Wild card cert first ssl

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
dear all i need to install ssl for the myserver let’s say name is temp.example.com
and i use wild card also domain name from godaddy what the right command should i use
to get cerf for this domain and all subdomain from it

2

up still waiting for support

3

This support is mostely run by volunteers. You’ve waited a whole hour. Also, your post isn’t really that helpful: none of the questions which are required to receive help have been answered.

Therefore, I’m enclined to guess there’s a few more hours to wait until someone has patience enough to help you with your very concise question.

In the mean while, you might be interested in the following document: https://letsencrypt.org/getting-started/

4

i already run sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d temp.mydomain.com -d *.temp.mydomain.com --manual --preferred-challenges dns-01 certonly
i got txt to add in dns i do use godaddy get domain name and dns
so should i add txt record for every subdomain so what is the benefit of wildcard

5

Yes, currently (and I don't know if that's going to change) Let's Encrypt or certbot can't "mix" challenges. So if you need the dns-01 challenge for a wildcard certificate, then all hostnames must be validated by the dns-01 challenges. And for every hostname a separate TXT record is required.

The wildcard certificate is beneficial for the management of multiple domains in your webserver. With a wildcard certificate, you can make use of thousands of different labels without the need of getting a new certificate for every new hostname.

So if you have a certificate with *.example.com for just www.example.com, but you need a new website foo.example.com and perhaps later also bar.example.com, you can just use that single wildcard certificate for all those hostnames. Note: the wildcard hostname *.example.com would not cover foo.temp.example.com, as the wildcard is only valid for a single DNS label. You'd need the wildcard hostname *.temp.example.com for hostnames like foo.temp.example.com and bar.temp.example.com. Note 2: the wildcard hostname is also not valid for the "base" hostname example.com, so like you did correctly, you'd need to add *.example.com and example.com to the same certificate, requiring two TXT records indeed.

6

Letsencrypt allows mixed challenges, Certbot can't use that.

My *.server-daten.de + server-daten.de certificate is created that way: *.server-daten.de via dns validation, server-daten.de via http validation.

--

Created a test certificate:

The wildcard validation:

{
  "identifier": {
    "type": "dns",
    "value": "server-daten.de"
  },
  "status": "valid",
  "expires": "2020-05-27T16:27:49Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/52000447/OJL95w",
      "token": "ku6-U0WvyYmGers3gfQLus3AuXjD2anOqYGTMaPXjtQ",
      "validationRecord": [
        {
          "hostname": "server-daten.de"
        }
      ]
    }
  ],
  "wildcard": true
}

The main domain validation via http:

{
  "identifier": {
    "type": "dns",
    "value": "server-daten.de"
  },
  "status": "valid",
  "expires": "2020-05-27T16:27:50Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/52000448/axzYOw",
      "token": "Z-vPE51hhgQlg9t3NjTPYQU-LE9voXszfnpZ2BQgsU8",
      "validationRecord": [
        {
          "url": "http://server-daten.de/.well-known/acme-challenge/Z-vPE51hhgQlg9t3NjTPYQU-LE9voXszfnpZ2BQgsU8",
          "hostname": "server-daten.de",
          "port": "80",
          "addressesResolved": [
            "85.215.2.226",
            "2a01:238:301b::1226"
          ],
          "addressUsed": "2a01:238:301b::1226"
        }
      ]
    }
  ]
}

If a client supports that, only one TXT entry is required.

7

Good to know it’s indeed a certbot limitation, not an ACME/Let’s Encrypt limitation.

2 Likes
8

related to that so can i have wildcard cert for subdomain and all subdomains from it
without txt record by using Let’s Encrypt

9

Using a TXT record is a policy requirement from the Let’s Encrypt CA in order to get a wildcard certificate. There is no way to get a Let’s Encrypt wildcard certificate without using the DNS-01 method (creating a TXT record in your DNS zone).

10

What do you mean by "every subdomain"? If you tried to get that certificate, you would have to set two TXT records.

11

yes i got it thanks for every subdomain and main one i will have txt record to be added

12

thanks alot for your support

13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.