Automation for request/renewal wildcard certs on Nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lyte.sg

I ran this command: No certbot command to automate wildcard cert request from Nginx config

It produced this output: N/A

My web server is (include version): Nginx 1.14.0-0ubuntu1.6

The operating system my web server runs on is (include version): Ubuntu Server 18.04

My hosting provider, if applicable, is: DNS - AWS Route53

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I have successfully tested a certbot --nginx setup for a static FQDN test certificate (e.g. static.domain.net). However, when I changed the Nginx server block to the wildcard style *.domain.net, it looks like Certbot does not recognise/support that:

> # certbot --nginx
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Plugins selected: Authenticator nginx, Installer nginx
> No names were found in your configuration files. Please enter in your domain
> name(s) (comma and/or space separated) (Enter 'c' to cancel): c
> Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.

I’ve looked through a number of articles written by different people on the procedure for requesting wildcard certs from Let’s Encrypt, and they all do so as manual steps to launch certbot certonly + DNS plugin adjustments, then manually re-configuring Nginx after obtaining the cert.

I guess there’s no combo procedure to auto-detect from Nginx the wildcard domains and interacting with both LE and Route53?

Hi @icelava

that’s not possible.

If you use --nginx, the http challenge is used to validate your domain name.

But if you want to create a wildcard certificate (which has nothing to do with a wildcard vHost), then you have to use dns-validation.

So --nginx as authenticator can’t be used to validate a wildcard certificate.

Read

2 Likes

Certbot’s Route 53 DNS plugin is available in the python3-certbot-dns-route53 package.

You can combine the Route 53 authenticator and the Nginx installer with “certbot -a dns-route53 -i nginx”.

https://certbot-dns-route53.readthedocs.io/en/stable/

2 Likes

In this case it will indeed not be able to “auto-detect” the domains from the nginx configuration; they would be specified interactively, or via the -d option on the command line. But the method suggested by @mnordhoff is the recommended one if you’re going to use Certbot for this.

2 Likes
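The combination recommended in the two replies above (Route 53 for the DNS-01 challenge, the nginx installer for the server block, names passed with -d), as an added wrapper script that is not code from the thread or from Certbot. It assumes certbot 0.31 with the python3-certbot-dns-route53 package installed, Route 53 credentials reachable by the plugin through boto3's usual lookup (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, ~/.aws/credentials, or an instance role, the last of which cannot be checked offline), and an EMAIL variable for the ACME account. CERTBOT is a hypothetical override so the script can be exercised without running the real client; the hosted zone ID in the IAM policy is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: wrap
# "certbot -a dns-route53 -i nginx" so a wildcard certificate for one domain
# can be issued and its renewal checked from a single script.
# Assumptions: certbot 0.31 + python3-certbot-dns-route53, Route 53 credentials
# visible to boto3, EMAIL set for the ACME account. CERTBOT is a hypothetical
# override (not a Certbot option) used for dry runs.

# Names to put on the certificate. "*.DOMAIN" does not match the bare apex,
# so both names go on the same certificate.
cert_names() {
    printf '%s\n' "$1" "*.$1"
}

# Return 0 if an explicit credential source is visible, 1 otherwise. The
# plugin only fails at the DNS step, so checking first gives a clearer error.
# (An instance role would also work but cannot be detected here.)
have_route53_creds() {
    if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
        return 0
    fi
    [ -r "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" ] && return 0
    return 1
}

# Authenticate with Route 53 (DNS-01), then let the nginx installer wire the
# certificate into the matching server block. Names are passed with -d because,
# as noted above, they cannot be auto-detected from a wildcard vHost.
issue_wildcard() {
    domain="$1"
    have_route53_creds || { echo "no Route 53 credentials found" >&2; return 1; }
    set -f   # keep "*.$domain" from being expanded as a filename glob
    set -- -a dns-route53 -i nginx --non-interactive --agree-tos --email "$EMAIL"
    for name in $(cert_names "$domain"); do
        set -- "$@" -d "$name"
    done
    set +f
    "${CERTBOT:-certbot}" "$@"
}

# Renewal reuses the authenticator/installer recorded under
# /etc/letsencrypt/renewal/, so a dry run proves the credentials still work
# long before the certificate nears expiry.
check_renewal() {
    "${CERTBOT:-certbot}" renew --dry-run
}

# Least-privilege IAM policy for the plugin, scoped to one hosted zone
# ($1 is the zone ID; use a placeholder until you have yours). Even so scoped,
# the key can rewrite every record in that zone.
route53_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:ListHostedZones", "route53:GetChange"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/$1"]}
  ]
}
EOF
}

# Usage: EMAIL=admin@lyte.sg ./issue-wildcard.sh lyte.sg
if [ $# -eq 1 ]; then
    issue_wildcard "$1" && check_renewal
fi
```

Because the renewal configuration stores both plugins, the script only needs to be run once per domain; the usual `certbot renew` timer handles the rest, and `check_renewal` is a cheap way to confirm that the Route 53 key is still valid.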

My boss eventually did not like the idea of granting the Certbot process management access to entire domain zones, so he opted for delegation to sub-domains with the help of ACME-DNS. We tested it out and it appears to meet our requirements, so we’ve abandoned the Route53 plug-in approach.
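The delegation the last post describes, as an added example that is not code from the thread or from the acme-dns project: the zone itself holds only a CNAME from `_acme-challenge.lyte.sg` to the name acme-dns assigned at registration, so the credential this hook carries can write one TXT name and nothing else in lyte.sg. It assumes an acme-dns server reachable at ACMEDNS_URL, and that ACMEDNS_USER, ACMEDNS_KEY and ACMEDNS_SUBDOMAIN hold the username, password and subdomain fields returned by that server's POST /register. CURL is a hypothetical override so the hook can be exercised without network access; the script is otherwise meant to be used as the Certbot manual-auth hook.

```shell
#!/bin/sh
# Added example, not from the thread or from acme-dns: a Certbot manual-auth
# hook that publishes the DNS-01 token through an acme-dns instance, plus the
# certbot call that uses it.
# Assumptions: ACMEDNS_URL points at the acme-dns server; ACMEDNS_USER,
# ACMEDNS_KEY and ACMEDNS_SUBDOMAIN come from its POST /register response; the
# zone already contains
#   _acme-challenge.lyte.sg.  CNAME  <ACMEDNS_SUBDOMAIN>.<acme-dns zone>.
# CURL and CERTBOT are hypothetical overrides for offline testing.

# JSON body for acme-dns POST /update; the API takes exactly subdomain + txt.
acmedns_payload() {
    printf '{"subdomain":"%s","txt":"%s"}' "$1" "$2"
}

# Push the token Certbot exports as CERTBOT_VALIDATION. acme-dns keeps the two
# most recent TXT values for a subdomain, which is what a certificate for
# lyte.sg plus *.lyte.sg needs: both validations land on _acme-challenge.lyte.sg.
push_validation() {
    [ -n "$CERTBOT_VALIDATION" ] || { echo "CERTBOT_VALIDATION not set" >&2; return 1; }
    "${CURL:-curl}" -fsS -X POST "$ACMEDNS_URL/update" \
        -H "X-Api-User: $ACMEDNS_USER" \
        -H "X-Api-Key: $ACMEDNS_KEY" \
        -H "Content-Type: application/json" \
        -d "$(acmedns_payload "$ACMEDNS_SUBDOMAIN" "$CERTBOT_VALIDATION")"
}

# Request the certificate with this script as the hook. Certbot runs the hook
# once per name; acme-dns answers the TXT query itself, so no propagation wait
# is needed. --manual-public-ip-logging-ok is what the 0.x releases require to
# run the manual plugin without a prompt.
issue_with_acmedns() {
    domain="$1"
    hook="$2"
    set -f   # pass "*.$domain" literally, not as a glob
    "${CERTBOT:-certbot}" certonly --manual --preferred-challenges dns \
        --manual-auth-hook "$hook" --manual-public-ip-logging-ok \
        -d "$domain" -d "*.$domain"
    set +f
}

# No arguments: Certbot is calling us as the hook.
# One argument: an operator is asking for a certificate for that domain.
if [ $# -eq 0 ] && [ -n "$CERTBOT_VALIDATION" ]; then
    push_validation
elif [ $# -eq 1 ]; then
    issue_with_acmedns "$1" "$0"
fi
```

Because the record Certbot needs is answered by the acme-dns server rather than by Route 53, the Route 53 credentials never leave the DNS team; the only secret on the web server is the per-subdomain acme-dns key, and compromising it lets an attacker change one TXT record, not the zone.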