Must I use one of the listed DNS providers to get Wildcard certificates?


#1

Hi, I’m really confused about the wildcard certificates. This page shows a list of DNS plugins that need to be installed to get wildcard certificates, but I don’t use any of those DNS services. I have my own DNS servers set up. So does this mean I can’t use LE wildcard certificates for any of my domains? If I can, where are instructions on how to do this, as I can’t seem to find them on the certbot website. Thanks!


#2

You can use any DNS service. But for fully automated certificate creation and renewal, you have to use an ACME client and DNS service that can talk to each other.

Certbot has an RFC 2136 dynamic update plugin, which ought to work with most normal DNS servers.

https://certbot-dns-rfc2136.readthedocs.io/en/latest/

Certbot also supports fully manual validation, where you edit the zone file with a text editor when issuing a certificate, or make changes in the DNS control panel, or whatever. But since it’s manual, you lose out on automatic renewal.

You can also write your own plugins in Python, or hooks in any language.

You can also change DNS providers, or delegate a subdomain to a different DNS provider.

If Certbot doesn’t have a plugin for your DNS service, or if it’s hard to install, you can also try to find an ACME client that already does support it.

Edit:

There’s also a simple DNS server called acme-dns designed to be good for ACME validation, and a Certbot hook for it.
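A worked version of the "hooks in any language" route from this reply, for a DNS server that accepts RFC 2136 dynamic updates (added example, not the poster's or Certbot's own code): a POSIX shell hook for Certbot's manual mode that adds and removes the `_acme-challenge` TXT record with `nsupdate`. The server name, TSIG key path and propagation delay are assumptions; Certbot itself exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook.

```shell
#!/bin/sh
# Certbot manual DNS-01 hook: adds/removes the _acme-challenge TXT record with an
# RFC 2136 dynamic update (nsupdate), so renewal needs no human step.
# Assumed (not from the thread): the primary server, TSIG key file and delay below.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.net}"          # assumed primary server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/rfc2136.key}" # assumed TSIG key for nsupdate -k
PROPAGATION_SECONDS="${PROPAGATION_SECONDS:-30}"      # time for secondaries to catch up

# Print the nsupdate batch for one validation: $1 = add|delete,
# $2 = domain (for *.example.com Certbot passes example.com), $3 = token.
# No "zone" line is emitted; nsupdate finds the zone from the SOA itself.
build_update() {
    mode="$1"; name="_acme-challenge.$2."; token="$3"
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$mode" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$name" "$token"
    else
        # Delete only this token's record: a cert for example.com plus
        # *.example.com puts two TXT records at the same name, and the
        # cleanup for one must not wipe the other.
        printf 'update delete %s TXT "%s"\n' "$name" "$token"
    fi
    printf 'send\n'
}

# Apply the update for the challenge Certbot describes in its environment.
run_hook() {
    mode="$1"
    : "${CERTBOT_DOMAIN:?set by certbot}" "${CERTBOT_VALIDATION:?set by certbot}"
    build_update "$mode" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    # Give secondaries time before Let's Encrypt queries the record.
    [ "$mode" = add ] && sleep "$PROPAGATION_SECONDS"
    return 0
}

# Usage from certbot (each hook runs once per name in the certificate):
#   certbot certonly --manual --preferred-challenges dns \
#     -d example.com -d '*.example.com' \
#     --manual-auth-hook '/etc/letsencrypt/rfc2136-hook.sh add' \
#     --manual-cleanup-hook '/etc/letsencrypt/rfc2136-hook.sh delete'
case "${1:-}" in
    add|delete) run_hook "$1" ;;
    *) : ;;  # no mode given (e.g. sourced for testing): only define the functions
esac
```

The TSIG key should be restricted (in BIND, an `update-policy` granting the key TXT updates only on `_acme-challenge` names) so a leaked hook credential cannot rewrite the rest of the zone.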


#3

Thanks! This goes WAY over my head, so, I guess I’ll just have to stick to creating certificates for every subdomain because I have no idea what most of your reply even means. 🙂


#4

The DNS provider doesn’t have to be one of the listed ones, but it does at least have to support particular technologies. If not, it won’t work.

@joohoi was explaining some of the options in this case.

The reason for this is that the Let’s Encrypt client, like Certbot, needs to be able to make changes to your DNS records, so it needs a technical way of doing that without human intervention (at least if you want the certificate to be able to be renewed automatically, also without human intervention).

You might also want to look at https://acme.sh/, which historically has had much better DNS support than Certbot (in terms of supporting integration with many more DNS providers), although Certbot has made huge progress in this area lately.

