Please support wildcard certificates


#22

@schoen maybe an alternative is using SAN and allowing a preset template of common subdomains to be listed.

So end user could create a template of common subdomains

sub1.domain.com
sub2.domain.com
sub3.domain.com

Then run the client against the template and generate a SAN SSL cert with those subdomains?

Some folks like myself have common subdomain hosts which I create i.e. blog, news, support, forums, community, portal, downloads, email, mail, shop, cdn, cdn2, cdn3, image, image2, image3, static etc. For subdomains I have a preset list of ~100 subdomains which are most used for myself :slight_smile:

SSL crt, csr, and key size wise it would be much larger though. It would probably help to have ECC 256 bit SSL support so that you can reduce the size by up to 66% :slight_smile:


#23

Wanted to share another specific use case that requires wildcard certs. https://sandstorm.io is a system that attempts to make installing open source apps easier for folks less tech-minded. When an instance is created, it uses a random wildcard domain. I’m not sure of the technical details, but you can read all about it on their website.

Let’s Encrypt wildcard cert support would be helpful for folks wishing to create a self-hosted Sandstorm instance accessible via SSL/TLS.


#24

It’s true wildcard certificates may be useful for these cases but I think a better solution would be for Sandstorm to integrate with LE directly and request/validate a certificate as part of its service deployment process. This would keep the complexity ‘behind the curtain’ so to speak and be a better choice for cross-subdomain security in general.


#25

The volume of new hostnames a Sandstorm instance generates seems like it would get large quickly.

Paraphrasing from https://docs.sandstorm.io/en/latest/administering/wildcard/
Sandstorm creates cryptographically random hostnames for each session / user / application instance. Sandstorm also segregates documents into separate application instances where possible.

If I was to log in and create 3 etherpad documents, each document has its own hostname as each runs in a separate instance. If I share those documents with a friend, my friend will have a hostname for each document. If I step away and log back in, those 3 original hostnames I accessed documents with are destroyed and I have a new 3…

Sandstorm has a fascinating design, but it pretty firmly requires a wildcard cert. This could be a wildcard on a subdomain–maybe this limitation has value? It would be awesome if someone could install Sandstorm and start hosting their own web apps over HTTPS in a way they could share with a few clicks of effort.

Here’s a thread from the Sandstorm dev list
https://groups.google.com/forum/#!topic/sandstorm-dev/-CvczbyYgmo
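
Posts #22 and #25 contrast a fixed list of SAN names with hostnames generated at random per session. As an added illustration (not part of any post in this thread, and not Let's Encrypt or Sandstorm code), this sketch checks which hostnames a certificate's SAN entries cover under the usual single-label wildcard rule; `example.com` and the random hostname format are assumptions.

```python
import secrets

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only as the whole leftmost label, one label deep."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Conservative rule: refuse wildcards directly under a TLD (e.g. *.com);
        # the remaining labels must match exactly.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered(san_list, hostnames):
    """Return the hostnames that no SAN entry of the certificate covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_list)]

# Constructed sample data: example.com stands in for the real domain.
TEMPLATE_SANS = ["sub1.example.com", "sub2.example.com", "sub3.example.com"]
WILDCARD_SANS = ["example.com", "*.example.com"]

def random_session_hosts(n, base="example.com"):
    """Hypothetical stand-in for per-session hostnames, not Sandstorm's real format."""
    return [f"{secrets.token_hex(16)}.{base}" for _ in range(n)]

if __name__ == "__main__":
    sessions = random_session_hosts(3)
    # A fixed SAN template cannot anticipate names that did not exist at issuance.
    print("template cert misses:", uncovered(TEMPLATE_SANS, sessions))
    # The wildcard covers every single-label subdomain, known in advance or not.
    print("wildcard cert misses:", uncovered(WILDCARD_SANS, sessions))
    # It does not reach two labels deep.
    print("wildcard depth limit:", uncovered(WILDCARD_SANS, ["a.b.example.com"]))
```

The bare domain is covered in `WILDCARD_SANS` only because it is listed as its own entry; `*.example.com` alone does not match `example.com`.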


#26

We’re aware of this; the Sandstorm developers contacted us several months ago and explained their use case, which makes perfect sense. However, we told them that we couldn’t help them for the time being.


#27

For the benefit of others, I did some research. As of the current date, the cheapest wildcard certificate available is $94/yr from Namecheap reselling Comodo (PositiveSSL brand).


#28

[quote=“riking, post:27, topic:258, full:true”]
For the benefit of others, I did some research. As of the current date, the cheapest wildcard certificate available is $94/yr from Namecheap reselling Comodo (PositiveSSL brand).
[/quote]

Well, there are cheaper options if you go through resellers and such where you can get wildcards for between US$35-55/yr. I have reseller accounts with a few SSL providers and normally just resell to my private consulting clients or my Centmin Mod Premium members.

Still would be nice for Let’s Encrypt to offer wildcards as the automation process will make it a lot easier, especially for folks looking at SSL certs for performance reasons i.e. SPDY or HTTP/2


#29

Personally, I’m in favor of LE waiting until they know everything is working right, and some of the weird edge cases are known, before trying to issue wildcards. I’m only running with 4 subdomains right now, so I would be happy with the standard client :slight_smile:


#30

I also vote for wildcard certificates. Of course it’s possible to get by without them, but they make my server management so much easier.

One cert to rule them all!


#31

At first I was thinking this was not a needed feature but I can understand the use cases presented. It is something I would like to see but having it at launch is not a damper on the project if you ask me. I don’t think we are going to see a mass exodus to Let’s Encrypt overnight and there will always be people I think that don’t trust it because it is free. I was thinking of using the service in my home lab where it is not feasible for me to spend hundreds if not thousands a year for certificates to run on hand me down hardware. While a wildcard would make this easier for me to add hosts as I try out new products or spin up servers I can live with having to do a few minutes of manual intervention and it is pretty easy to keep a text file or something with all of the SANs I need to reference. It also allows me to re-use a certificate on a server if I have to tear it down and rebuild it due to a configuration issue or something. I would hate having a cert that is used for 4 days then never used again. Then on the other hand I see that being better than just using a wildcard to mask all of those changes.

Adding my viewpoint to help add some exposure to the topic.


#32

+1 for wildcard support


#33

+1 for wildcard support

I have 4 domains and multiple sub domains and an xmpp server (ejabberd) on one of those sub domains.


#34

+1 for wildcard support


#35

:+1: +1 for wildcard support.


#36

+1 for wildcard support!

Really all this SSL certificate management is just one big pain in the ***. It is so much easier to have one cert that covers all subdomains as well as the corresponding tld.

Why would anyone even think about leaving wildcards certs behind?

This is a great project! Looking forward to launch!


#37

+1 for wildcard support !


#38

Would love to have wildcard certs supported sooner rather than later.


#39

I would really like wildcard support! I run a (free) service that allows people to choose their own subdomains in real time (and change the subdomain at any time). I would like to be able to offer them SSL, but it would only be possible with a wildcard certificate.

I’m happy to put money towards making this happen for everyone. I’ve created a campaign to help try and make it happen at https://www.co-funded.com/letsencrypt.org/s/Add-support-for-wildcard-certificates


#40

Can you provide us with a source where one, as a reseller, can get them for that price (35-55$), please?


#41

GoGetSSL is one… I’m using their GGSSL Wildcard on my forums https://community.centminmod.com and https://sslspdy.com sites