1,894
Telos
Telos
akahan
How to Renew Wildcard Non-synology LetsEncrypt Certs?
EDIT: Ok, not sure why. But after destroying the LE docker container and re-created it using a MACVLAN IP...
Replies
8
Views
4,633
Shadow
Shadow
Telos
  • Question
LE Cert renewal failures
Methinks I've found an issue with the DDNS. Still can't explain the odd error with the Synology wildcard...
Replies
6
Views
1,080
Telos
Telos
vivian
  • Question
Your connection isn't private - LE Cert is Valid?
When you login to the NAS and experience this issue of the certificate, check what is reported as the...
Replies
13
Views
1,111
WST16
WST16
M
LE cert error via webdav, https is fine
i use the built-in function in DSM to get the certificate. There was nothing more to do and everything...
Replies
11
Views
830
makon
M
Telos
Question Synology DDNS wild card cert w/LE
Wildcard domains require DNS verification. Synology have no control over other people's DNS records hence...
2
Replies
23
Views
2,737
rtfmoz
R

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Register

Trending threads

Top