Acme.sh supports ACME v2 wildcard now

Install the latest branch here:

lets try wildcard:

Just use a wildcard domain as a normal domain:

acme.sh --test   --issue  -d www.acme.sh   -d acme.sh    -d  *.acme.sh    --dns  dns_cf

take care of the third -d *.acme.sh parameter above. It's simple, right ?

Limitation:

1. A wildcard domain can not be used for the first -d parameter. Support one wildcard domain only in a cert · Issue #1188 · acmesh-official/acme.sh · GitHub
2. wildcard domain can only use dns validation methods.

acme.sh  --test   --issue \
 -d www.acme.sh \
-d acme.sh \
-d *.acme.sh  \
-d sub.acme.sh  \
-d *.sub.acme.sh \
-d sub2.acme.sh \
-d *.sub2.acme.sh  \
--dns dns_cf 

a410×514 6.84 KB

NOTE: ACMEv2 and wildcard support is in beta, so you must use --test and only test certificates that are not trusted by browsers will be issued. To learn more about the general availability of ACMEv2 and wildcard certificates, follow this thread.

so you can’t just use *.domain.com like normal ssl certs ? that a limitation within acme.sh or requirement from letsencrypt side ?

It’s just a limitation of acme.sh, not letsencrypt.

it must contain both domain.com and *.domain.com at least.

any plans to eventually make *.domain.com only ?

also is --staging and --test tied to ACME v2 endpoint ? i am not seeing ACME v2 endpoint being used when i use for non-wildcard domain issuance

/root/.acme.sh/acme.sh --staging --issue -d domain.com

[Sat Jan  6 10:18:52 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sat Jan  6 10:18:52 UTC 2018] Creating domain key

ACME_VERSION is being set to 2

grep -rn ACME_VERSION= /root/.acme.sh/
/root/.acme.sh/acme.sh:2223:          export ACME_VERSION=2
/root/.acme.sh/acme.sh:5503:              export ACME_VERSION=2

so should default to ACME v2 endpoint according to code at https://github.com/Neilpang/acme.sh/commit/6ae3911972d6c67e4170cc90e941e733e21429fd#diff-e0ccd570d61541321b7e6e0ee4265daeR2282

git branch             
* 2

git log -1
commit 6ae3911972d6c67e4170cc90e941e733e21429fd
Author: neilpang <snipped>
Date:   Sat Jan 6 17:39:15 2018 +0800

    support ACME v2 wildcard cert

or is ACME v2 endpoint only being triggered for wildcard ssl cert issuances ?

any plans to eventually make *.domain.com only ?

Not yet, but that's not a big problem. It's just a limitation of acme.sh commandline usage.

is ACME v2 endpoint only being triggered for wildcard ssl cert issuances

Yes, we use ACME v1 be default. ACME v2 will be used automatically if a wildcard domain is found.

But you can force to use ACME v2, by using the --server parameter.

thanks @Neilpang for the clarification

working fine for non-wildcard when setting --server specifically

cat /root/centminlogs/acmetool.sh-debug-log-060118-103550.log
[Sat Jan  6 10:37:05 UTC 2018] Lets find script dir.
[Sat Jan  6 10:37:05 UTC 2018] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Jan  6 10:37:05 UTC 2018] _script='/root/.acme.sh/acme.sh'
[Sat Jan  6 10:37:05 UTC 2018] _script_home='/root/.acme.sh'
[Sat Jan  6 10:37:05 UTC 2018] Using config home:/root/.acme.sh
[Sat Jan  6 10:37:05 UTC 2018] LE_WORKING_DIR='/root/.acme.sh'
[Sat Jan  6 10:37:05 UTC 2018] Using config home:/root/.acme.sh
[Sat Jan  6 10:37:05 UTC 2018] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Sat Jan  6 10:37:05 UTC 2018] _ACME_SERVER_HOST='acme-staging-v02.api.letsencrypt.org'

now to test wildcard certs

Just tested it and it works great:

