Can't complete the setup process

here is one


i know other sites that do this

Well, let's review what we've already stated:
Wildcard certs require DNS authentication.
The wildcard has to be the leftmost entry.
Only one wildcard "*" can be used in any name.
Certs are limited to 100 names.
...
Did I miss anything?
Oh yes!
No name can have more than 7 dots [not 100% sure on that exact number]



Off to a bad start but I'll review this when I get back.
TTYL

Alright.
You can add https:// to view the certs

You can try any domain you know and append .cutestat.com, it works.
They are not limited to 100 names, I have tested thousands, it works. That's what I need.

Also, I don't intend to have more than 4 dots.

3 dots plus my sites .com =4

They have issued 21 certificates covering all (or almost all) top level domains, that is how they are doing it.

You can see the certs they are using here.


Wow, how can I accomplish that?

I tried
certbot certonly -a webroot -w /root -d
"*.example.com,
*.net.example.com,
*.co.uk.example.com,
*.co.example.com"

It returned this 4 times >>
Requesting a certificate for *.example.com and *.com.example.com ...
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

Hello @donenam,

As @rg305 explained a few posts above, wildcard certificates can only be validated with the dns challenge and using the plugins available in certbot User Guide — Certbot 2.7.0.dev0 documentation, and that should be tricky because I see you are your own DNS provider and the plugin that should fit your conf should be certbot-dns-rfc2136. There are other options and other acme clients that you could use, but it could be a bit complicated.

I've never used cpanel so I don't know what the options are to issue certificates out of the box. I also don't know whether it is a good idea to use certbot in that way because, as I said, I don't know how cpanel would integrate it.

Maybe you could consider using a plugin for cpanel like FleetSSL (it is, or at least it was, developed by a community member @_az). This plugin has a cost but maybe it is worth it if it can issue wildcard certificates on your site without effort.

Cheers,
sahsanu


Nice, testing it now.

Alright, I have installed it and it works for my first wildcard subdomain, *.example.com

But how do I make it work for all possible subdomains? If I should create all the possible wildcard subdomains in this LIST, that means I would create over 1,012 subdomains.

Is that the only way out? Or is there something easier I could do?

As I said, I've no idea how cpanel works so I can't advise you, but maybe you should start creating and grouping the domains you want to serve in several VirtualHosts (the other site grouped them in 21 packs) and once it is working fine using http, then you should start thinking about requesting wildcard certificates for them.


There is no shorter shortcut.
Only one "*" can exist in the name.
And it must be the first thing seen.
"*" will not crossover any "."

If it could have been shorter, they would have taken that path too.

Alright, I guess I have to go through the hard path.

I'm guessing that the other site wrote some custom software to help automate the process of requesting these specialized certificates (rather than typing in the commands by hand or pasting from a spreadsheet or something). Even if it's using Certbot or lego or acme.sh, the commands to be run could have been generated by custom software.
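As an added example (not code from this thread, from Certbot, or from the other site), here is the kind of small generator the post above has in mind: it checks candidate names against the wildcard rules rg305 listed, builds one wildcard name per suffix, splits the names into batches of 100 (the per-certificate limit stated earlier), and emits one certbot command per batch using the dns-rfc2136 plugin sahsanu mentioned. The base domain example.com, the suffix list and the credentials path are assumptions.

```python
import re
from typing import List, Optional

BASE = "example.com"      # assumed base domain
MAX_NAMES = 100           # names-per-certificate limit stated in the thread
MAX_DOTS = 7              # rg305's (uncertain) dot-count limit
# Constructed sample suffixes standing in for the thread's LIST of TLD-like labels.
SUFFIXES = ["", "com", "net", "co.uk", "com.au", "dev", "org.uk"]

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_name(name: str) -> Optional[str]:
    """Return None if name obeys the wildcard rules, else the rule it breaks."""
    labels = name.lower().split(".")
    if name.count("*") > 1:
        return "only one '*' is allowed"
    if "*" in name and labels[0] != "*":
        return "'*' must be the whole leftmost label (it cannot cross a '.')"
    if name.count(".") > MAX_DOTS:
        return f"more than {MAX_DOTS} dots"
    for lab in (labels[1:] if labels[0] == "*" else labels):
        if not LABEL.match(lab):
            return f"bad label {lab!r}"
    return None


def wildcard_names(suffixes: List[str], base: str = BASE) -> List[str]:
    """Build '*.<suffix>.<base>' for every suffix, rejecting invalid results."""
    names = []
    for s in suffixes:
        name = f"*.{s}.{base}" if s else f"*.{base}"
        reason = check_name(name)
        if reason:
            raise ValueError(f"{name}: {reason}")
        names.append(name)
    return names


def batches(names: List[str], size: int = MAX_NAMES) -> List[List[str]]:
    """Split names into chunks of at most `size`, one chunk per certificate."""
    return [names[i:i + size] for i in range(0, len(names), size)]


def certbot_commands(names: List[str], creds: str = "/etc/letsencrypt/rfc2136.ini") -> List[str]:
    """One certbot invocation per batch; the credentials file path is assumed."""
    return [f"certbot certonly --dns-rfc2136 --dns-rfc2136-credentials {creds} "
            f"--cert-name wild-{i}" + "".join(f" -d '{n}'" for n in batch)
            for i, batch in enumerate(batches(names), 1)]
```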

Hello, I tried certbot again, using this:

certbot certonly --manual -d "*.example.com" -d "*.com.example.com" -d "*.dev.example.com"

It created a certificate,
but it asked me to create DNS TXT records three times.
I have about 1000 subdomains to add to certbot. Is there a way to do the DNS challenge once for all my subdomains? Thanks.

Unfortunately, no.
The best solution is to automate the entire process.

Any guide about that? I haven't found any online.

It's been a long day. I managed to create 2 SAN certificates containing 100 subdomains each.

But I noticed that if I don't delete the ACME challenge DNS record that I pasted for each of the 200 subdomains, that exact subdomain won't be reachable; my browser throws an error, unable to connect or This site can't be reached....

Question is, during certificate renewal after 3 months, will that ACME challenge TXT record be needed? Because I can't type over 1000+ DNS records again.

Or will the renewal process be automatic? I am using " certbot certonly --manual "

There is no way to automate a specifically declared --manual process.
You will need to use a DNS service provider that supports API updates.
The TXT records can/should be deleted after they have been used.
Every time you issue a new cert, or renew a cert, (that contains a wildcard) a new TXT record will be required to pass the validation.

This is confusing me:

I don't see how a DNS TXT record can cause such a problem.

@donenam, also, if you don't already know a scripting language, you might want to learn one! It's very helpful and relevant for automating all sorts of tasks.

I know PHP, but since the whole process is running on the CLI, I don't know if it's possible.

I have deleted the TXT records for

https://domain.amica.example.com

I haven't for https://domain.au.example.com

And both of them are in the same SAN certificate.

Test the two: even without https the second doesn't work. I am confused, since I might need the records during renewal.