New guy here, so direct me if appropriate to existing post, but I could not find one myself so far.
I have a registered domain, example.com. (I really have one, but I used the general example).
Advice was to use a subdomain for all internal purposes, so that is bud.example.com. I run internal dns servers for this subdomain.
All internal hosts, servers are of the form hostxyz.bud.example.com.
So, for the cert request, should I request a wildcard *.example.com, and request a SAN listing each hostxyz.bud.example.com?
Or, should I simply request a SAN certificate with all the hostxyz subdomains listed?
Just as a reference I read on digicert site that they offer a wildcard cert, and then one does a SAN on that by requesting a duplicate, and listing all the subdomains. Is there a similar procedure on letsencrypt?
You can request whatever combination of SANs you like with Let’s Encrypt[1].
Perhaps one like this would suit you:
example.com
*.example.com
*.bud.example.com
[1] As long as the SANs are not redundant, e.g. you can’t have both *.example.com and bud.example.com, because the latter is made redundant by the former.
Excellent. Thank you. That’s a lot easier than I was anticipating.
I will try it out soon.
Actually I recall why I thought this would be more difficult. I was under the impression that a wildcard could only be one level below the registered domain name. Since my registered domain name is example.com, I figured I could only request *.example.com as a wildcard. There can be no dots in the * wildcard part.
*.bud.example.com would not be allowed because bud.example.com is not registered.
Hoping I am wrong. If I am wrong and it is easy, then is that because letsencrypt does some magic with the requests to make it easier for users?
The only requirement with Let's Encrypt is that the wildcard label is the left-most label.
It doesn't have to be next to the registered domain.
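The two rules in this thread, that a wildcard must be the whole left-most label and that a SAN is redundant when another name in the same request already covers it, can be checked before submitting a request. The script below is an added example, not code from the thread or from Let's Encrypt; the function names and the sample name lists are assumptions, and it applies the standard matching rule that `*` stands for exactly one label (so `*.example.com` covers `bud.example.com` but not `host1.bud.example.com`).

```python
"""Sanity-check a proposed SAN list for wildcard placement, redundancy and coverage.

Added example for the thread above; not the forum's or Let's Encrypt's code.
Assumed rule: '*' is honoured only as the entire left-most label and matches
exactly one label (no dots). Public-suffix checks are out of scope here.
"""


def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def is_valid_name(name: str) -> bool:
    """True for a plain hostname or a wildcard whose '*' is the whole left-most label."""
    labels = _norm(name).split(".")
    if any(not label for label in labels):        # empty label, e.g. "a..b"
        return False
    if "*" in labels[0]:
        if labels[0] != "*" or len(labels) < 2:   # "ho*st.example.com" or bare "*"
            return False
        labels = labels[1:]
    return all("*" not in label for label in labels)  # no '*' in inner labels


def covers(name: str, host: str) -> bool:
    """Return True if certificate name `name` matches `host` under the one-label wildcard rule."""
    name, host = _norm(name), _norm(host)
    if not name.startswith("*."):
        return name == host
    suffix = name[1:]                  # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]        # the part the '*' must absorb
    return bool(left) and "." not in left


def invalid_wildcards(sans: list[str]) -> list[str]:
    """Names whose wildcard is not the left-most whole label (Let's Encrypt would reject these)."""
    return [s for s in sans if not is_valid_name(s)]


def redundant_sans(sans: list[str]) -> list[str]:
    """Names already covered by another name in the same request (the [1] footnote above)."""
    norm = [_norm(s) for s in sans]
    return [s for s in norm if any(o != s and covers(o, s) for o in norm)]


def uncovered_hosts(sans: list[str], hosts: list[str]) -> list[str]:
    """Hosts that none of the requested names would cover."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed sample request, mirroring the names used in the thread.
    request = ["example.com", "*.example.com", "*.bud.example.com"]
    internal_hosts = ["www.example.com", "host1.bud.example.com", "a.b.bud.example.com"]
    print("invalid wildcards:", invalid_wildcards(request))
    print("redundant SANs:   ", redundant_sans(request))
    print("uncovered hosts:  ", uncovered_hosts(request, internal_hosts))
```

Running it on the three-name request from the answer above reports no invalid or redundant names, but flags `a.b.bud.example.com` as uncovered: a host two labels below `bud.example.com` needs its own name or a deeper wildcard, because `*.bud.example.com` only absorbs one label.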
Thanks again! Time to try it out.