ACMEv2 and Wildcard Launch Delay


Advising customers and making promises to them about solutions that are reliant on a third party provider, which is outside of your control, sounds like poor management to me.

Making assumptions is what has got you to the point that you don’t have any answers. I would rather the wildcard certificates are delivered to a high quality instead of shipping them to us with lots of problems that could damage their reputation, as well as some of the sites the certificates will be protecting.


Almost every one of us uses a third-party “provider”. And it’s not making promises, advising them that something is going to be available soon based on the provider’s notes and published timeline.

It’s all about communication. But maybe that is something which you will not understand. We never made any assumptions. Or maybe we did, by assuming that they were going to follow their own published timeline.

Anyway, I don’t want to get into any argument with you on this. We are all professionals here.

Let’s Encrypt is great and it will remain so. This is a Let’s Encrypt community and something concerned us and we raised our point.

FYI, I know what my options are if Let’s Encrypt is unable to provide wildcard certs for now.


Well, please forget about my last comment :) I really do not mean to rush LE.

But I agree with other folks: please communicate with the community more clearly.

There is nothing worse than bad communication, which directly leads to lack of trust.

I can even suggest that LE ask for help from the community in releasing so appropriate a feature, if this is technically possible, of course :slight_smile:

P.S. I do love LE and I want to invest in LE; the last thing I want is to invest in commercial certificates because of lack of trust and transparency.


Got to be right of course but the sooner the better. Thanks for the effort!


Will ACMEv2 and wildcard be available before April 4, or will I need to renew my existing non-wildcard certificates at least one more time?


There’s still a fair degree of activity on the ACME mailing list. I’m no one of influence, but if I were a betting man I’d anticipate another non-wildcard renewal.


Trust is definitely more important than hitting deadlines.
As long as the issuance is waterproof and fool-proof we are happy.
Way to go Let’s Encrypt


I’ve been waiting for a long time for wildcard certificates to happen, so I’m in high anticipation. A few more days/weeks of waiting wouldn’t change anything for me. I’m extremely excited that LetsEncrypt has gotten as far as it has. When it started, I was merely hopeful that it would have the means to continue operation, since otherwise SSL looked to be an impossibility for me, without self-generating certificates and putting the CA cert across organization computers. I’m glad that it has transformed into the service it has today. I remember the day that it came out, and setting my personal domain to HTTPS and finding the little green lock when I opened my browser was a gratifying achievement. :slight_smile:

I’ve been particularly excited for wildcard certificates, because now I can spin up small subdomains for quick one-off CS projects and not have to worry about the HTTPS server not having the certificate for the domain, and having to have everyone in the project approve the “invalid” certificates in their browsers. Woo!


I notice that is resolving, responding, and serving up valid certificates… just waiting for the official announcement now. :smiley:


You can get production certs from the acme-v02 endpoint right now, but wildcards are not yet enabled.

Error creating new order: acme: error code 400 “urn:ietf:params:acme:error:malformed”: Error creating new order :: Wildcard names not supported


Even the API certificate itself has the same encoding problem that causes the delays.


Yeah, makes sense given 2018.03.12 Wildcard Certificate Encoding Issue. For myself, I’m more interested just in the ACMEv2 endpoint since the client I wrote doesn’t do dns validation (or ACMEv1). I wrote it on Feb. 21st, so it felt silly to support an already obsolete protocol.

On the other hand, I don’t want to commit changes using the production endpoint until there’s an announcement, so tonight I dream of an announcement of a non-wildcard v2 announcement in the morning. :slight_smile:


@schoen @josh Did you see it? Are there any other impacted certificates? Will it be revoked? As it’s not under your root, is that CA aware?,x509lint

* certificate may be revoked soon

Honestly, that is FAR from a good idea. If that API goes weird and issues stuff that shouldn’t have been issued, and they have rolled out a beta API to the trusted chain on purpose, they might as well close the CA.

Although others do charge a lot, this is basically with no technical reason; the validity of the request and ownership/control of the domain still has to be checked, and they IIRC still go through automatically, so no extra effort or whatever, just maybe some insurance that won’t help anyway.



The ACMEv2 and wildcard support has launched today. See


Wildcard is here! See this for details:


A post was split to a new topic: OSX Homebrew: Certbot 0.22.0 availability?


Awesome. This is seriously great.


Huzzah! :slight_smile:

Net::ACME2’s Let’s Encrypt module has been updated to use the new endpoint.

