JupyterHub subdomains and multiple SSL certs


I'm setting up a multi-user JupyterHub server. I've implemented the subdomain mechanism recommended in the JupyterHub documentation. A user types in the login URL for the server in their web browser, e.g., https://notebook.example.com, and when they log in JupyterHub creates a subdomain for them, e.g., https://username.notebook.example.com.

I've got the wildcard DNS working just fine. The issue is that this setup seems to require multiple SSL certificates. My certificate authority was kind enough to give me certificates for both notebook.example.com and the wildcard certificate *.notebook.example.com. If I have this configuration for the notebook.example.com certificate:

c.JupyterHub.ssl_cert = '/etc/pki/tls/certs/notebook.example.com.cer'

then the user's browser will accept the certificate for the login URL, but will give an unrecognized certificate message when the user is forwarded to the user's subdomain URL. If I use the other certificate, e.g.

c.JupyterHub.ssl_cert = '/etc/pki/tls/certs/wildcard.notebook.example.com.cer'

then the user's browser will complain that "notebook.example.com" doesn't match *.notebook.example.com in the certificate, but will accept the certificate when the user is forwarded to their subdomain.

Obviously I could tell the users to agree to a certificate exception in one case or the other, but this might create long-term support problems (I have to instruct them how to accept the unrecognized certificate for all the different browsers; they might get into the habit of blindly accepting certificates).

Is there a way of configuring JupyterHub to use one certificate for the initial login and a different one for subdomains?


Solution

  • I think I've found a solution on my own. I sent a CSR request to my authority for a Multiple Domain Certificate, one that included both notebook.example.com and *.notebook.example.com. I followed the directions here to create the CSR: http://apetec.com/support/generatesan-csr.htm

    To my surprise, they accepted the request for a multiple domain certificate with a wildcard host name. I'm still testing, but it looks like it works with both the login URL and the subdomain URL of JupyterHub with no problem.
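
The CSR described in this answer can be generated and checked locally before it goes to the CA. This is an added example, not part of the original post: the hostnames are the example names from the question, and the file names and function names are assumptions.

```shell
#!/bin/sh
# Added example: CSR whose subjectAltName covers the hub login host and the
# per-user wildcard. File and function names are assumptions.
HUB_HOST="notebook.example.com"   # example hostname from the question

make_san_csr() {   # $1 = output directory
    cat > "$1/san.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = $HUB_HOST
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $HUB_HOST
DNS.2 = *.$HUB_HOST
EOF
    # Subshell keeps the restrictive umask local; the key must stay private.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$1/san.cnf" \
          -keyout "$1/hub.key" -out "$1/hub.csr" 2>/dev/null )
}

list_sans() {      # $1 = CSR file; prints one DNS name per line
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -e 's/^ *DNS://' -e 's/ *$//'
}

csr_covers_hub_and_users() {   # succeeds only if both names are requested
    sans=$(list_sans "$1")
    printf '%s\n' "$sans" | grep -qxF "$HUB_HOST" &&
    printf '%s\n' "$sans" | grep -qxF "*.$HUB_HOST"
}

# Demo run in a scratch directory
demo_dir=$(mktemp -d)
make_san_csr "$demo_dir" && list_sans "$demo_dir/hub.csr"
if csr_covers_hub_and_users "$demo_dir/hub.csr"; then echo "CSR covers both names"; fi
```

A wildcard entry matches exactly one label to its left, which is why `*.notebook.example.com` alone does not cover `notebook.example.com` and both names have to appear in the SAN list.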