Please ONLY support wildcard certificates

Someone closed the old thread.

+1 to Please support wildcard certificates

Wildcard certificates are the best. Why not ONLY issue wildcard certificates?


Because they are risky in some places.
Example: dyndns.org


but any normal CA would let you issue subdomain and/or wildcard certs if you control the root (usually proved by DNS record or whois/admin mail address)

Also, your usual CA would make you verify ownership by hand and demand money for the cert.

money, true.
but well the verification relies on the type of cert and (for a DV) clicking a link in an email or entering a code from there is at least compatible with every system and not even complicated or annoying, unlike manual mode for Letsencrypt, which to top it off has to be done every 90 days.

I’m just hinting that LE is not your ‘usual’ CA.
Verifications (their usability) are being worked on, which is precisely why GA has been pushed to a later date.

yeah. but I hope they will make some web interface for easy making of certs without doing all the stuff with the client since right now it’s way too complicated for me (I have to run the client on my raspi and push a lot of different webroot challenges to my PC which acts as server) just to get my domains working. I wish they could let each user use one file on all domains he uses which is linked to the account key so that works a LOT easier…

honestly I’d rather confirm my whois mail and drop a CSR in the browser and get my SAN, a lot easier and straightforward for me.

and I don’t need some potentially insecure or unstable software that updates itself (what happens if their github account gets hacked or just a human mistake) and the server will crash or open some security holes (we remember, this thing runs as root, and automatically) so I’d rather do such stuff myself. I don’t really want to run anything as root while I cannot have an eye over it.

web interface

Yes, I've already heard that idea from you and it does sound nice. Maybe you could write a preliminary spec for it / describe how it should look and work?

one file on all domains

If I understand you right, you propose a single SAN cert for all domains. So, if the cert gets compromised in one place, all of your other domains are auto compromised. Not good.

software that updates itself

Yes, the 'auto-update through own channels' idea does sound Bad to me. letsencrypt should be packaged and delivered via repositories, I think.

this thing runs as root

Well, it doesn't have to. AFAIK no one has really gone over security yet, but it can be jailed quite well, starting from the obvious privdrop and ending in SELinux policies. Systemd also provides some nice instruments: systemd.exec.
Another option: run ACME client on a dedicated machine, have Ansible/Chef/Puppet/whatever scenarios for auth and rotation. This way you can have a very minimal client which does not need any elevated privs; the only thing you launch elevated are trivial scenarios.
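As an added illustration of the privdrop and systemd.exec approach described above (this is not code from the thread or from the Let's Encrypt project), here is a sandboxed systemd service unit for a minimal ACME client; the binary path `/usr/local/bin/acme-renew`, the `acme` user/group and the state and webroot paths are assumed placeholders.

```ini
# Added example: run an ACME client as a dedicated, unprivileged user under
# systemd's sandboxing. Binary, user/group and paths are placeholders.
#
# Weak baseline this replaces (root, whole filesystem, all capabilities):
#   [Service]
#   ExecStart=/usr/local/bin/acme-renew

[Unit]
Description=Renew certificates via ACME (unprivileged, sandboxed)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/acme-renew
# The obvious privdrop: an account that owns only the ACME account/cert state.
User=acme
Group=acme
# No way to regain privileges, even through setuid binaries or a bug.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
# Read-only view of the OS, no home directories, private /tmp; only the
# ACME state and the webroot challenge directory are writable.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/acme /var/www/example.org/.well-known/acme-challenge
# Kernel and process surface reduction.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectClock=yes
PrivateDevices=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# Drop this one if your client uses a JIT that needs writable+executable memory.
MemoryDenyWriteExecute=yes
# Only IP sockets (for the CA's API) and unix sockets (local resolver).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Trigger this unit from a systemd timer rather than enabling it at boot.
```

Reloading the web server after a renewal belongs in a separate, trivially small unit that runs elevated and only reads the renewed files, which keeps the client itself entirely unprivileged.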

well I rather mean the verification, no matter whether I want SAN or not I don’t really want to copy and paste 14 (latest count) file names AND contents from SSH to my Laptop but rather get one file that is associated to my account and paste that to my site’s webroot

well I don’t know much about the jailing and whatever, I am not that much with linux and my raspi is just the means for the purpose. I think if the acme spec didn’t change then the user should get the whole update scenario as an option because this thing takes an eternity to start (and asks for my password because of sudo somewhere in the middle)

also I do run the acme on a dedicated machine (my raspi), because I have no other way but the verification with manual gets annoying and because my domains have different webroot paths on the other machine, good luck.

and what are Ansible/Chef/Puppet?

I don’t really want to copy and paste

Ah, I see. Have you filed a bug for this?

what are Ansible/Chef/Puppet

That's a question a search engine easily answers.

well ansible maybe but chef and puppet are really common words, so well…

Wiki works: https://en.wikipedia.org/wiki/Chef_(disambiguation) -> Chef (software)

If you hate the copy and paste, a web interface won’t make anything better for you. Additionally, that web interface would have to know your private account key (but not domain key).

I suppose it could be self-hosted.

well it could be done indirectly by using the account key for a client side certificate.

but only wildcard (to get a bit back to topic) is stupid on its own because if my webmail for example is on another server than the rest I don’t really want to wildcard that because the server then could actually impersonate the whole domain.