> Hi Code4Lib,
> We're looking into applying an SSL certificate to an EZproxy server and aren't
> sure exactly how a wildcard cert gets handled in that context.
> Anyone have experience with this?
Yup.
> The fuzzy part is that we're not clear how wildcard certificates that handle
> subdomain matching (e.g., *.example.org) translate into wild-looking proxied
> domains (like search.whatever.com.proxy.example.org).
This depends a lot on the version number of EzProxy.
The older versions of EzProxy look for a couple of things:
* proxy-by-hostname needs to be on (sounds like you have that)
* The wildcard MUST be in the CN, not a SAN. You'll likely want to use your login domain in the SN, depending on levels.
Given those two things, when ezproxy sees that it has a wildcard in the CN, it'll change from using periods to hypens.
I think, although I can't remember for sure, at some point in 6.x this was fixed so a wildcard in a CN or SAN will work. I'd definitely verify that through testing though.
A license of ezproxy should let you run a separate test instance on another machine. You can verify this by just creating a self-signed wildcard cert. You'll get a warning, but you should also see the ezproxy behavior change. I find dnsmasq can be helpful as well.
So you'll want to get a wildcard cert for the one level of subdomain. While you're at it, make sure it's a 2048 bit key and SHA-2. I've been seeing a lot of people running into problems with old 3 year certs that they finally gotten around to putting into place.
> This might be more of an EZproxy config question and more appropriate to that
> list. There's also documentation
> <https://www.oclc.org/support/services/ezproxy/documentation/cfg/ssl.en.ht
> ml>
> out there. But if anyone can comment on the process, whether the
> documentation was helpful to you, what sort of wildcard cert you got to
> address this problem, etc., we'd be interested to hear from you.
It's asked frequently enough that if I wasn't quite so lazy, I'd make it into the top FAQ question. The documentation was ok, but it's really not all that complicated.
Jon Gorman
Library IT
University of Illinois
217 244-4688
|