Automation for request/renewal wildcard certs on Nginx

icelava · August 29, 2019, 10:38am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lyte.sg

I ran this command: No certbot command to automate wildcard cert request from Nginx config

It produced this output: N/A

My web server is (include version):Nginx 1.14.0-0ubuntu1.6

The operating system my web server runs on is (include version): Ubuntu Server 18.04

My hosting provider, if applicable, is: DNS - AWS Route53

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I have successfully tested a certbot --nginx setup for a static FQDN test certificate (e.g. static.domain.net). However, when I changed Nginx server block to wildcard style *.domain.net it looks like Certbot does not recognise/support that

> # certbot --nginx
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Plugins selected: Authenticator nginx, Installer nginx
> No names were found in your configuration files. Please enter in your domain
> name(s) (comma and/or space separated) (Enter 'c' to cancel): c
> Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.

I’ve look through a number of articles written by different people on the procedure for request wildcard certs from Let’s Encrypt, and they all do so as manual steps to launch certbot certonly + DNS plugin adjustments, then manually re-configuring Ngnix after obtaining the cert.

I guess there’s no combo procedure to auto-detect from Nginx the wildcard domains and interacting with both LE and Route53?

JuergenAuer · August 29, 2019, 1:12pm

Hi @icelava

that's not possible.

If you use --nginx, the http challenge is used to validate your domain name.

But if you want to create a wildcard certificate (which has nothing to do with a wildcard vHost), then you have to use dns-validation.

So --nginx as authenticator can't be used to validate a wildcard certificate.

Read

mnordhoff · August 29, 2019, 1:39pm

Certbot’s Route 53 DNS plugin is available in the python3-certbot-dns-route53 package.

You can combine the Route 53 authenticator and the Nginx installer with “certbot -a dns-route53 -i nginx”.

https://certbot-dns-route53.readthedocs.io/en/stable/

schoen · August 29, 2019, 10:56pm

In this case it will indeed not be able to “auto-detect” the domains from the nginx configuration; they would be specified interactively, or via the -d option on the command line. But the method suggested by @mnordhoff is the recommended one if you’re going to use Certbot for this.

icelava · September 9, 2019, 4:43pm

My boss eventually did not like the idea of granting the Certbot process management access of entire domain zones, so he opted for delegation to sub-domains with the help of ACME-DNS. We tested it out and it appears to meet our requirements, so we’ve abandoned the Route53 plug-in approach.

system · October 9, 2019, 4:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.