Documentation for DNS plugins and wildcard request is confusing


#1

Sorry about not following the posting template but my question is about site documentation. As of 2018-09-07, this webpage:

https://certbot.eff.org/docs/using.html#dns-plugins

contains a table of plugins. The entry for “DNS plugins” contains this description:

“This category of plugins automates obtaining a certificate by
modifying DNS records to prove you have control over a
domain. Doing domain validation in this way is
the only way to obtain wildcard certificates from Let’s Encrypt.”

That caused me confusion for a couple days because I saw many examples of people using the “manual” authenticator to obtain wildcard certificates.

Am I being too picky or should that description (… is the only way to obtain wildcard certificates…) be modified or elaborated?

Thanks.


#2

I feel you’re right.

"modifying DNS records" is indeed the only way to get a wildcard certificate, but of course you can do it either using a DNS plugin or manually.

Maybe you can suggest a modification of this file https://github.com/certbot/certbot/blob/master/docs/using.rst#getting-certificates-and-choosing-plugins by opening an issue https://github.com/certbot/certbot/issues or by a PR?


#3

Indeed, in its current form it’s incorrect. A little bit of nuance could improve it.


#4

I think I may have written this text originally and “in this way” is meant to refer to DNS-01 challenges rather than to Certbot DNS plugins. I can see that that’s confusing in its context.


#5

My first thought to improve clarity would be to remove the reference to wildcards from the ‘Notes’ column for the DNS Plugins row and associate it with the ‘dns-01’ occurrences in the ‘Challenge-type’ column.

Specifically, put a footnote symbol next to ‘dns-01’ wherever it occurs and add a table footnote indicating that ‘dns-01’ is the only challenge-type that can be used to obtain wildcard certs. Since only DNS Plugins and Manual allow that challenge-type, they are the only ones that can be used for wildcard certificates.

Maybe there is something better.

I could try to open an issue as was suggested, but hopefully there is someone (Certbot engineer above?) who knows that process better than I who could do that. Not trying to duck out of work but I’ve never done that.

