Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: test1.com
I ran this command:
It produced this output:
My web server is (include version): nginx but cert only
The operating system my web server runs on is (include version): ubuntu
My hosting provider, if applicable, is: aws
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot):
root@www:/home/ubuntu# certbot --version
I have two domains, namely x.com and y.com; test.x.com is pointed as a CNAME to y.com.
I want to generate a wildcard cert for y.com using x.com. The reason behind this approach is that y.com is the production domain and I do not want too many modifications on y.com.
To generate a certificate for *.y.com, the machine that has to respond to the verification has to be the one that is pointed to by y.com. Unless you temporarily point y.com. to the machine that is servicing x.com, the machine that is servicing x.com can't be issued the *.y.com certificate.
There might be ways to automate what you want to do, but it would be tricky and would depend on setting the TTL for your domains to zero and messing about with your zone files in scripts in a coordinated way. Not something I would want to do on a production server. It would be far less invasive to put the certificate renewal infrastructure on the machine servicing y.com to get its wildcard certificate renewed.
Think of what you are asking. It is no different than if I point itsminetrustme.mypersonaldomain.com as a CNAME to google.com and say, "OK, please give me a wildcard certificate for *.google.com. See, I have a CNAME pointing to google.com, so it must belong to me."
Thanks for the response. I was thinking more along the lines of SAN names.
Can I use SANs if I have to include more than one domain (and not use CNAMEs)?
How does authentication of DNS happen if we use SANs?
Actually, I was incorrect. I am thinking of http01 challenge verification, and that isn't used for wildcards.
For wildcards you will be using DNS verification. Where is the DNS server for the y.com domain?
Both are under same organisation, in aws route 53
You still can't use a CNAME to verify your domain. You need DNS access to y.com. The requirements are to add a TXT record to that domain. You should understand DNS and TXT records in general.
Text records: TXT record - Wikipedia
Let's Encrypt and DNS challenges: Challenge Types - Let's Encrypt
And a howto on automating it: https://www.heelpbook.net/2021/getting-lets-encrypt-certificate-using-dns-01-challenge-with-acme-dns-certbot-joohoi-or-acme-sh/
If you want to get a certificate covering both y.example and *.y.example, then you need to have your software create TXT records for _acme-challenge.y.example. Whether the base x.example is a CNAME or not isn't really relevant.
Where a CNAME comes in handy is that if your programmatic system doesn't have access to y.example but you still can create manual records for it, and you do have programmatic access to the x.example zone, then you could create a CNAME record for _acme-challenge.y.example to point to something like y-acme-challenge.x.example. Then your ACME client only needs to edit records in the x.example zone in order to get the certificate. I think that's what you're saying you're trying to do, but I may not quite be following what you're saying.
Not every client makes it particularly easy to configure having it update the names that way (since you need to tell it that when the server asks them to make a record for _acme-challenge.y.example they actually need to make the record for y-acme-challenge.x.example). In particular, I'm not sure if certbot has that ability, so you might need to try some other client with Route 53 access. I've heard good things about acme.sh having this kind of flexibility (see DNS alias mode) but I've not used it myself, and you may want to explore the full client list.
- have two domains
- want to generate wildcard cert for y.com using x.com
- y.com is production domain and do not want too many modifications on y.com
Firstly, a certificate for
y.com would only work for
y.com is not a redirect to
Secondly, using a CNAME from
y.com would only allow delegation of obtaining a wildcard certificate for
y.com, not the other way around. If you want to delegate getting a certificate for
test.x.com, you would need the CNAME to be in the DNS for
y.com pointing to
- Remove the CNAME in the x.com DNS that points to y.com.
- Add this CNAME in the y.com DNS:
_acme-challenge.y.com CNAME test.x.com
- Proceed with obtaining a *.y.com wildcard certificate by adding TXT records to test.x.com.
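As an added worked example (not code from this thread, from Let's Encrypt or from any ACME client), the script below models what the two answers above describe: the CA looks up the TXT record at _acme-challenge.<name> for a dns-01 challenge, following CNAMEs like any resolver, so the only delegation that helps is a CNAME at _acme-challenge.y.example into a zone the client can write. The x.example / y.example records stand in for the thread's x.com / y.com and are a constructed in-memory dict, not real DNS; the token and account-key thumbprint are made up.

```python
"""Offline model of a dns-01 validation, showing why the OP's CNAME on
test.x.example -> y.example does nothing for *.y.example, while a CNAME on
_acme-challenge.y.example -> y-acme-challenge.x.example lets the ACME client
write only in the x.example zone. Constructed example, not CA or client code."""
import base64
import hashlib


def challenge_name(identifier: str) -> str:
    """Name the CA queries for dns-01: the wildcard label is stripped first (RFC 8555 s8.4)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


def expected_txt(token: str, account_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)) with '=' padding removed."""
    key_authorization = (token + "." + account_thumbprint).encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def resolve_txt(records: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs from `name` as a resolver would; return the TXT strings at the chain's end."""
    seen = set()
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        rrs = records.get(name, [])
        cnames = [value for rtype, value in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0].rstrip(".").lower()  # a CNAME restarts the lookup at its target
            continue
        return [value for rtype, value in rrs if rtype == "TXT"]
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def dns01_valid(records: dict, identifier: str, token: str, account_thumbprint: str) -> bool:
    """What the CA checks: some TXT string at the challenge name equals the expected value."""
    try:
        found = resolve_txt(records, challenge_name(identifier))
    except ValueError:  # loops and over-long chains fail validation rather than crash
        return False
    return expected_txt(token, account_thumbprint) in found


def build_zones(txt_value: str, delegated: bool) -> dict:
    """Constructed x.example / y.example records standing in for the thread's x.com / y.com.

    The ACME client only ever writes into x.example (y-acme-challenge.x.example).
    With delegated=True, y.example carries the single manual CNAME the thread recommends."""
    records = {
        # The OP's existing record; it never enters the lookup for *.y.example.
        "test.x.example": [("CNAME", "y.example.")],
        "y.example": [("A", "192.0.2.10")],
        # Where a client with Route 53 access to x.example only publishes the token.
        "y-acme-challenge.x.example": [("TXT", txt_value)],
    }
    if delegated:
        records["_acme-challenge.y.example"] = [("CNAME", "y-acme-challenge.x.example.")]
    return records


if __name__ == "__main__":
    TOKEN = "constructed-token-not-from-a-real-order"        # made up
    THUMB = "constructed-account-key-thumbprint"             # made up
    txt = expected_txt(TOKEN, THUMB)
    print("publish TXT", txt, "at y-acme-challenge.x.example")
    print("delegated   :", dns01_valid(build_zones(txt, True), "*.y.example", TOKEN, THUMB))
    print("undelegated :", dns01_valid(build_zones(txt, False), "*.y.example", TOKEN, THUMB))
```

Running it validates the *.y.example order only when _acme-challenge.y.example is a CNAME into the zone the client can write; remove that one record and the same TXT in x.example is never consulted, which is the point the answers above make about the OP's test.x.example CNAME. Against live DNS the same chain can be inspected with dig TXT _acme-challenge.y.example (the answer section shows the CNAME followed by the TXT) before asking the CA to validate.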
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.