Just in case anyone was (like me) wondering how a wildcard certificate would work with multiple levels of subdomains, it turns out that EZproxy has custom support for SSL built-in and automatically converts example.org.ezproxy.example.org to use hyphens in the subdomains: example-org.ezproxy.example.org
Citing an online discussion:
> > One post I read suggested that wildcard certificates were only good for one domain level, here's an excerpt:
> >
> > "Example, if the cert is for *.domain.com then a.domain.com and b.domain.com hosts can use the same cert. but for hosts that have more than one level of subdomain like c.d.domain.com, the cert. will not work and you will get the popup warning"
> >
> > Is this comment accurate?
>
> That comment is true. For this reason, when you use a wildcard certificate on a server named ezproxy.yourlib.org, the wildcard certificate is for *.ezproxy.yourlib.org, EZproxy calls itself login.ezproxy.yourlib.org during secure login, and when you proxy a remote site, the periods of the hostname are changed to hyphens (e.g. www-somedb-com.ezproxy.yourlib.org). This avoids the browser warnings.
> On Jan 14, 2016, at 10:17 PM, Andrew Anderson <[log in to unmask]> wrote:
>
> Eric,
>
> Check out Startcom’s StartSSL service (https://www.startssl.com), for $120 you have the ability to generate 3-year wildcard certificates with their Organizational Validation level of service.
>
> Andrew
>
> --
> Andrew Anderson, President & CEO, Library and Information Resources Network, Inc.
> http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | http://www.facebook.com/LIRNnotes
>
>> On Jan 14, 2016, at 21:33, Eric Hellman <[log in to unmask]> wrote:
>>
>> I would also go with the $120 3 year wildcard cert for ezproxy. What vendor are you using?
>>> On Jan 14, 2016, at 7:23 PM, Cary Gordon <[log in to unmask]> wrote:
>>>
>>> I love the idea of Let’s Encrypt, but I recently bought a three year wildcard cert subscription for about $120. I would need to fall firmly into the true believer category to go the route you suggest.
>>>
>>> Cary
>>>
>>>> On Jan 14, 2016, at 11:20 AM, Eric Hellman <[log in to unmask]> wrote:
>>>>
>>>> A while back, the issue of needing a wildcard certificate (not supported by Let's Encrypt) for EZProxy was discussed.
>>>>
>>>> In my discussions with publishers about switching to HTTPS, EZProxy compatibility has been the most frequently mentioned stumbling block preventing a complete switch to HTTPS for some HTTPS-ready publishers. In two cases that I know of, a publisher which has been HTTPS-only was asked by a library customer to provide insecure service (oh the horror!) for this reason.
>>>>
>>>> It's been pointed out to me that while Let's Encrypt is not supporting wildcard certificates, up to 100 hostnames can be supported on a single LE certificate. A further limit on certificates issued per week per domain would mean that up to 500 hostnames can be registered with LE in a week.
>>>>
>>>> Are there EZProxy instances out there that need more than 500 hostnames, assuming that all services are switched to HTTPS?
>>>>
>>>> Also, I blogged my experience talking to people about privacy at #ALAMW16.
>>>> http://go-to-hellman.blogspot.com/2016/01/not-using-https-on-your-website-is-like.html
>>>>
>>>> Eric
>>>>
>>>>
>>>> Eric Hellman
>>>> President, Free Ebook Foundation
>>>> Founder, Unglue.it https://unglue.it/
>>>> https://go-to-hellman.blogspot.com/
>>>> twitter: @gluejar
>>
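The matching rule the thread is describing, as an added example that is not part of the original thread and is not EZproxy's own code: a wildcard in a certificate name may only be the complete leftmost label and matches exactly one label (RFC 6125 section 6.4.3, which is how browsers behave), so `*.ezproxy.yourlib.org` covers `login.ezproxy.yourlib.org` and `www-somedb-com.ezproxy.yourlib.org` but not `www.somedb.com.ezproxy.yourlib.org`. The hostnames are the ones used in the thread; the flattening function only reproduces the period-to-hyphen rule as the thread states it and makes no claim about how EZproxy handles hostnames that already contain hyphens (the mapping is not reversible in general).

```python
"""Single-level wildcard matching and EZproxy-style hostname flattening.

Added example; not code from the mailing-list thread or from EZproxy.
Hostnames (ezproxy.yourlib.org, www.somedb.com) are taken from the thread.
"""
from __future__ import annotations


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, as browsers enforce them):
      * label counts must be equal, so '*' never spans a period;
      * only the leftmost label may be a wildcard, and only as a bare '*'
        (partial wildcards such as 'f*.example.com' are rejected, which is
        stricter than the RFC but matches common browser behaviour);
      * '*.com' style names (wildcard directly under a top-level label)
        are rejected;
      * all other labels compare equal case-insensitively.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never more
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if i == 0 and p == "*":
            if len(p_labels) < 3 or h == "":
                return False  # refuse '*.tld' and empty leftmost labels
            continue
        if "*" in p or p != h:
            return False  # wildcard in a non-leftmost label, or mismatch
    return True


def ezproxy_hostname(remote_host: str, proxy_host: str) -> str:
    """Flatten a proxied remote hostname into one label under proxy_host,
    replacing every period with a hyphen as the thread describes
    (www.somedb.com -> www-somedb-com.ezproxy.yourlib.org).

    The forward mapping is all this example models; hyphens already present
    in remote_host are left alone, so the result is not reversible in general.
    """
    flat = remote_host.lower().rstrip(".").replace(".", "-")
    return f"{flat}.{proxy_host.lower().rstrip('.')}"


def check_names(proxy_host: str, remote_hosts: list[str]) -> dict[str, bool]:
    """For each remote host, report whether the flattened proxy name and the
    un-flattened (period-preserving) name are covered by '*.proxy_host'.

    The un-flattened form is the one the thread says triggers browser
    warnings; it is included to show the failure mode side by side.
    """
    pattern = f"*.{proxy_host}"
    results: dict[str, bool] = {}
    for remote in remote_hosts:
        flattened = ezproxy_hostname(remote, proxy_host)
        naive = f"{remote.lower().rstrip('.')}.{proxy_host}"
        results[flattened] = wildcard_matches(pattern, flattened)
        results[naive] = wildcard_matches(pattern, naive)
    return results


if __name__ == "__main__":
    proxy = "ezproxy.yourlib.org"
    # Constructed sample input: a login hostname plus one proxied database.
    print("login host covered:",
          wildcard_matches(f"*.{proxy}", f"login.{proxy}"))
    for name, ok in check_names(proxy, ["www.somedb.com"]).items():
        print(f"{name:45s} {'OK' if ok else 'WARNING (no match)'}")
```

Run it as-is to see the flattened name pass and the period-preserving name fail against the same `*.ezproxy.yourlib.org` pattern; that pair is the whole reason the hyphen conversion exists.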