Want to generate wildcard cert using cname

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Example details
My domain is: test1.com

I ran this command:

It produced this output:

My web server is (include version): nginx but cert only

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
root@www:/home/ubuntu# certbot --version
certbot 0.27.0
root@www:/home/ubuntu#

I have two domains, namely x.com and y.com; test.x.com is pointed as a CNAME to y.com.
I want to generate a wildcard cert for y.com using x.com. The reason behind this approach is that y.com is the production domain and I do not want too many modifications on y.com.

To generate a certificate for *.y.com the machine that has to respond to the verification has to be the one that is pointed to by y.com. Unless you temporarily point y.com. to the machine that is servicing x.com, the machine that is servicing x.com can't be issued the *.y.com certificate.

There might be ways to automate what you want to do, but it would be tricky and would depend on setting the ttl for your domains to zero and messing about with your zone files in scripts in a coordinated way. Not something I would want to do on a production server. It would be far less invasive to put the certificate renewal infrastructure on the machine servicing y.com to get its wildcard certificate renewed.

Think of what you are asking. It is no different than if I point itsminetrustme.mypersonaldomain.com as a CNAME to google.com and saying, ok, please give me a wildcard certificate for *.google.com. See, I have a CNAME pointing to google.com so it must belong to me.


Hi,
Thanks for the response. I was thinking more on the lines of SAN names.
Can I use SANs if I have to include more than one domain? ( and not use CNAMEs)

How does authentication of DNS happen if we use SAN?

Thanks,
Suresh

Actually, I was incorrect. I am thinking of http01 challenge verification, and that isn't used for wildcards.

For wildcards you will be using DNS verification. Where is the DNS server for the y.com domain?


Both are under the same organisation, in AWS Route 53.

You still can't use a CNAME to verify your domain. You need DNS access to y.com. The requirements are to add a TXT record to that domain. You should understand DNS and TXT records in general.

Text records: TXT record - Wikipedia
Lets Encrypt and DNS challenges: Challenge Types - Let's Encrypt
And a howto on automating it: https://www.heelpbook.net/2021/getting-lets-encrypt-certificate-using-dns-01-challenge-with-acme-dns-certbot-joohoi-or-acme-sh/

If you want to get a certificate covering both *.x.example and *.y.example, then you need to have your software create TXT records for _acme-challenge.x.example and _acme-challenge.y.example. Whether the base x.example is a CNAME or not isn't really relevant.

Where a CNAME comes in handy, is that if your programmatic system doesn't have access to .y.example but you still can create manual records for it, but you do have programmatic access to the .x.example zone, then you could create a CNAME record for _acme-challenge.y.example to point to something like y-acme-challenge.x.example. Then your ACME client only needs to edit records in the x.example zone in order to get the certificate. I think that's what you're saying you're trying to do, but I may not quite be following what you're saying.

Not every client makes it particularly easy to configure having it update the names that way (since you need to tell it that when the server asks it to make a record for _acme-challenge.y.example it actually needs to make the record for y-acme-challenge.x.example). In particular, I'm not sure if certbot has that ability, so you might need to try some other client with Route 53 access. I've heard good things about acme.sh having this kind of flexibility (see DNS alias mode) but I've not used it myself, and you may want to explore the full client list.

  • have two domains x.com and y.com
  • test.x.com CNAME y.com
  • want to generate wildcard cert for y.com using x.com
  • y.com is the production domain and they do not want too many modifications on y.com

Firstly, a certificate for y.com would only work for y.com, not test.x.com, because test.x.com CNAME y.com is not a redirect to y.com.

Secondly, using a CNAME from x.com to y.com would only allow delegation of obtaining a wildcard certificate for x.com to y.com, not the other way around. If you want to delegate getting a certificate for y.com to test.x.com, you would need the CNAME to be in the DNS for y.com pointing to test.x.com.

So...

  1. Remove the CNAME in the x.com DNS that points to y.com

  2. Add this CNAME in the y.com DNS:

_acme-challenge.y.com CNAME test.x.com

  3. Proceed with obtaining a *.y.com wildcard certificate by adding TXT records to test.x.com
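The CNAME direction discussed in the two replies above (the DNS alias explanation and the numbered steps) can be checked offline with a small simulation. This is an added example, not code from the thread or from any ACME client: it computes the DNS-01 TXT value the way RFC 8555 section 8.4 specifies (base64url of SHA-256 over token.thumbprint) and follows CNAMEs through a constructed toy zone to show which layout actually lets a validator find the record for _acme-challenge.y.com. The token and account thumbprint are constructed placeholder strings.

```python
import base64
import hashlib

# Constructed placeholder values; a real CA issues the token, and the
# thumbprint is derived from the ACME account key (RFC 7638).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value for a DNS-01 challenge: base64url(SHA-256(key authorization)), unpadded."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def lookup_txt(zone: dict, name: str, max_hops: int = 8) -> set:
    """Return the TXT strings found at the end of the CNAME chain starting at name.

    zone maps an FQDN (with trailing dot) to a list of (rrtype, value) pairs.
    Loops and chains longer than max_hops yield an empty set, as a resolver would fail.
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return set()          # CNAME loop
        seen.add(name)
        rrs = zone.get(name, [])
        cnames = [value for rrtype, value in rrs if rrtype == "CNAME"]
        if cnames:
            name = cnames[0]      # a name with a CNAME has no other data; follow it
            continue
        return {value for rrtype, value in rrs if rrtype == "TXT"}
    return set()


def dns01_validates(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """Simulate the validator: is the expected TXT reachable from _acme-challenge.<domain>?"""
    expected = dns01_txt_value(token, thumbprint)
    return expected in lookup_txt(zone, f"_acme-challenge.{domain}.")


# Layout from the numbered steps: the CNAME lives in the y.com zone and points
# at test.x.com, so the client only ever writes TXT records in the x.com zone.
GOOD_ZONE = {
    "_acme-challenge.y.com.": [("CNAME", "test.x.com.")],
    "test.x.com.": [("TXT", dns01_txt_value(TOKEN, THUMBPRINT))],
}

# The original layout: test.x.com CNAME y.com. Nothing exists at
# _acme-challenge.y.com, so a TXT written under test.x.com is never consulted.
BAD_ZONE = {
    "test.x.com.": [("CNAME", "y.com.")],
    "_acme-challenge.test.x.com.": [("TXT", dns01_txt_value(TOKEN, THUMBPRINT))],
}
```

Running `dns01_validates(GOOD_ZONE, "y.com", TOKEN, THUMBPRINT)` returns True while the same call against `BAD_ZONE` returns False, which is exactly the direction point made in the replies.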