root@manager ~ # adduser acme2
Adding user `acme2' ...
Adding new group `acme2' (1006) ...
Adding new user `acme2' (1006) with group `acme2' ...
Creating home directory `/home/acme2' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for acme2
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
root@manager ~ # su acme2
bash: alias: -wSc: not found
acme2@manager:/root$ cd /home/acme2/
acme2@manager:~$ git clone https://github.com/Neilpang/acme.sh.git
Cloning into 'acme.sh'...
remote: Counting objects: 5355, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 5355 (delta 4), reused 6 (delta 2), pack-reused 5343
Receiving objects: 100% (5355/5355), 1.99 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2893/2893), done.
acme2@manager:~$ cd acme.sh/
acme2@manager:~/acme.sh$ git checkout 2 
Branch 2 set up to track remote branch 2 from origin.
Switched to a new branch '2' 
acme2@manager:~/acme.sh$ ./acme.sh --install 
[Sat Jan6 11:56:33 CET 2018] Installing to /home/acme2/.acme.sh
[Sat Jan6 11:56:33 CET 2018] Installed to /home/acme2/.acme.sh/acme.sh 
[Sat Jan6 11:56:33 CET 2018] Installing alias to '/home/acme2/.bashrc' 
[Sat Jan6 11:56:33 CET 2018] OK, Close and reopen your terminal to start using acme.sh 
[Sat Jan6 11:56:33 CET 2018] Installing cron job 
no crontab for acme2 
no crontab for acme2 
[Sat Jan6 11:56:33 CET 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jan6 11:56:34 CET 2018] OK
acme2@manager:~/acme.sh$ exit
exit 
root@manager ~ # su acme2
acme2@manager:/root$ cd /home/acme2/
acme2@manager:~$ which acme.sh 
acme2@manager:~$ 
acme2@manager:~$ export ISPC_User="xxx"
acme2@manager:~$ export ISPC_Password="xxx"
acme2@manager:~$ export ISPC_Api="https://manager.roleplayer.org:8080/remote/json.php"
acme2@manager:~$ export ISPC_Api_Insecure="0"
acme2@manager:~$ acme.sh --test --issue -d roleplayer.org -d *.roleplayer.org --dns dns_ispconfig
[Sat Jan6 12:03:50 CET 2018] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jan6 12:03:51 CET 2018] Registering account 
[Sat Jan6 12:03:52 CET 2018] Registered
[Sat Jan6 12:03:52 CET 2018] ACCOUNT_THUMBPRINT='xxx'
[Sat Jan6 12:03:52 CET 2018] Creating domain key 
[Sat Jan6 12:03:52 CET 2018] The domain key is here: /home/acme2/.acme.sh/roleplayer.org/roleplayer.org.key
[Sat Jan6 12:03:52 CET 2018] Multi domain='DNS:roleplayer.org,DNS:*.roleplayer.org'
[Sat Jan6 12:03:52 CET 2018] Getting domain auth token for each domain 
