How to issue wildcard certificate for a domain from letsencrypt


#1

Hi All!

I have known for a very long time that Letsencrypt will be starting wildcard certificates according to the link below:
https://community.letsencrypt.org/t/wildcard-certificates-coming-january-2018/37567

My question is how and what to execute to get *.mycompanyname.com certs. I have 8 domains in my company for which I need the wildcard certs.

Ex:

Please help me out on this or guide/refer me to any link on how to get all these wildcard certs. Right now I’m manually updating the renewal for all these domains, logging into the particular server and doing it. Any help would be much appreciated.


#2

Wildcards are not available yet - you have to wait a bit longer (end of February, I believe). See: https://letsencrypt.org/2017/12/07/looking-forward-to-2018.html

First, we’re planning to introduce an ACME v2 protocol API endpoint and support for wildcard certificates along with it. Wildcard certificates will be free and available globally just like our other certificates. We are planning to have a public test API endpoint up by January 4, and we’ve set a date for the full launch: Tuesday, February 27.

and https://letsencrypt.org/upcoming-features/:

ACME v2 API

ETA: February 27, 2018

Wildcard Certificates

ETA: February 27, 2018


#3

The correct link: https://letsencrypt.org/upcoming-features/


#4
Update, January 4, 2018
We introduced a public test API endpoint for the ACME v2 protocol and wildcard support on January 4, 2018. ACME v2 and wildcard support will be fully available on February 27, 2018.


#5

It’s worth stating that in most cases a wildcard isn’t needed (or preferable) and it’s often very simple to just request a certificate with multiple SAN entries (using the certbot client you could just add multiple -d entries: -d stage.mycompanyname.com -d preprod.mycompanyname.com -d qa-stage.mycompanyname.com).


#6

Thanks for this clarification. I know for the sake of progress the decision was made to start issuing wildcard certs.

The only time I have ever used them was for convenience; however, cert automation obliterated that convenience and made everything more secure (90 day issuance instead of a year or even longer!)

So I wrote all that to ask this:

Are there some write-ups somewhere regarding really good / understandable use cases as to why wildcard certs became an inevitable service Let’s Encrypt had to offer?

I am sure there are a myriad of them but in my day-to-day I have yet to run across a need especially since DNS-01 solves many non public website issues anyway and it appears that will still be necessary for wildcard certs.

Maybe the convenience of not having to write, potentially, hundreds of DNS TXT records for bigger shops? But again that is conjecture on my part and I am curious for some real-world hardship examples so I can go “AH HAH! That’s why”

Cheers.


#7

@NickThrew I don’t believe there is a list or final argument that decided it. There are certainly some cases where it does make sense, Sandstorm.io is the one that usually comes to mind for me. There are a variety of other cases where it will significantly reduce the frequency with which a multi-SAN cert would need to be updated and replaced (e.g. SaaS architectures, hardware loadbalancers, proxy systems in public infrastructure like libraries). Some have argued privacy reasons.

Here’s a link to one of the threads where people explain why they believe wildcards are needed: Please support wildcard certificates


#8

Shouldn’t that be linked somewhere on the homepage? I didn’t really find it.


#9

@My1 It’s listed in that page: https://letsencrypt.org/docs/ , available from the “Documentation” link on the top. (But yes, it’s not really highlighted.)


#10

Oh that is a surprise.

I don’t use Certbot, I’ve used the manual method for the last six months. My host has recently instituted LE integration (hopefully ACME v2).

I run a handful of domains, so are you saying it may be better for punters like me, NOT to bother with wild-cards?


#11

Unlikely that it would be, as ACME v2 is very new (and I don’t believe it’s yet supported by the production server)

It’s really a pretty rare case where a wildcard cert would be needed. In most cases, you know what hostnames you’re going to use, and they don’t change. In those cases, no, there’s no reason to bother with a wildcard cert–just issue a cert that covers all the hostnames you want. This has been possible since the system went live two years ago, and covers the large majority of the cases for which people think they need a wildcard cert.


#12

Thank you danb35.

I know the hostnames and they don’t change, but relying on the manual method, I’ve had to create a separate ssl cert for each sub-domain, and then ask my host to install each cert.

Quite laborious every 3 months, with the time-difference, and waiting for my host to install the cert.

So, in my thinking, it’d be quicker all round to have a single wildcard certificate to cover all my domains and sub-domains.

Is that what you advise?

Does the manual method permit the creation of one ssl cert to cover several rations of a domain or domains?


#13

If your host now supports Let’s Encrypt, what I’d advise would be to request a single cert with all your hostnames on it. Presumably your host’s support includes automatic renewal, so once you’ve done that, you’re set.

Without knowing what “manual method” you’ve been using, I can’t say for sure, but most methods I know of do allow this.


#14

The manual method I refer to is not to use Certbot, but to use the LE online form and ZeroSSL to manually verify my domains and create an SSL cert, and then send that to my host to install for me.

I have not investigated how my hosts LE integration functions, I’ll wait until my next renewal is due to do that. Hopefully, it will have auto-renewal included.

It sounds like I don’t need any wildcard SSL cert then :slight_smile:


#15

ZeroSSL supports multiple domains on a single certificate request like most Let’s Encrypt clients. So yes, you could issue a single cert that way that covers all your hostnames.

I’d suggest you start well in advance, just in case problems crop up.

As noted above, I don’t think most people do.


#16

Okay I’ll give it a try next renewal.

Thanks for the tip.

There’s more on this topic here:


#17

Hi!

I am also waiting for the wildcard certificates to be available.

I would like to ask you about this:

Would this work if I do not have access to those subdomains from the machine where the certificate is issued? A simple scenario for this would be requesting the certificate from an EC2 instance that www.mydomain.com resolves to, while I also have a CloudFront distribution at static.mydomain.com and an ELB at lb.mydomain.com.

Would it work if I am asking the certificate from that instance for all these subdomains?


#18

It depends.

Proxies (such as ELBs and CloudFront distributions) shouldn’t affect the ability to issue certificates for those domains.

After all, sending GET /.well-known/acme-challenge/test.txt to each of those domains should eventually generate the same request on the EC2 instance, right? Just adding some extra hops.

On the other hand, if all three of those domains do not serve the same content, then you would need to figure out how to upload the validation files to each domain’s respective webroot.


#19

However the wildcard certificate would be a much faster solution in this case, wouldn’t it?


#20

You’ll need to use the DNS challenge to get a wildcard certificate anyway, and if you have that ability, you can use it now to validate each individual subdomain. The DNS challenge can be completed from any machine that has access to your DNS API credentials.
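Whether a wildcard or a multi-SAN certificate is the better fit (posts #5, #11, #17 and #20 above) comes down to which hostnames each form actually covers and which challenge it needs. The following added example is not from the thread or from any Let’s Encrypt client; it checks a constructed SAN list against the hostnames you serve, applying the one-label wildcard rule (`*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`), and flags when a DNS-01 challenge is unavoidable. Hostnames are constructed samples based on the thread’s `mycompanyname.com`.

```python
from typing import Iterable, List

def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN entry covers hostname.

    Wildcard SANs cover exactly one leftmost label (RFC 6125 style):
    "*.example.com" matches "www.example.com" but not "example.com"
    and not "a.b.example.com".
    """
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                       # e.g. ".example.com"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[: -len(suffix)]
        return bool(first_label) and "." not in first_label
    return san == hostname

def uncovered_hostnames(sans: Iterable[str], required: Iterable[str]) -> List[str]:
    """Hostnames from `required` that no entry in `sans` covers, in order."""
    sans = list(sans)
    return [h for h in required if not any(san_matches(s, h) for s in sans)]

def needs_dns_challenge(sans: Iterable[str]) -> bool:
    """Let's Encrypt only issues wildcard names via DNS-01 (post #20)."""
    return any(s.startswith("*.") for s in sans)

# Constructed sample: a multi-SAN cert like the one post #5 suggests.
MULTI_SAN = ["stage.mycompanyname.com", "preprod.mycompanyname.com",
             "qa-stage.mycompanyname.com"]
# Constructed sample: a bare wildcard cert.
WILDCARD_ONLY = ["*.mycompanyname.com"]
# Constructed sample: hostnames a site might serve, including the apex
# and a two-level subdomain, which a wildcard does NOT cover.
REQUIRED = ["mycompanyname.com", "www.mycompanyname.com",
            "stage.mycompanyname.com", "api.internal.mycompanyname.com"]

if __name__ == "__main__":
    for label, sans in (("multi-SAN", MULTI_SAN), ("wildcard", WILDCARD_ONLY)):
        missing = uncovered_hostnames(sans, REQUIRED)
        print(f"{label}: uncovered={missing} dns-01 required={needs_dns_challenge(sans)}")
```

Adding the apex name (`mycompanyname.com`) as an extra SAN beside the wildcard closes the first gap; a deeper name such as `api.internal.mycompanyname.com` still needs its own SAN or its own wildcard.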