Wild card cert first ssl

ahmed.aly4 · April 27, 2020, 2:50pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
dear all i need to install ssl for the myserver let’s say name is temp.example.com
and i use wild card also domain name from godaddy what the right command should i use
to get cerf for this domain and all subdomain from it

ahmed.aly4 · April 27, 2020, 3:35pm

up still waiting for support

Osiris · April 27, 2020, 3:44pm

This support is mostely run by volunteers. You’ve waited a whole hour. Also, your post isn’t really that helpful: none of the questions which are required to receive help have been answered.

Therefore, I’m enclined to guess there’s a few more hours to wait until someone has patience enough to help you with your very concise question.

In the mean while, you might be interested in the following document: https://letsencrypt.org/getting-started/

ahmed.aly4 · April 27, 2020, 4:03pm

i already run sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d temp.mydomain.com -d *.temp.mydomain.com --manual --preferred-challenges dns-01 certonly
i got txt to add in dns i do use godaddy get domain name and dns
so should i add txt record for every subdomain so what is the benefit of wildcard

Osiris · April 27, 2020, 4:53pm

Yes, currently (and I don’t know if that’s going to change) ~~Let’s Encrypt or~~ certbot can’t “mix” challenges. So if you need the dns-01 challenge for a wildcard certificate, then all hostnames must be validated by the dns-01 challenges. And for every hostname a separate TXT record is required.

The wildcard certificate is beneficial for the management of multiple domains in your webserver. With a wildcard certificate, you can make use of thousands of different labels without the need of getting a new certificate for every new hostname.

So if you have a certificate with *.example.com for just www.example.com, but you need a new website foo.example.com and perhaps later also bar.example.com, you can just use that single wildcard certificate for all those hostnames. Note: the wildcard hostname *.example.com would not cover foo.temp.example.com, as the wildcard is only valid for a single DNS label. You’d need the wildcard hostname *.temp.example.com for hostnames like foo.temp.example.com and bar.temp.example.com. Note 2: the wildcard hostname is also not valid for the “base” hostname example.com, so like you did correctly, you’d need to add *.example.com and example.com to the same certificate, requiring two TXT records indeed.

JuergenAuer · April 27, 2020, 4:33pm

Letsencrypt allows mixed challenges, Certbot can’t use that.

My *.server-daten.de + server-daten.de certificate is created that way: *.server-daten.de via dns validation, server-daten.de via http validation.

–

Created a test certificate:

The wildcard validation:

{
  "identifier": {
    "type": "dns",
    "value": "server-daten.de"
  },
  "status": "valid",
  "expires": "2020-05-27T16:27:49Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/52000447/OJL95w",
      "token": "ku6-U0WvyYmGers3gfQLus3AuXjD2anOqYGTMaPXjtQ",
      "validationRecord": [
        {
          "hostname": "server-daten.de"
        }
      ]
    }
  ],
  "wildcard": true
}

The main domain validation via http:

{
  "identifier": {
    "type": "dns",
    "value": "server-daten.de"
  },
  "status": "valid",
  "expires": "2020-05-27T16:27:50Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/52000448/axzYOw",
      "token": "Z-vPE51hhgQlg9t3NjTPYQU-LE9voXszfnpZ2BQgsU8",
      "validationRecord": [
        {
          "url": "http://server-daten.de/.well-known/acme-challenge/Z-vPE51hhgQlg9t3NjTPYQU-LE9voXszfnpZ2BQgsU8",
          "hostname": "server-daten.de",
          "port": "80",
          "addressesResolved": [
            "85.215.2.226",
            "2a01:238:301b::1226"
          ],
          "addressUsed": "2a01:238:301b::1226"
        }
      ]
    }
  ]
}

If a client supports that, only one TXT entry is required.

Osiris · April 27, 2020, 4:51pm

Good to know it’s indeed a certbot limitation, not an ACME/Let’s Encrypt limitation.

ahmed.aly4 · April 27, 2020, 10:24pm

related to that so can i have wildcard cert for subdomain and all subdomains from it
without txt record by using Let’s Encrypt

schoen · April 28, 2020, 1:28am

Using a TXT record is a policy requirement from the Let’s Encrypt CA in order to get a wildcard certificate. There is no way to get a Let’s Encrypt wildcard certificate without using the DNS-01 method (creating a TXT record in your DNS zone).

mnordhoff · April 28, 2020, 4:11am

What do you mean by “every subdomain”? If you tried to get that certificate, you would have to set two TXT records.

ahmed.aly4 · April 28, 2020, 8:24pm

yes i got it thanks for every subdomain and main one i will have txt record to be added

ahmed.aly4 · April 28, 2020, 8:24pm

thanks alot for your support

system · May 28, 2020, 8:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.