How to issue wildcard certificate for a domain from letsencrypt

Unlikely that it would be, as ACME v2 is very new (and I don't believe it's yet supported by the production server)

It's really a pretty rare case where a wildcard cert would be needed. In most cases, you know what hostnames you're going to use, and they don't change. In those cases, no, there's no reason to bother with a wildcard cert--just issue a cert that covers all the hostnames you want. This has been possible since the system went live two years ago, and covers the large majority of the cases for which people think they need a wildcard cert.

Thank you danb35.

I know the hostnames and they donā€™t change, but relying on the manual method, Iā€™ve had to create a separate ssl cert for each sub-domain, and then ask my host to install each cert.

Quite laborious every 3 months, with the time-difference, and waiting for my host to install the cert.

So, in my thinking, itā€™d be quicker all round to have a single wildcard certificate to cover all my domains and sub-domains.

Is that what you advise?

Does the manual method permit the creation of one ssl cert to cover several rations of a domain or domains?

If your host now supports Let's Encrypt, what I'd advise would be to request a single cert with all your hostnames on it. Presumably your host's support includes automatic renewal, so once you've done that, you're set.

Without knowing what "manual method" you've been using, I can't say for sure, but most methods I know of do allow this.

The manual method I refer to is not to use Certbot, but use the LE online form and ZeroSSL to manually verify my domains and create a ssl and then send that to my host to install for me.

I have not investigated how my hosts LE integration functions, Iā€™ll wait until my next renewal is due to do that. Hopefully, it will have auto-renewal included.

It sounds like I donā€™t need any wildcard SSL cert then :slight_smile:

ZeroSSL supports multiple domains on a single certificate request like most Let's Encrypt clients. So yes, you could issue a single cert that way that covers all your hostnames.

I'd suggest you start well in advance, just in case problems crop up.

As noted above, I don't think most people do.

Okay I'll give it a try next renewal.

Thanks for the tip.

There's more on this topic here:

Hi!

I am also waiting for the wildcard certificates to be available.

I would like to ask you about this:

Would this work if I do not have access to those subdomains from the machine where the certificate is issued? A simple scenario for this would be requesting the certificate from an EC2 instance that resolved from www.mydomain.com and I also have a CloudFront distribution at static.mydomain.com and an ELB at lb.mydomain.com.

Would it work if I am asking the certificate from that instance for all these subdomains?

It depends.

Proxies (such as an ELBs and Cloudfront distributions) shouldn't affect the ability to issue certificates for those domains.

After all, sending GET /.well-known/acme-challenge/test.txt to each of those domains should eventually generate the same request on the EC2 instance, right? Just adding some extra hops.

On the other hand, if all three of those domains do not serve the same content, then you would need to figure out how to upload the validation files to each domain's respective webroot.

However the wildcard certificate would be a much faster solution in this case, wouldnā€™t it?

Youā€™ll need to use the DNS challenge to get a wildcard certificate anyway, and if you have that ability, you can use it now to validate each individual subdomain. The DNS challenge can be completed from any machine that has access to your DNS API credentials.

1 Like

I haven't seen that Certbot can do DNS challenge. Well that simplifies my situation I believe. I will try it right now and come back with a response!

It depends on how you installed Certbot, which version you have, and which DNS provider you use.

...or there are plenty of other clients that do; one of the more popular seems to be acme.sh.

Are you guys still on track to release ACMEv2, wildcard, and a compatible Certbot by February 27?

Also, will the format of the command line and the manually generated CSRs I use (with the exception of allowing wildcards) still be the same?

A post was split to a new topic: Persistence of domains added to certificate with Plesk

Are wildcard certs available now, since yesterday was February 27th? Where can the details/documentation for that be found?

@GiantNinja, It's been delayed. :frowning: See here:

1 Like

Agreedā€¦ Quality is definitely more important here than making an arbitrary deadline. I just didnā€™t see any update on that, so I appreciate the reply. Keep up the great work!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Wildcard support is available since March of 2018. Please see this post for details: ACME v2 and Wildcard Certificate Support is Live