Letsencrypt Wildcard SSL with DNS method

amit_942 · April 12, 2022, 10:25am

Hello guys,

We are providing some cloud services, where we deploy servers for our clients remotely. We also provide temporary domains to our clients for initial usage, for e.g. something.example.com

Now when client add their own domain name for e.g. something.xyz.com , we want to provide lets encrypt wild card ssl's for their own domains > ( something.xyz.com ),

we are using shell scripts remotely on client's servers to generate these wild card lets encrypt ssl.
one method is I am aware of that we can generate ssl using cert-bot command where it gives us a random value and we have to create the TXT record inside DNS and add that random value, but in my scenario i can't get that random VALUE , because we are running remote shell scripts and it can't provide us that random value. i want to automate this thing. For standard SSL we are using certbot to genrate ssl, please let me know the best solution for my scenario.

Thanks in advance.

9peppe · April 12, 2022, 10:30am

The best solution in your scenario is avoid using the dns-01 challenge and evaluate how to obtain the same with either http-01 or tls-alpn-01.

Another option, you can use acme-dns and have them delegate their _acme-challenge DNS label to you. But that's an overkill.

And I don't get why you want to use wildcards instead of certificates for the specific FQDN.

Osiris · April 12, 2022, 10:32am

I don't really follow. Why wouldn't the TXT value be of any use in your shell script? You shouldn't want to do this manually, as @9peppe already mentioned.

amit_942 · April 12, 2022, 10:37am

Hey @9peppe , thanks for quick reply, Actually clients can add multiple domains for their website that is why we are generating wildcard ssl for them, but this process needs to be automated.

and i also saw a CNAME method on lets-encrypt's official documentation , will that help me to achieve my goal ?

9peppe · April 12, 2022, 10:41am

Multiple... how many?

Because managing the dns-01 challenge is hard.

With http-01 or tls-alpn-01 you only need the A/AAAA record pointing to your server.

Imho it's not an issue if you make a certificate for ten subdomains, or even ten different certificates one for each subdomain.

amit_942 · April 12, 2022, 10:52am

@9peppe
Actually we don't want to create ssl again and again, just create a wildcard ssl and then client can add multiple domain, through our application.

FYI : - we have a application for all this , in which clients perform their activities like managing server, restarting services etc,

We want to automate this process of generating wildcard ssl.

9peppe · April 12, 2022, 11:08am

Unless you host their nameservers or you get that cname, it's going to be an incredible mess.

Avoid it if you can.

You will reissue each certificate every two months regardless. Issuing one per service instead of one per registered domain is the way I would do it.

amit_942 · April 12, 2022, 11:12am

how to Add a CNAME record as _acme-challenge and point it to one of the already added domain on that server ?
i think in this blog they are suggesting the same way

9peppe · April 12, 2022, 11:14am

No, you would point it to a subdomain you control completely and could use a DNS API to update automatically the TXT records.

See the acme-dns documentation.

amit_942 · April 12, 2022, 11:23am

Please see the below screenshot , this is reference application , Cloudways.com,

They are generating ssl automatically,

here wordpress-695704-2298218.cloudwaysapps.com is the temporary domain they provide to user and i added a domain livesem.co.il for wildcard ssl, they asked me to add new DNs record _acme-challenge and point to wordpress-695704-2298218.cloudwaysapps.com , i am little confused how they are giving wildcard ssl support.

9peppe · April 12, 2022, 11:25am

When you add that cname, they can use that to put any txt record they want there, thus they can perform a dns-01 validation against your domain.

See here: GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

amit_942 · April 12, 2022, 11:36am

So to achieve this actually i need any developer's help right ?
it will will be achieved using API ?

9peppe · April 12, 2022, 11:39am

I'm inclined to say yes but I also think my answer is meaningless here.

Yes, you will need to install some software and make it work together.

amit_942 · April 12, 2022, 11:44am

ok got it, so basically using their DNS provider i.e. cloudwaysapps.com they will able to add TXT record for my doman i.e. livesem.co.il
am i right ?

9peppe · April 12, 2022, 11:49am

More or less, yes.

The CNAME record literally means "clone every record you see at this other label"

(Including A, TXT, whatever)

amit_942 · April 12, 2022, 11:50am

but when i created this CNAME into my dns , i can't see any TXT record into it, what does it mean ?

9peppe · April 12, 2022, 11:52am

You will see the cname. If you want to see the txt you have to make an actual DNS query.

(And the TXT record used for DNS validation is very short lived, it gets deleted at the end of the validation, it's difficult you'd see it.)

Osiris · April 12, 2022, 1:40pm

@9peppe But that's not how "Cloudways" works apparently. They "require" the CNAME to their DNS server.

@amit_942 What is "Cloudways" anyway?

9peppe · April 12, 2022, 2:07pm

If you tell them you want a wildcard, I guess they have to. (There's a checkbox)

Moreover, they're using the same label for the website and _acme-challenge.

rg305 · April 12, 2022, 3:00pm

@amit_942
At first glance, wild card certs may seem simpler...
But they add a great deal of complexity to the problem.
In your scenario, I would seriously look at NOT using wild cards (unless absolutely necessary).