Future of obtaining wildcard certificates




Hi @jaisonkapoor

There are a lot of DNS providers that support an API, and there are a lot of Certbot plugins.

And there are other clients, like acme.sh, which supports 52 DNS APIs.

Additionally, you can create a CNAME entry:

_acme-challenge.yourdomain.com CNAME -> an entry somewhere else that supports an API.

So you have a static CNAME, and you can use the API of another DNS provider.

I need one wildcard certificate and my DNS provider supports an API, so there is no problem automating that.


Hi @jaisonkapoor,

To add to @JuergenAuer’s answer:

There is a policy difference on Let’s Encrypt’s side about wildcard vs. non-wildcard certificates. Unlike other certificates, wildcard certificates can only be issued on the basis of a DNS record validation. This decision was taken in order to prevent fraudulent issuance of powerful wildcard certificates.

Let’s Encrypt aims to have certificate renewal be automated for everyone. This is a more difficult task in the case of DNS validation because people’s DNS services are usually hosted on different servers from their web services, and in many cases on third-party servers that they don’t directly control. For web-based validation like HTTP-01 (used by Certbot’s webroot plugin, for example), this is typically much easier to automate because everything is happening within the same server.

In the DNS case, we usually need to update DNS records on another machine in order to perform a renewal. This can be, and should be, automated, but it’s also inherently more difficult to automate because it requires a way to ask the DNS server to create the new TXT records and then to confirm when it’s done so.

As Jürgen said, we do have some DNS plugins that take advantage of DNS provider APIs. When you use one of these plugins, you can automate your DNS updates and thereby automate renewal, even of a wildcard cert. If you’re comfortable with scripting, you can also use the --manual-auth-hook option to tell Certbot about a script that you’ve written; then Certbot will run this script to ask it to update the DNS records at the relevant moment, which will also enable automated renewals.

The ability to get this to work depends on which DNS provider you use and what kind of access you have to make automated updates. I can also recommend another client called acme.sh, which has the broadest range of DNS API support of any existing Let’s Encrypt client.
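As an added example that is not code from the thread, Certbot or acme.sh: the two posts above describe the `_acme-challenge` CNAME delegation and a hook that "updates the DNS records at the relevant moment" and confirms they are there. The Python below shows what those records have to contain and how a validator finds them. It derives the DNS-01 TXT value from the ACME token and the account key (RFC 8555 §8.4 with the RFC 7638 thumbprint; Certbot hands a hook this value as `$CERTBOT_VALIDATION`), strips the wildcard label so `*.example.com` and `example.com` share one challenge name, and follows a CNAME chain to the delegated name the way a CA's resolver does. The account key, the token and every zone name are constructed for the example; none is a real key, a real token or a real DNS host.

```python
"""Added example: DNS-01 validation values and CNAME-delegated lookup.

Assumptions (all constructed, not real data): ACCOUNT_JWK is a fake P-256
public key, TOKEN is a made-up ACME token, and ZONE is an in-memory stand-in
for the public DNS. Standard library only.
"""
import base64
import hashlib
import json
from typing import Dict, List, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWK and ACME (RFC 8555) encode values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialized with members in lexicographic order and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds
    base64url(SHA-256(token "." thumbprint)). This is the string Certbot
    exports to a --manual-auth-hook as $CERTBOT_VALIDATION."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(identifier: str) -> str:
    """Name the CA queries. A wildcard is validated against its base domain,
    so *.example.com and example.com both use _acme-challenge.example.com;
    two TXT records (one per authorization) then sit at that name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}".lower()


Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(type, value), ...]


def find_validation_txt(zone: Zone, identifier: str, expected: str,
                        max_cname_hops: int = 8) -> Optional[str]:
    """Mimic the validator: look up TXT at the challenge name, follow CNAMEs
    to wherever the operator delegated it, and accept any TXT at the final
    name equal to the expected value. Returns the name the value was found
    at, or None (the "TXT record not retrieved" failure)."""
    name = challenge_name(identifier)
    for _ in range(max_cname_hops):
        records = zone.get(name.lower(), [])
        cnames = [v for t, v in records if t == "CNAME"]
        if cnames:
            name = cnames[0]  # a name carries at most one CNAME (RFC 1034)
            continue
        txts = [v for t, v in records if t == "TXT"]
        return name if expected in txts else None
    return None  # chain too long or looping: treat as not found


# Constructed account key: coordinates are arbitrary bytes, not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(1, 33))),
               "y": b64url(bytes(range(33, 65)))}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
EXPECTED = dns01_txt_value(TOKEN, ACCOUNT_JWK)

# Constructed zone data mirroring the static-CNAME setup from the posts.
ZONE: Zone = {
    # the static delegation to a name at a DNS host that has an API
    "_acme-challenge.example.com": [("CNAME", "a1b2c3d4.auth.acme-dns.example.net")],
    "a1b2c3d4.auth.acme-dns.example.net": [("TXT", EXPECTED),
                                           ("TXT", "stale-value-from-last-renewal")],
    # a delegation whose target never received the new record
    "_acme-challenge.broken.example": [("CNAME", "zzz.auth.acme-dns.example.net")],
    "zzz.auth.acme-dns.example.net": [],
    # a misconfigured CNAME pointing at itself
    "_acme-challenge.loop.example": [("CNAME", "_acme-challenge.loop.example")],
}

if __name__ == "__main__":
    print("TXT value to publish:", EXPECTED)
    for ident in ("example.com", "*.example.com", "broken.example", "loop.example"):
        print(ident, "->", find_validation_txt(ZONE, ident, EXPECTED))
```

In a real hook the "confirm when it's done" step is the same lookup done against the authoritative nameservers of the final name in the chain (not a caching resolver, which may hold the previous renewal's value), and the hook should not return until every authoritative server answers with the new record; Let's Encrypt queries from several vantage points, so a record visible on only one server is not enough.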


But the CA/B Forum BR is just fine with http-01-like validation for wildcard certificates. So I assume this is purely a Let’s Encrypt policy?


I think that’s right.


Today I have completed a bash script which can be used as a hook by Certbot to obtain wildcard certificates (if you have your own root server). You need to install a local nameserver (I recommend yadifa, where this is quite easy), but in this way an automatic renewal is possible.


So, in short, both of these are possible today; you just need to be able to automate updates to your DNS records. If you use one of the many DNS hosts with supported APIs (acme.sh supports over 50 providers’ APIs), you’re set. If you don’t, and you aren’t willing or able to switch, you can host your own DNS for the limited purpose of domain validation using acme-dns. Both of these methods work very well for a great many users.


Thanks @hatto, have you looked at acme-dns?


Yes, I have tried acme-dns. It did not work for me; for some reason the TXT record was not retrieved by the letsencrypt api2 server. I supposed (!) the CNAME record used by acme-dns to be the problem. Further, the installation of acme-dns has thrown some 100 MB of software (especially the Go compiler) onto my server, which did not please me very much.

So I have implemented my alternative approach (which uses only packages provided by my Ubuntu 18.04 system) and tried to document it in a decent manner.


I suspect you didn’t download and use the binary available from https://github.com/joohoi/acme-dns/releases?