I want to make a plea too, not to fragment Code4Lib, but rather to consolidate EZProxy knowledge to post these queries to the EZProxy list.
For good, bad or indifferent, OCLC is putting together an EZProxy community wiki and for those EZProxy folks who come after you, who are not C4Lers, I ask that whatever info go there.
(@Jon, kind of looking at you because I worry that EZProxy expertise such as yours will get lost. I know it seems impossible, but one day we may all go on to other work. I for one am looking forward to an exciting second career as a Starbucks barrista; I hear my Master's degree will serve me well there ;-)
John Spoor Broome Library
California State University, Channel Islands
From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of Jason Bengtson
Sent: Wednesday, February 17, 2016 10:24 AM
To: [log in to unmask]
Subject: Re: [CODE4LIB] SSL certificates and proxy servers
Yeah, in the latest EZProxy version you can use a multi-domain cert with the wildcard in the SAN. Be sure when you request your cert with the EZProxy CSR you get a multi-domain cert, otherwise it won't matter what you've selected for the SAN.
On Wed, Feb 17, 2016 at 12:17 PM, Gorman, Jon <[log in to unmask]> wrote:
> > Hi Code4Lib,
> > We're looking into applying an SSL certificate to an EZproxy server
> > and
> > sure exactly how a wildcard cert gets handled in that context.
> > Anyone have experience with this?
> > The fuzzy part is that we're not clear how wildcard certificates
> > that
> > subdomain matching (e.g., *.example.org) translate into wild-looking
> > domains (like search.whatever.com.proxy.example.org).
> This depends a lot on the version number of EzProxy.
> The older versions of EzProxy look for a couple of things:
> * proxy-by-hostname needs to be on (sounds like you have that)
> * The wildcard MUST be in the CN, not a SAN. You'll likely want to use
> your login domain in the SN, depending on levels.
> Given those two things, when ezproxy sees that it has a wildcard in
> the CN, it'll change from using periods to hypens.
> I think, although I can't remember for sure, at some point in 6.x this
> was fixed so a wildcard in a CN or SAN will work. I'd definitely
> verify that through testing though.
> A license of ezproxy should let you run a separate test instance on
> another machine. You can verify this by just creating a self-signed
> wildcard cert. You'll get a warning, but you should also see the
> ezproxy behavior change. I find dnsmasq can be helpful as well.
> So you'll want to get a wildcard cert for the one level of subdomain.
> While you're at it, make sure it's a 2048 bit key and SHA-2. I've been
> seeing a lot of people running into problems with old 3 year certs
> that they finally gotten around to putting into place.
> > This might be more of an EZproxy config question and more
> > appropriate to
> > list. There's also documentation
> > <
> > ml>
> > out there. But if anyone can comment on the process, whether the
> > documentation was helpful to you, what sort of wildcard cert you got
> > to address this problem, etc., we'd be interested to hear from you.
> It's asked frequently enough that if I wasn't quite so lazy, I'd make
> it into the top FAQ question. The documentation was ok, but it's
> really not all that complicated.
> Jon Gorman
> Library IT
> University of Illinois
> 217 244-4688