Follow-up after 1 year

Related topic: Best Practices Using a Perl Client Module?

(sorry for the length of this)

We have been using Let’s Encrypt for 1 year now, and for the most part, everything is good.

Quick refresh: We maintain a large content management system (FreeToastHost) that produces free websites for Toastmasters public speaking clubs and districts (districts contain and support clubs) via forms and a website template to insert info from the forms.

We have created, housed on our server, and renewed the LE SSL certs for the 800+ user-registered domains that point to our server. We have a cron job that handles the renewals on a regular cycle and I have been able to basically forget about it for a while now which makes me happy. :wink:

With the release of ACME v2, though, I would like to take it to the next level. We also have two top-level domains, toastmastersclubs.org and toastmastersdistricts.org that we control the registrations for and routinely create & delete subdomains for (each subdomain maps to a club or district).

toastmastersclubs.org has 11,000+ subdomains and toastmastersdistricts.org has 40+ subdomains (significantly less).

Before ACME v2, we got a donated wildcard cert for toastmastersclubs.org and I cobbled together a strategy for toastmastersdistricts.org using the alternative name feature of the cert. (SAN?)

I would like to put each of the two on a LE wildcard cert. I understand that I can only use DNS challenges for LE issued wildcard certs, correct? Does this wildcard cert scenario sound like a good use case for using CertBot? (I have not used it yet.)

Lastly, I am a bit confused about what the real difference is between issuing a cert and renewing it. I think I have been basically issuing new certs for our user registered domains when their renewal is due. Does this really matter? (any downsides?)

Yes, but you'll need to source a DNS validation hook for Certbot, since it doesn't support GoDaddy DNS hosting natively.

A couple seem to exist:

There are some ACME clients that support GoDaddy natively, such as acme.sh.

The main respect in which they are different is when it comes to the CA-side calculation of rate limits for the domain (Renewal Exemption: renewals contribute to but are not blocked by rate limits). Otherwise they are essentially the same operation.


Better yet, install acme-dns and use that to handle your DNS management for the challenges. This is more secure than leaving the GoDaddy credentials on your server.

Hmmm, not familiar w/ DNS validation hooks... Anything I can read on them?

I would want to set up the renewals in cron jobs... Any reason these would create problems w/ that approach?

acme-dns is a lightweight, limited-use, API-driven DNS server created to answer ACME DNS challenges.

You install the server on your systems, then CNAME the acme-challenge records onto it. The authentication hooks/libraries (on the bottom of the project’s page) will drive the acme-dns API to set the challenges for you.

Aside from allowing anyone to run an API-driven DNS validation service, the big problem acme-dns solves is: security. In order to perform automatic renewal, certbot needs unencrypted API keys left on the server. Most DNS vendors don’t have fine-grained permission controls - their API keys allow for A/MX records to be changed, some even allow for domains to be transferred or sold. ACME DNS eliminates these risks by letting you set up a DNS verification service independent from your normal DNS services. If your server gets hacked, control of your domain and DNS records will not be compromised by those keys.

Many people on this forum use it and post how-tos, the project page is here:

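Added example (not part of any post in this thread, and not code from the acme-dns or Certbot projects): a sketch of the kind of Certbot `--manual-auth-hook` the acme-dns post above describes, where the only secret on the server is an acme-dns account that can set one TXT value. `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are Certbot's hook variables and `POST /update` with `X-Api-User`/`X-Api-Key` is the acme-dns API; the server URL, the account values and the `ACMEDNS_ACCOUNTS` file are assumptions made for the example.

```python
import json
import os
import sys
import urllib.request

# Constructed stand-in for an acme-dns POST /register response (not real credentials).
SAMPLE_ACCOUNT = {
    "server": "https://acme-dns.example.net",
    "username": "00000000-0000-0000-0000-000000000000",
    "password": "constructed-placeholder",
    "subdomain": "11111111-1111-1111-1111-111111111111",
}


def challenge_name(domain):
    """Name the CA queries; a wildcard and its base domain share the same one."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".").lower()


def build_update(account, validation):
    """Build the acme-dns POST /update request that sets the TXT value."""
    if len(validation) != 43:  # unpadded base64url of a SHA-256 digest
        raise ValueError("DNS-01 validation value must be 43 characters")
    body = json.dumps({"subdomain": account["subdomain"], "txt": validation})
    headers = {"X-Api-User": account["username"], "X-Api-Key": account["password"],
               "Content-Type": "application/json"}
    url = account["server"].rstrip("/") + "/update"
    return urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")


def main():
    domain = os.environ.get("CERTBOT_DOMAIN")          # set by certbot for hooks
    validation = os.environ.get("CERTBOT_VALIDATION")  # set by certbot for hooks
    if not domain or not validation:
        # Outside certbot: show the request for constructed sample data, send nothing.
        req = build_update(SAMPLE_ACCOUNT, "A" * 43)
        print(challenge_name("*.toastmastersclubs.org"), "via", req.full_url)
        return 0
    # Assumed layout: JSON file mapping challenge names to acme-dns accounts;
    # ACMEDNS_ACCOUNTS is a hypothetical variable name, not a certbot or acme-dns one.
    with open(os.environ["ACMEDNS_ACCOUNTS"]) as fh:
        account = json.load(fh)[challenge_name(domain)]
    with urllib.request.urlopen(build_update(account, validation), timeout=30) as resp:
        return 0 if resp.status == 200 else 1


if __name__ == "__main__":
    sys.exit(main())
```

The `_acme-challenge` name it computes is the record that gets CNAMEd to the acme-dns subdomain once, at your regular DNS host; after that the hook never needs the DNS host's own API keys.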

I just got a follow-up question I thought I would forward on…

Given that our one top level domain toastmastersclubs.org typically has around 11000+ subdomains would we have to issue a new challenge every time we add a subdomain to it?

I thought that it would only be one challenge on the top level domain… it would be a wildcard cert after all.

  • Steve

If you get a wildcard certificate, you don't need to do anything when you add new subdomains. That's one of the big advantages of wildcards.
