use let's encrypt wild cartificate for *.bmj.com
authorDobrica Pavlinusic <dpavlin@rot13.org>
Mon, 29 Jul 2019 09:47:35 +0000 (11:47 +0200)
committerDobrica Pavlinusic <dpavlin@rot13.org>
Mon, 29 Jul 2019 09:47:35 +0000 (11:47 +0200)
certbot-wildcard.txt [new file with mode: 0644]
providers/www.bmj.com.conf [new file with mode: 0644]

diff --git a/certbot-wildcard.txt b/certbot-wildcard.txt
new file mode 100644 (file)
index 0000000..7b95148
--- /dev/null
@@ -0,0 +1,54 @@
+Some providers like to have multiple prefix before it's domain. This is
+problem for Let's Encrypt certificates because we can have just 100 names
+in each certificate, so alternative solution is needed.
+
+This is guide how to configure Let's Encrypt wildcard certificate and
+rewrite every host under it.
+
+
+Install DNS plugin for certbot
+
+# part of stretch backports or buster
+
+dpavlin@mjesec:/srv/via-proxy$ sudo apt install python3-certbot-dns-rfc2136
+
+
+mjesec:/etc/bind# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST p2.vbz.ffzg.hr
+Kp2.vbz.ffzg.hr.+165+16105
+
+mjesec:/etc/bind# tail -5 named.conf.options 
+
+key "p2.vbz.ffzg.hr" {
+        algorithm hmac-sha512;
+        secret "Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8n yVkJWpswoyntgJd7YXcsXKZgzKVbpw==";
+}
+
+
+Allow creation of txt records:
+
+diff --git a/bind/named.conf.local b/bind/named.conf.local
+index acc4997..fbc101b 100644
+--- a/bind/named.conf.local
++++ b/bind/named.conf.local
+@@ -41,6 +41,9 @@ zone "knjiznica.ffzg.hr" {
+ zone "vbz.ffzg.hr" {
+        type master;
+        file "/etc/bind/vbz.ffzg.hr.db";
++       update-policy {
++               grant p2.vbz.ffzg.hr zonesub txt;
++       };
+ };
+
+
+Request certificate with dns auth:
+
+mjesec:/etc/letsencrypt# cat credentials.ini 
+dns_rfc2136_server = 127.0.0.1
+dns_rfc2136_name = p2.vbz.ffzg.hr
+dns_rfc2136_secret = Wtr3f3kvFRNdGmVVd0JdPlvelbD/ccxin+AqzvEp/mtKJg7SoXjN6Y8nyVkJWpswoyntgJd7YXcsXKZgzKVbpw==
+dns_rfc2136_algorithm = HMAC-SHA512
+
+
+dpavlin@mjesec:/srv/via-proxy$ sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/credentials --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136-propagation-seconds 5 -d 'p2.vbz.ffzg.hr' -d '*.p2.vbz.ffzg.hr' -d '*.bmj.com.p2.vbz.ffzg.hr'
+
+
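Review bot: The TSIG secret is committed in clear text twice, in the `secret "..."` line of the `key "p2.vbz.ffzg.hr"` block and again in the `dns_rfc2136_secret =` line of credentials.ini, and the `grant p2.vbz.ffzg.hr zonesub txt;` policy gives that key write access to TXT records in vbz.ffzg.hr, so anyone who can read this repository can complete DNS-01 validation and obtain certificates for names under that zone. The key should be rotated (re-run `dnssec-keygen`, or `tsig-keygen p2.vbz.ffzg.hr` on newer BIND) and the guide should show a placeholder such as `dns_rfc2136_secret = <TSIG_SECRET>` rather than the live value; the copy in the `key` block also has a stray space inserted by line wrapping. The credentials file is shown as `credentials.ini` in the `cat` step but passed as `--dns-rfc2136-credentials /etc/letsencrypt/credentials` to certbot, so one of the two paths is wrong. Since the file holds a zone-update credential, the guide should also include `chmod 600 /etc/letsencrypt/credentials.ini` before the certonly step; the rfc2136 plugin warns when that file is readable by other users.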
diff --git a/providers/www.bmj.com.conf b/providers/www.bmj.com.conf
new file mode 100644 (file)
index 0000000..7d6b07a
--- /dev/null
@@ -0,0 +1,48 @@
+# see certbot-wildcard.txt to see how is this configured
+
+<VirtualHost *:443>
+       Include /srv/via-proxy/ssl.conf
+
+       SSLCertificateFile      /etc/letsencrypt/live/p2.vbz.ffzg.hr/cert.pem
+       SSLCertificateKeyFile   /etc/letsencrypt/live/p2.vbz.ffzg.hr/privkey.pem
+       SSLCertificateChainFile /etc/letsencrypt/live/p2.vbz.ffzg.hr/chain.pem
+
+       ServerName www.bmj.com.p2.vbz.ffzg.hr
+       ServerAlias *.bmj.com.p2.vbz.ffzg.hr
+
+       RewriteEngine on
+       # fix broken chunging
+       #RewriteRule    /common/javascript/extjs/ext-all.js     https://www.bmj.com/common/javascript/extjs/ext-all.js [R,L]
+
+       SSLProxyEngine on
+       ProxyAddHeaders Off
+
+       <Proxy https://*.bmj.com/*>
+               Order Deny,Allow
+               Allow from all
+       </Proxy>
+
+       RewriteCond     %{HTTP_HOST}    ^(.+bmj.com)
+       RewriteRule     ^/(.*)$         https://%1/$1 [P]
+
+#      ProxyPass        / https://www.bmj.com/
+#      ProxyPassReverse / https://www.bmj.com/
+
+       Header edit* Set-Cookie "(.*)(?i:; *domain=)([^;]+)(.*)" "$1 ; domain=$2.p2.vbz.ffzg.hr $3"
+       #Header edit* Set-Cookie "(.*)(?i:; *secure)" "$1"
+       Header edit* Location "https://([a-z]+).bmj.com" "https://$1.bmj.com.p2.vbz.ffzg.hr"
+
+       RequestHeader unset Accept-Encoding
+       # we don't use https:// here because some urls are in javascript with escaped http:\/\/
+       Substitute "s|(\w+)\.bmj\.com|$1.bmj.com.p2.vbz.ffzg.hr|i"
+
+       FilterDeclare NEWPATHS
+       FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^text/html|"
+       FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^text/css|"
+       FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^text/javascript|"
+       FilterProvider NEWPATHS SUBSTITUTE "%{Content_Type} =~ m|^application/javascript|"
+       FilterChain NEWPATHS
+
+       CustomLog /var/log/apache2/access-p2.vbz.ffzg.hr.log vhost_combined
+</VirtualHost>
+
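Review bot: The `RewriteCond %{HTTP_HOST} ^(.+bmj.com)` line is not anchored at the end and leaves the dots unescaped, so the proxy target `%1` in the following `[P]` rule is whatever prefix of the client-supplied Host header ends in `bmj`, any character, `com`; the ServerAlias does not bound this on its own, because Apache hands an unmatched Host to the first vhost on the socket. Anchor the capture to the suffix this vhost actually serves: `RewriteCond %{HTTP_HOST} ^([a-z0-9-]+\.bmj\.com)\.p2\.vbz\.ffzg\.hr$ [NC]`. The `<Proxy https://*.bmj.com/*>` block with `Allow from all` does not appear to compensate, since a `[P]` rewrite to a URL outside that pattern is simply not subject to the section. The `Header edit* Location "https://([a-z]+).bmj.com"` pattern has the same unescaped dots and would be tighter as `https://([a-z]+)\.bmj\.com`.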