How to issue wildcard certificate for a domain from letsencrypt

danb35 · February 14, 2018, 1:23pm

Unlikely that it would be, as ACME v2 is very new (and I don’t believe it’s yet supported by the production server)

It’s really a pretty rare case where a wildcard cert would be needed. In most cases, you know what hostnames you’re going to use, and they don’t change. In those cases, no, there’s no reason to bother with a wildcard cert–just issue a cert that covers all the hostnames you want. This has been possible since the system went live two years ago, and covers the large majority of the cases for which people think they need a wildcard cert.

PeaceComesFree · February 14, 2018, 2:21pm

Thank you danb35.

I know the hostnames and they don’t change, but relying on the manual method, I’ve had to create a separate ssl cert for each sub-domain, and then ask my host to install each cert.

Quite laborious every 3 months, with the time-difference, and waiting for my host to install the cert.

So, in my thinking, it’d be quicker all round to have a single wildcard certificate to cover all my domains and sub-domains.

Is that what you advise?

Does the manual method permit the creation of one ssl cert to cover several rations of a domain or domains?

danb35 · February 14, 2018, 2:32pm

If your host now supports Let’s Encrypt, what I’d advise would be to request a single cert with all your hostnames on it. Presumably your host’s support includes automatic renewal, so once you’ve done that, you’re set.

Without knowing what “manual method” you’ve been using, I can’t say for sure, but most methods I know of do allow this.

PeaceComesFree · February 14, 2018, 2:38pm

The manual method I refer to is not to use Certbot, but use the LE online form and ZeroSSL to manually verify my domains and create a ssl and then send that to my host to install for me.

I have not investigated how my hosts LE integration functions, I’ll wait until my next renewal is due to do that. Hopefully, it will have auto-renewal included.

It sounds like I don’t need any wildcard SSL cert then

danb35 · February 14, 2018, 2:49pm

ZeroSSL supports multiple domains on a single certificate request like most Let’s Encrypt clients. So yes, you could issue a single cert that way that covers all your hostnames.

I’d suggest you start well in advance, just in case problems crop up.

As noted above, I don’t think most people do.

PeaceComesFree · February 15, 2018, 1:26am

Okay I’ll give it a try next renewal.

Thanks for the tip.

There’s more on this topic here:

barbu110 · February 15, 2018, 9:44pm

Hi!

I am also waiting for the wildcard certificates to be available.

I would like to ask you about this:

Would this work if I do not have access to those subdomains from the machine where the certificate is issued? A simple scenario for this would be requesting the certificate from an EC2 instance that resolved from www.mydomain.com and I also have a CloudFront distribution at static.mydomain.com and an ELB at lb.mydomain.com.

Would it work if I am asking the certificate from that instance for all these subdomains?

_az · February 15, 2018, 9:55pm

It depends.

Proxies (such as an ELBs and Cloudfront distributions) shouldn’t affect the ability to issue certificates for those domains.

After all, sending GET /.well-known/acme-challenge/test.txt to each of those domains should eventually generate the same request on the EC2 instance, right? Just adding some extra hops.

On the other hand, if all three of those domains do not serve the same content, then you would need to figure out how to upload the validation files to each domain’s respective webroot.

barbu110 · February 15, 2018, 10:15pm

However the wildcard certificate would be a much faster solution in this case, wouldn’t it?

jmorahan · February 15, 2018, 10:15pm

You’ll need to use the DNS challenge to get a wildcard certificate anyway, and if you have that ability, you can use it now to validate each individual subdomain. The DNS challenge can be completed from any machine that has access to your DNS API credentials.

barbu110 · February 15, 2018, 10:17pm

I haven’t seen that Certbot can do DNS challenge. Well that simplifies my situation I believe. I will try it right now and come back with a response!

schoen · February 15, 2018, 11:36pm

It depends on how you installed Certbot, which version you have, and which DNS provider you use.

danb35 · February 16, 2018, 12:00am

…or there are plenty of other clients that do; one of the more popular seems to be acme.sh.

BFeely · February 16, 2018, 3:27am

Are you guys still on track to release ACMEv2, wildcard, and a compatible Certbot by February 27?

Also, will the format of the command line and the manually generated CSRs I use (with the exception of allowing wildcards) still be the same?

schoen · February 26, 2018, 4:11pm

A post was split to a new topic: Persistence of domains added to certificate with Plesk

GiantNinja · February 28, 2018, 2:14pm

Are wildcard certs available now, since yesterday was February 27th? Where can the details/documentation for that be found?

jurekam · February 28, 2018, 3:02pm

@GiantNinja, It’s been delayed. See here:

GiantNinja · February 28, 2018, 2:22pm

Agreed… Quality is definitely more important here than making an arbitrary deadline. I just didn’t see any update on that, so I appreciate the reply. Keep up the great work!

system · March 30, 2018, 11:16pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

jsha · September 20, 2018, 8:05pm

Wildcard support is available since March of 2018. Please see this post for details: ACME v2 and Wildcard Certificate Support is Live