HTTP validation for wildcard certificates


We will initially only support base domain validation via DNS for wildcard certificates…

Why is it only validated via DNS for wildcard certificates?
You also need to validate via HTTP.
For example, for the wildcard certificate *, confirm domain ownership for
It’s not so difficult to do?


Check this post:

It is a common scenario, when someone controls HTTP server for and, but should not be allowed to obtain certificate valid for, or any other subdomain.


Explain, please 1 moment.
For successful DNS validation, will it suffice on the remote DNS server to manually assign the permissions entry to create and update the wildcard certificate?
Or for DNS validation, you need to have a local DNS server authoritative for the master zone for which we get a certificate and dehydrated will be able to directly write to the the master zone config on the bind?


Most people will probably use their existing DNS servers and use a DNS provider API to update the appropriate records programmatically. This already works for the DNS-01 challenge method today and the same technique should be applicable for wildcard validation. You shouldn’t need to have an additional DNS server.


Please share the link to the detailed description of DNS-01 challenge method.
I can not find it .


I’m found on a third-party resource.

As I expected, or every time to register manually, or to keep the local DNS, which is not acceptable and crooked, if the server is not available, and I have mail, the postmaster of which does not find MX records at that moment and will return the letters back with the 500th code.
For me, it will be easier, how much restrictions will be allowed, to specify all domains in one request for a certificate. :frowning:


A lot of people succeed in using the DNS-01 challenge with automated renewal. They need to have a DNS provider API which allows software to make DNS changes without human intervention.

This can be viewed as a security risk in its own right, but many people have regarded it as a good solution.

There is an approach that reduces these risks, described at


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.