Root domain on one host, wildcard domain on another

Hello, I’m a developer doing some work at infrastructure and without a good background on dns, etc.

TL;DR

Where I work we have many subdomains at the domain given bellow. For every new customer of ours, we create 2 new sudomains, one A and another CNAME. What we’re trying to do nowadays is transferring this logic to a wildcard based one, for which we need a wildcard certificate.

More context

I’m having some trouble with the language here, so here goes a more detailed description:

we have the root domain cidadesaudavel.com and some A and CNAME records for each customer, like

some-customer-city.at-some-customer-state.cidadesaudavel.com and www.some-customer-city.at-some-customer-state.cidadesaudavel.com.cidadesaudavel.com

The customer’s applications are handled by three different hosts, and our root domain is served by a fourth. We are trying to use/create a wildcard certificate for a fifth host to where we are migrating our infrastructure step by step, while solving the problem of having to create a new certificate for every new customer.

The main point

What I would like help is with how can we manage the creation and administration of the wildcard certificate, taking into account that the domain points to a host, and the wildcard certificate would be placed into another.

I currently don’t know if this is the best approach, If here is the best place for opening this topic, but any help would be greatly appreciated.

If you people know any good resource on the topic, sharing would also be really helpful.

More info

My domain is: cidadesaudavel.com

My web server is (include version):

Package: apache2
Version: 2.4.29-1ubuntu4.14

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I don't understand this part. If a client connects to "a host" (like in the first part of your sentence), the certificate would need to be at that host. What role does the "another" host have here?

The only way to obtain a wildcard certificate (right now) is to use the DNS-01 challenge, so in terms of obtaining and administering certificates... you'll need to use this method.

Since the domains belong to your clients and not you, you will need to control their DNS records. This will likely be an issue for them, so you will need to use a system in which you have them delegate the DNS authorization to something you control, like an acme-dns instance.

Since DNS-01 is being used, you can run certbot on any machine (a webserver or your laptop) to obtain a certificate for both the wildcard and root for each client, and then deploy them onto your machines (rsync, etc).

You could also just run cerbot on the various machines - one gets a wildcard with the DNS-01 challenge, the other gets the root domain with a HTTP-01 or DNS-01 challenge.

I think it would be much easier to group the certs by client though, and just distribute them to the machines.

Based on their words and domain name, I am assuming @leolleocomp uses English as a second (or third) language and is a native Portuguese speaker.

@leolleocomp I think I understand what you meant, but I could be wrong. My Portuguese is absolutely terrible, but there is a dedicated forum here if you feel more comfortable posting in your first language -- Ajuda (em português) - Let's Encrypt Community Support

Hi @leolleocomp

can you explain that? Why one A, one CNAME? A sample is helpful.

Only subdomains of cidadesaudavel.com or with an additional customerdomain (something like yourservice.customercompany.com)?

You can create one certificate with one domain name (main domain or wildcard). Normally, a wildcard certificate has both domain names -> create one certificate (via dns validation), then use / deploy it to different servers.

If the two hosts are independent, their certificates will be independent. You can obtain a wildcard certificate from one host, and the other certificate from the other host, no problem. Just make sure the challenges can go through.

Hey, thank you! You’re right I’m a native Portuguese speaker. The english is more for practicing purposes so I’m forcing myself into writing, reading, and when I get the chance speaking. I think I can solve the understanding problems with more examples. Anyway, if it becomes troublesome for me and the people trying to help I’m going for the Portuguese alternative.

I edited the text trying to make it more informative, it helped? Also thank you for your time.

Hello @jvanasco, thank you for the reply! Sorry for not making it clear the message in my topic, but we actually control the certs, domain, and etc of our customers, so we have control here. I’m thinking about your words on the cerbot on the various machines, I’m going to try this approach.

I’ve edited the topic and tried to better describe the scenario.

Can you define what a “host” is to you?

• VirtualHost or a server block in apache/nginx/etc
• An application
• A machine

Based on your context, I interpreted it as a specific machine.

Another option to consider is terminating SSL on a gateway or webserver which can do an “autocert” and obtain a certificate on demand. Caddy does this out-of-the-box, there are plugins for other web servers and gateways. In this model, you wouldn’t care about matching a certificate to a host, server or application – all the certificates and SSL Termination happen where the Internet meets your intranet.

But if you want wildcards, you need to use the DNS-01 challenge and will have to design your solution around that.

Thank you again! In the text I was using host but trying to say machine, you’re right.
I’ll think about this other option, and take the issue about wildcard into account when discussing the trade-offs with the team I work with.

Thank you for the reply. I’ve detailed it a bit better after the feedbacks.

There are only subdomains for every customer, the CNAME is used for www, like www.somecity.somestate.com -> points to -> somecity.somestate.com .

I am taking notes on the options you people are giving to evaluate later. Most of the problem is my lack of technical knowledge around dns, ssl and etc.

Thank you! I didn’t know that. Possibly this is what solves the issue for the team, for the setup we have right now. Probably what lives at the heart of the problem is the lack of technical knowledge from my part.

Please note that the term “domain” has become ambigous.
In Javascript-Context it describes basically a host (identified by its domain name) from which scripts are loaded.
in DNS context a domain is a named collection of objects (a named zone); objects are represented by records. Objects of type host are for example in A, AAAA oder CNAME records; sub-domains can also be included in a domain.
The one zone that has no name is called the root zone.

By this terminology, you are creating two host entries in the DNS zone (domain), which each act as domains in the Javascript sense.

This is pretty confusing, especially for old farts like me who are used to DNS terminology from a time where Tim B.-L. had not even specified http…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.