Wild Card Domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I would like to set up a single certificate for my entire domain bios-living.com that works for all the hosts on that name (admin.bios-living.com, www.bios-living.com, mail.bios-living.com, etc.).

This is running on a non-standard GNU/Linux system with a manual build of Apache and BIND. I run BIND and Apache:

aps:/usr/local/apache2/htdocs # …/bin/httpd -v
Server version: Apache/2.4.41 (Unix)
Server built: Jan 7 2020 05:36:04

BIND 9.9.6

The documentation says to use Docker, and I don't understand why. I am sure this has been asked dozens of times, but this documentation is just too thin and it leaves me confused.


If Certbot’s RFC2136 plugin is not packaged for your environment (which is why the Docker suggestion is made), you could try using the RFC2136/nsupdate functionality built into acme.sh: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#7-use-nsupdate-to-automatically-issue-cert

It should work in any reasonable Linux environment.


You're suggesting using acme.sh instead of Certbot? Why? What does it matter if I am using it in Docker or not? If it works in Docker it will work in the normal environment.

I just really need a simple HowTo for the *.domains, even if I use BIND… if it exists. I don't need Docker.

Well, the how-to for Certbot’s RFC2136 plugin is here: https://certbot-dns-rfc2136.readthedocs.io/en/latest/

If certbot and certbot-dns-rfc2136 are packaged for your Linux distribution, then just install them from its repositories. In that case, you don't need to use Docker, and you can then follow the above link exactly.

If the Certbot website suggests running Certbot via Docker, it’s because it thinks that the DNS plugins are not packaged for your Linux distribution.

For example, have a look at the instructions for Debian Buster (stable). There is no mention of Docker, you can install the DNS plugins directly from Debian Buster’s repositories.

On the other hand, if you select e.g. “Other UNIX”, the website has no idea whether the DNS plugins are packaged for your operating system or not, so the portable fallback it provides is using the Docker images.

I hope that helps unravel why Docker is suggested.


It does somewhat accept that Docker doesn't work on other Unix? It is not going to work on AIX or HP-UX, BSD, etc. Does it work with Guix even? I hear you though. But why not just download the DNS plugin as source?

I’m not here to defend the choices of the Certbot project, but yes, you can do that if you like.

It’s discouraged for regular users probably because pip install or python setup.py install outside of a virtual environment is a footgun, and anybody who isn’t a Python developer isn’t going to know it.


The instructions say to use dnssec-keygen with -a HMAC-SHA512, which doesn't exist in BIND 9.16.2.

Can I use a different algorithm? I have choices :)

-a algorithm
    Selects the cryptographic algorithm. For DNSSEC keys, the value of
    algorithm must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
    RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
    TKEY, the value must be DH (Diffie Hellman); specifying this value
    will automatically set the -T KEY option as well.

    These values are case insensitive. In some cases, abbreviations are
    supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
    ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option,
    then NSEC3RSASHA1 will be used instead.

    This parameter must be specified except when using the -S option,
    which copies the algorithm from the predecessor key.

    In prior releases, HMAC algorithms could be generated for use as
    TSIG keys, but that feature has been removed as of BIND 9.13.0. Use
    tsig-keygen to generate TSIG keys.

Yeah, I noticed the same last time I did it. But the solution is mentioned in the doc you posted:

Replace dnssec-keygen with tsig-keygen and the rest is the same.

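Putting the two answers above together (the certbot-dns-rfc2136 how-to, and the tsig-keygen substitution for dnssec-keygen), the following is an added shell example written for this page; it is not code from the thread, from the Certbot project or from ISC. It generates an HMAC-SHA512 TSIG secret, writes the BIND key statement and a zone stanza whose update-policy lets that key change only the _acme-challenge TXT record, writes the plugin's credentials file with 0600 permissions, and offers an nsupdate pre-flight so a broken policy shows up before Let's Encrypt is involved. Assumptions not taken from the thread: the key is named "certbot.", BIND answers on 127.0.0.1:53, the zone file lives at /etc/bind/db.bios-living.com, and the output directory is /etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not from the thread, Certbot or ISC.
# Produces the TSIG key, BIND stanzas and certbot-dns-rfc2136 credentials for a
# wildcard on bios-living.com.  Assumptions (not from the thread): key name
# "certbot.", BIND at 127.0.0.1:53, zone file /etc/bind/db.bios-living.com.
set -eu

ZONE="bios-living.com"
KEYNAME="certbot."
SERVER="127.0.0.1"

# 64 random bytes, base64-encoded: the same secret size tsig-keygen -a hmac-sha512
# emits.  Prefer tsig-keygen where the BIND build has it (dnssec-keygen lost the
# HMAC algorithms in 9.13.0); fall back to /dev/urandom on builds without it.
gen_tsig_secret() {
    if command -v tsig-keygen >/dev/null 2>&1; then
        tsig-keygen -a hmac-sha512 "$KEYNAME" | sed -n 's/.*secret "\(.*\)";/\1/p'
    else
        head -c 64 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Key statement in the same shape tsig-keygen prints; nsupdate -k reads it too.
write_tsig_keyfile() {   # $1 secret, $2 output path
    : > "$2"; chmod 600 "$2"
    cat > "$2" <<EOF
key "$KEYNAME" {
    algorithm hmac-sha512;
    secret "$1";
};
EOF
}

# Zone statement: the key may touch ONLY the TXT record dns-01 uses.  The apex and
# the wildcard both validate via _acme-challenge.$ZONE, so one grant covers
# -d bios-living.com -d '*.bios-living.com'.
write_zone_snippet() {   # $1 output path
    cat > "$1" <<EOF
zone "$ZONE" {
    type master;
    file "/etc/bind/db.$ZONE";
    update-policy {
        grant $KEYNAME name _acme-challenge.$ZONE. TXT;
    };
};
EOF
}

# Credentials for certbot-dns-rfc2136; certbot warns if others can read this file.
write_certbot_ini() {    # $1 secret, $2 output path
    : > "$2"; chmod 600 "$2"
    cat > "$2" <<EOF
dns_rfc2136_server = $SERVER
dns_rfc2136_port = 53
dns_rfc2136_name = $KEYNAME
dns_rfc2136_secret = $1
dns_rfc2136_algorithm = HMAC-SHA512
EOF
}

# Portable 0600 check (GNU and BSD ls agree on the first ten characters).
is_owner_only() {        # $1 path
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Pre-flight against the live server: add, then delete, a throwaway TXT at the
# challenge name.  A REFUSED here points at the update-policy, not at ACME.
preflight_nsupdate() {   # $1 TSIG key file
    nsupdate -k "$1" <<EOF
server $SERVER
update add _acme-challenge.$ZONE. 60 TXT "rfc2136-preflight"
send
update delete _acme-challenge.$ZONE. TXT
send
EOF
}

main() {                 # $1 output directory, e.g. /etc/letsencrypt
    secret="$(gen_tsig_secret)"
    write_tsig_keyfile "$secret" "$1/tsig-certbot.key"
    write_zone_snippet "$1/named-acme.conf"
    write_certbot_ini "$secret" "$1/rfc2136.ini"
    is_owner_only "$1/rfc2136.ini"
    echo "1. named.conf: include \"$1/tsig-certbot.key\"; plus the zone in $1/named-acme.conf; then rndc reload"
    echo "2. key test:   nsupdate -k $1/tsig-certbot.key  (what preflight_nsupdate runs)"
    echo "3. issue:      certbot certonly --dns-rfc2136 --dns-rfc2136-credentials $1/rfc2136.ini -d $ZONE -d '*.$ZONE'"
}

# Usage: sh rfc2136-setup.sh /etc/letsencrypt   (no argument: only define the functions)
[ $# -eq 0 ] || main "$1"
```

The grant is deliberately narrow: a TSIG key that may rewrite arbitrary records in the zone is a zone-takeover credential sitting in a plaintext file on the web server, whereas a key limited to one TXT name can at worst disrupt your own ACME validation. Running preflight_nsupdate after rndc reload separates BIND-side mistakes from ACME-side ones.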