[Sat Jan6 12:03:53 CET 2018] Getting webroot for domain='roleplayer.org' 
[Sat Jan6 12:03:53 CET 2018] Getting webroot for domain='*.roleplayer.org' 
[Sat Jan6 12:03:53 CET 2018] Found domain api file: /home/acme2/.acme.sh/dnsapi/dns_ispconfig.sh 
[Sat Jan6 12:03:53 CET 2018] Getting Session ID
[Sat Jan6 12:03:53 CET 2018] Retrieved Session ID. 
[Sat Jan6 12:03:53 CET 2018] Getting Zoneinfo
[Sat Jan6 12:03:53 CET 2018] Retrieved zone data.
[Sat Jan6 12:03:54 CET 2018] Retrieved Server ID 
[Sat Jan6 12:03:54 CET 2018] Retrieved Zone ID 
[Sat Jan6 12:03:54 CET 2018] Retrieved Client ID.
[Sat Jan6 12:03:54 CET 2018] Added ACME Challenge TXT record to zone.
[Sat Jan6 12:03:54 CET 2018] Found domain api file: /home/acme2/.acme.sh/dnsapi/dns_ispconfig.sh 
[Sat Jan6 12:03:54 CET 2018] Getting Session ID
[Sat Jan6 12:03:54 CET 2018] Retrieved Session ID. 
[Sat Jan6 12:03:54 CET 2018] Getting Zoneinfo
[Sat Jan6 12:03:54 CET 2018] Retrieved zone data.
[Sat Jan6 12:03:54 CET 2018] Retrieved Server ID 
[Sat Jan6 12:03:54 CET 2018] Retrieved Zone ID 
[Sat Jan6 12:03:54 CET 2018] Retrieved Client ID.
[Sat Jan6 12:03:54 CET 2018] Added ACME Challenge TXT record to zone.
[Sat Jan6 12:03:54 CET 2018] Sleep 120 seconds for the txt records to take effect
[Sat Jan6 12:05:55 CET 2018] Verifying:roleplayer.org
[Sat Jan6 12:05:58 CET 2018] Success 
[Sat Jan6 12:05:58 CET 2018] Verifying:*.roleplayer.org
[Sat Jan6 12:06:01 CET 2018] Success 
[Sat Jan6 12:06:01 CET 2018] Getting Session ID
[Sat Jan6 12:06:01 CET 2018] Retrieved Session ID. 
[Sat Jan6 12:06:01 CET 2018] Retrieved Record ID.
[Sat Jan6 12:06:01 CET 2018] Removed ACME Challenge TXT record from zone.
[Sat Jan6 12:06:01 CET 2018] Getting Session ID
[Sat Jan6 12:06:01 CET 2018] Retrieved Session ID. 
[Sat Jan6 12:06:01 CET 2018] Retrieved Record ID.
[Sat Jan6 12:06:01 CET 2018] Removed ACME Challenge TXT record from zone.
[Sat Jan6 12:06:01 CET 2018] Verify finished, start to sign. 
[Sat Jan6 12:06:02 CET 2018] Cert success. 
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[Sat Jan6 12:06:02 CET 2018] Your cert is in/home/acme2/.acme.sh/roleplayer.org/roleplayer.org.cer
[Sat Jan6 12:06:02 CET 2018] Your cert key is in/home/acme2/.acme.sh/roleplayer.org/roleplayer.org.key 
acme2@manager:~$ openssl x509 -text -noout -in .acme.sh/roleplayer.org/roleplayer.org.cer | grep DNS
                DNS:*.roleplayer.org, DNS:roleplayer.org
acme2@manager:~$

