Unlikely that it would be, as ACME v2 is very new (and I don't believe it's yet supported by the production server)
It's really a pretty rare case where a wildcard cert would be needed. In most cases, you know what hostnames you're going to use, and they don't change. In those cases, no, there's no reason to bother with a wildcard cert--just issue a cert that covers all the hostnames you want. This has been possible since the system went live two years ago, and covers the large majority of the cases for which people think they need a wildcard cert.
I know the hostnames and they donāt change, but relying on the manual method, Iāve had to create a separate ssl cert for each sub-domain, and then ask my host to install each cert.
Quite laborious every 3 months, with the time-difference, and waiting for my host to install the cert.
So, in my thinking, itād be quicker all round to have a single wildcard certificate to cover all my domains and sub-domains.
Is that what you advise?
Does the manual method permit the creation of one ssl cert to cover several rations of a domain or domains?
If your host now supports Let's Encrypt, what I'd advise would be to request a single cert with all your hostnames on it. Presumably your host's support includes automatic renewal, so once you've done that, you're set.
Without knowing what "manual method" you've been using, I can't say for sure, but most methods I know of do allow this.
The manual method I refer to is not to use Certbot, but use the LE online form and ZeroSSL to manually verify my domains and create a ssl and then send that to my host to install for me.
I have not investigated how my hosts LE integration functions, Iāll wait until my next renewal is due to do that. Hopefully, it will have auto-renewal included.
It sounds like I donāt need any wildcard SSL cert then
ZeroSSL supports multiple domains on a single certificate request like most Let's Encrypt clients. So yes, you could issue a single cert that way that covers all your hostnames.
I'd suggest you start well in advance, just in case problems crop up.
I am also waiting for the wildcard certificates to be available.
I would like to ask you about this:
Would this work if I do not have access to those subdomains from the machine where the certificate is issued? A simple scenario for this would be requesting the certificate from an EC2 instance that resolved from www.mydomain.com and I also have a CloudFront distribution at static.mydomain.com and an ELB at lb.mydomain.com.
Would it work if I am asking the certificate from that instance for all these subdomains?
Proxies (such as an ELBs and Cloudfront distributions) shouldn't affect the ability to issue certificates for those domains.
After all, sending GET /.well-known/acme-challenge/test.txt to each of those domains should eventually generate the same request on the EC2 instance, right? Just adding some extra hops.
On the other hand, if all three of those domains do not serve the same content, then you would need to figure out how to upload the validation files to each domain's respective webroot.
Youāll need to use the DNS challenge to get a wildcard certificate anyway, and if you have that ability, you can use it now to validate each individual subdomain. The DNS challenge can be completed from any machine that has access to your DNS API credentials.
I havenāt seen that Certbot can do DNS challenge. Well that simplifies my situation I believe. I will try it right now and come back with a response!
Agreedā¦ Quality is definitely more important here than making an arbitrary deadline. I just didnāt see any update on that, so I appreciate the reply. Keep up the great work!
See here: