Let's Encrypt Free wildcard SSL

Hello there,
i am creating an ansible script to create free wildcard ssl for my multiple domains. i can create those ssl certificates manually but facing issue while doing it via ansible, because the command we using to create wildcard ssl it will provide us a TXT record value, but i am unable to update that TXT vaule on the fly, is there any way by which i can automate this process.

My domain is: livesem.co.il

I ran this command: certbot certonly -d '*.livesem.co.il' --manual --preferred-challenges dns

It produced this output: unable to get TXT record value via ansible.

These two things really go hand in hand: to automate the process, you'll need to be able to add (and remove) the TXT record in an automated fashion.

1 Like

But what if i don't have access to dns provider? i can only point * value to the dns.
any thoughts ?

How do you mean you can only add * resource records?

The validation server follows CNAME RRs, perhaps you can do something with that?

1 Like

Then you will be unable to create a wildcard certificate.

1 Like

Is there any API from let's encrypt from where we can send wildcard request and get the TXT value and i will update that value in dns record manually ?

can you please guide me how can i implement the CName method to validate the ssl's

*wildcard ssl basically

Yes, most acme clients (including Certbot) support manual DNS validation, which is what you are asking for.

1 Like

please let me know method of how we can do creation of wildcard ssl's using CNAME method ?

yes, i need CNAME method of dns validation

Do you? Is there another DNS server that you can update automatically?

In principle, the "CNAME method" is simple--create a CNAME record pointing _acme-challenge.whateverdomainyouwantacertfor.com to domainwhosednsyoucontrol.com. Then, instead of needing to make automated DNS updates for _acme-challenge.whateverdomainyouwantacertfor.com, you'd instead make them for domainwhosednsyoucontrol.com. But you still need to be able to make automated DNS updates to something in order for wildcards to be usable.


Thanks alot for your update, can you please do one more favour?
please tell me what parameter should i pass into the certbot command during ssl creation time ?
that would be really helpful for me.

Thanks in advance.

Do you mean you have no access to the DNS provider, or that you do not have easy access to the DNS?

If you have no access at all to DNS, you can not get a wildcard.

If you do not have easy access, but can work with whomever manages DNS, you can delegate authority for the domains to another DNS provider with acme_challenge records. The popular way to do this is by running an instance of ACME-DNS, and having the main dns record delegate authority to it.

yes i don't have easy access to that dns.
Suppose i want to create free wild-card let's encrypt ssl certificate for a domain via ansible scripts , i can't find the TXT record on the fly during ansible execution . so i want a alternative way that how i can easily create ssl's without TXT records.

hey @danb35 just a gentle reminder, any update on this ?

Any update on what? I'm not your personal tech support, and I already gave you the answer.

Then, as I said yesterday, you will be unable to get a wildcard cert.

hey @danb35 please don't get me wrong, sorry if you mind it.

@danb35 i was talking about this thread. please let me know what parameter should i pass into certboat command while creating ssl's with cname method which you mentioned yesterday.

repeating what @danb35 said, that is not possible.

If you don't have easy access, but can access the master zone record, you can enter an _acme-challenge record that delegates control to a DNS server you can more easily manage.

This sounds like an anti-pattern. ansible is typically used to launch/control ephemeral virtual servers. provisioning a certificate via letsencrypt during these types of processes is discouraged as it typically causes rate-limit and other errors for those who implement it. a better model is to centrally provision the certificates and have ansible pull from there OR use a system that persists certificates across server creations.

1 Like