Wildcard cert renewal failure


#1

received warning email

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 25 Feb 19 16:35 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

*.colmena.biz

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

DNS-based acme challenge-response

RFC 2136

Why not just query a randomly generated subdomain to prove that the * record exists?

It’s supposed to be a cryptographic “challenge,” not a “challenge” of technical proficiency.

Otherwise, I might have to delegate a new zone such as

abejas.colmena.biz

to my own name servers and attempt the “challenge” for

*.abejas.colmena.biz

Sadly, I do not see this as a good faith challenge, and, well, in other news, I was almost gassed to death in my home last night, so I have backed off from using the wildcard for the time being.


#2

Hi @justinacolmena

it’s simple: If you want a new certificate, you must prove you are the domain owner.

Every certificate expires.

Some CAs send a mail with a link. Or you can use the ACME protocol with a file (http-01) or a DNS entry (dns-01).

But a “permanent dns entry” isn’t a proof.


#3

It is actually supposed to be “automated”.

[and the details should all become irrelevant]


#4

If that is easier for you to do, you can create a CNAME record for _acme-challenge.colmena.biz and point it at _acme-challenge.abejas.colmena.biz (assuming the DNS server responsible for colmena.biz allows you to do that) - and Let’s Encrypt will happily follow the CNAME and consider the challenge valid. The only catch is that your ACME client needs to be able to request a cert for one domain while answering the challenge for another - I’m not sure if Certbot knows how to do this (anyone?) but I know acme.sh does.

edit: though I’m not sure that acme.sh supports RFC 2136 - so that might not be as useful as I thought, sorry. Looks like it does, though it calls it ‘nsupdate’. Obviously I’m not familiar with this stuff :smiley:
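As an added example (not from this thread and not the code of any ACME client or CA), the following Python models what a dns-01 validator does with the CNAME delegation described above: it derives the challenge name for the wildcard identifier, follows the CNAME from colmena.biz into the delegated abejas.colmena.biz zone, and compares the TXT value against the RFC 8555 key-authorization digest. The zone contents, token and account thumbprint are constructed placeholders.

```python
import base64
import hashlib

# Constructed placeholders: an ACME challenge token and the account key
# thumbprint as an ACME client would know them (not real values).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def dns01_expected_txt(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_auth = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(identifier: str) -> str:
    """A wildcard identifier is validated at its base name, so the '*.' is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


# Constructed in-memory zone data standing in for colmena.biz and the delegated
# abejas.colmena.biz zone: the challenge label in the parent is a CNAME into the
# delegated zone, and only the delegated zone carries the TXT record.
ZONE = {
    "_acme-challenge.colmena.biz.": [("CNAME", "_acme-challenge.abejas.colmena.biz.")],
    "_acme-challenge.abejas.colmena.biz.": [
        ("TXT", dns01_expected_txt(TOKEN, THUMBPRINT)),
        ("TXT", "some-unrelated-txt-record"),  # extra TXT records are tolerated
    ],
}


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs the way a CA's validator does, then return the TXT strings."""
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        cnames = [target for rtype, target in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # a name with a CNAME has no other data (RFC 1034)
            continue
        return [txt for rtype, txt in rrs if rtype == "TXT"]
    raise RuntimeError("CNAME chain too long")


def dns01_valid(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """True when any TXT reached via the challenge name matches the expected digest."""
    expected = dns01_expected_txt(token, thumbprint)
    return expected in resolve_txt(zone, challenge_name(identifier))
```

Because the TXT value is a digest of a fresh token and the account key, a record left in place from a previous order does not satisfy the next renewal; the client must publish a new value each time, which is what the RFC 2136 (nsupdate) hook automates.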


#5

I do appreciate the technical work of EFF and while I realize it is pretty much a party line Democrat organization, the EFF and its offshoots, as well as the Democratic Party in general, really need to lose some of the outdated Confederate rebel sympathies and deep-seated ties of racism and sexism within groups such as Computer Chaos Club (CCC) and Ku Klux Klan (KKK).

Some middle ground needs to be found between the overdone respect, civility, politeness, and servitude of the South, and the New-York- and Chicago-style “Union” mob boss carpetbagging of the Northern region of the Lower 48.

More due process of law, and less service of process under the color of law. States’ rights? Sure, the right of the people to decide some of their own affairs on a less grand scale than that of a single continent-wide or one world government.


#6

Are you running for a political office somewhere?
[grandstanding]

What does any of that have to do with any of this?
[relevance]