Update: The answer is that I omitted git checkout 2 step.

I’m using Windows bash and a .lol domain. Maybe Windows is the problem?

acme.sh --test --issue -d www.example.com -d example.com -d *.example.com --dns

Getting new-authz for domain=’*.example.com’

new-authz error: {“type”:“urn:acme:error:malformed”,“detail”:“Error creating new authz :: Invalid character in DNS name”,“status”: 400}

maybe add an alias or other command for issue-wildcard

acme.sh --test --issue-wildcard \
-d acme.sh \
--dns dns_cf 

so when issue-wildcard is used it automatically takes the acme.sh defined and expands it to

-d acme.sh -d *.acme.sh

or use that initial -d acme.sh only for your command line to make it work and automatically just use *.acme.sh in common name for ssl cert itself when issue-wildcard is used

Hi! Now it works only --test mode?
Without --test : Can not init api

You want *.example.com only in the cert ? right ?

I just want to know your real use case, why not have two domains: example.com and *.example.com in the cert ?

Thanks.

@Neilpang Great news! Thank you for adding support I put out a PR to add acme.sh to the supported V2 clients section of the client list. Thanks,

I just want to know your real use case, why not have two domains: example.com and *.example.com in the cert ?

@Neilpang Because if they are not on the same host, having a certificate valid for example.com and *.example.com on both host is can lead to security problems:

• It goes against the principle of least privilege Principle of least privilege - Wikipedia
• It may lead to virtual host confusion attacks http://bh.ht.vc/vhost_confusion.pdf

(his reason can be different of course)

same as bond84, I get “Can not init api” if I leave off --test.

acme2@8700K-480GB:~/.acme.sh/example.com$ acme.sh --issue -d example.com -d *.example.com --dns --force --debug
[Mon Jan 8 21:48:15 STD 2018] Lets find script dir.
[Mon Jan 8 21:48:15 STD 2018] SCRIPT=’/home/acme2/.acme.sh/acme.sh’
[Mon Jan 8 21:48:15 STD 2018] _script=’/home/acme2/.acme.sh/acme.sh’
[Mon Jan 8 21:48:15 STD 2018] _script_home=’/home/acme2/.acme.sh’
[Mon Jan 8 21:48:15 STD 2018] Using config home:/home/acme2/.acme.sh
https://github.com/Neilpang/acme.sh
v2.7.6
[Mon Jan 8 21:48:15 STD 2018] Using config home:/home/acme2/.acme.sh
[Mon Jan 8 21:48:15 STD 2018] DOMAIN_PATH=’/home/acme2/.acme.sh/example.com’
[Mon Jan 8 21:48:15 STD 2018] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/director
y
[Mon Jan 8 21:48:15 STD 2018] _init api for server: https://acme-v02.api.letsencrypt.org/director
y
[Mon Jan 8 21:48:15 STD 2018] GET
[Mon Jan 8 21:48:15 STD 2018] url=‘https://acme-v02.api.letsencrypt.org/directory’
[Mon Jan 8 21:48:15 STD 2018] timeout=
[Mon Jan 8 21:48:15 STD 2018] _CURL='curl -L --silent --dump-header /home/acme2/.acme.sh/http.hea
der '
[Mon Jan 8 21:48:15 STD 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html
for error code: 6
[Mon Jan 8 21:48:15 STD 2018] ret=‘6’
[Mon Jan 8 21:48:15 STD 2018] Can not init api.

Yup just *.example.com in cert in keeping size of ssl cert to minimum and traditionally that’s what wildcard ssl certs have done. So I definitely won’t be the last person to ask about it or request it. You can certainly keep it the way you have it, but you’ll be nagged about it over time anyway

You can't issue live web trusted wildcard ssl certs yet.. only test untrusted are available for public ACME v2 API testing right now.

Why am I getting instructions to create TXT records when they’re already in DNS (verified by global propagation checker)? Is it correct that I needed to create two TXT records with the same domain (_acme-challenge.example.com)?

acme.sh --test --issue -d example.com -d *.example.com --dns --force

[Mon Jan 8 22:42:34 STD 2018] Add the following TXT record:
[Mon Jan 8 22:42:34 STD 2018] Domain: ‘_acme-challenge.example.com’
[Mon Jan 8 22:42:34 STD 2018] TXT value: ‘…hash…’
[Mon Jan 8 22:42:34 STD 2018] Please be aware that you prepend _acme-challenge. before
n
[Mon Jan 8 22:42:34 STD 2018] so the resulting subdomain will be: _acme-challenge.example.com
[Mon Jan 8 22:42:34 STD 2018] Add the following TXT record:
[Mon Jan 8 22:42:34 STD 2018] Domain: ‘_acme-challenge.example.com’
[Mon Jan 8 22:42:34 STD 2018] TXT value: ‘…hash…’
[Mon Jan 8 22:42:34 STD 2018] Please be aware that you prepend _acme-challenge. before
n
[Mon Jan 8 22:42:34 STD 2018] so the resulting subdomain will be: _acme-challenge.example.com
[Mon Jan 8 22:42:34 STD 2018] Please add the TXT records to the domains, and retry again.
[Mon Jan 8 22:42:34 STD 2018] Please add ‘–debug’ or ‘–log’ to check more details.

You would be better served by creating a separate help topic with this post, as it’s not client dev related. There will also be a list of questions that help the community assist you when you create a thread under the Help topic.

I’m just a beginner at acme.sh but my dev instincts are saying there’s at least one bug, issues with error messages, issues with documentation. all wrapped up in this one post. When I get an answer, I’ll know if this was the right place to post or whether I should have posted in help. Right now I think this is the right place.