Greetings. I'm running nginx with certbot just fine. Now I want a certificate for a subdomain that contains a wildcard. I can serve the zone on port 80 just fine. Now I want a cert.
I understand that sudo certbot run --nginx _something.domain.example fails because Let's Encrypt won't write out certs for names that include underscores. I was hoping that sudo certbot run --nginx *.domain.example would give me a cert that I could use, but it fails. From the error response, I think certbot is looking in my nginx sites-enabled, sees _something.domain.example, and stops, saying that _something.domain.example contains an invalid character.
Is there a way to get a wildcard cert for zones that have subdomains with underscores?
I'm not sure about the underscore issue - most CAs don't allow names starting with underscores nowadays, but certificates with wildcards require DNS domain validation instead of http.
One thing to know for @paulehoffman is that the DNS validation method is not supported by certbot --nginx (which only supports the HTTP validation method). So, the consequence is that you can't get wildcard certificates using certbot --nginx at all.
...but you can combine -i nginx with -a ${dns-plugin-youre-using} and force the wildcard hostname with -d
Although I'm not sure if that also works for wildcard certs. I.e., if Certbot is smart enough to recognise the wildcard cert would "fit" the underscore hostname in nginx.
Thanks for the replies. It makes total sense that --nginx wouldn't be able to find the right HTTP server to modify for the underscore name. I was going to pursue the suggestion from @Osiris, but a different person told me that some browsers (maybe only in the past) would refuse to open web sites with underscore names regardless of the cert status. This unfortunately makes sense, and makes me regret even further the fact we didn't get this right for PKIX in 1997ish when we had the chance.
The various committees and standards over time have left things kind of confusing: names with underscores are valid in domain names (things you can put in DNS) but not in host names (things that have a URL). Since they're not valid in hostnames, no publicly-trusted CA will issue a certificate for a name that includes an underscore. As you surmise, you might be able to use a wildcard certificate to work around it in some browsers, in some cases, but you may run into other issues.
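As an added example (not code from this thread or from Certbot): a small Python check of the two questions raised above, whether a wildcard SAN such as *.domain.example "fits" a host like _something.domain.example the way browsers evaluate it, and whether that host is even a legal RFC 1123 hostname. The SAN list and host names are constructed for the demonstration.

```python
import re

# Hostname labels per RFC 1123: letters, digits, hyphen, no leading/trailing hyphen.
# This is stricter than DNS itself, where a label may contain an underscore.
_HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_hostname(name: str) -> bool:
    """True if every label of `name` is a legal RFC 1123 hostname label."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_HOSTNAME_LABEL.match(label) for label in name.split("."))


def wildcard_matches(san: str, host: str) -> bool:
    """Match one certificate name against a host as browsers do (RFC 6125 rules):
    '*' is only honoured as the entire left-most label and matches exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    head, _, tail = san.partition(".")
    if head != "*" or not tail:
        return False  # partial wildcards ('w*.example') or a bare '*' are not honoured
    host_head, _, host_tail = host.partition(".")
    # host_head holds exactly one label because partition() split on the first dot
    return host_head != "" and host_tail == tail


def covering_name(san_list, host):
    """Return the SAN entry that covers `host`, or None if the cert does not cover it."""
    for san in san_list:
        if wildcard_matches(san, host):
            return san
    return None


# Constructed SAN list of a typical wildcard cert for domain.example
SAN_LIST = ["domain.example", "*.domain.example"]

if __name__ == "__main__":
    for host in ["www.domain.example", "_something.domain.example", "a.b.domain.example"]:
        print(f"{host}: covered by {covering_name(SAN_LIST, host)}, "
              f"valid hostname: {is_valid_hostname(host)}")
```

The wildcard covers the underscore name at the certificate-matching level (one label deep only), but the name still fails the hostname rule, which is the separate reason some clients reject it.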