I’ve tried to issue a wildcard certificate for hostip.dev
I ran this command:
certbot certonly --manual -d *.hostip.dev -d hostip.dev --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
When I check with openssl, it looks like a non-wildcard certificate has been issued:
echo | openssl s_client -connect abcd.hostip.dev:443 2>/dev/null | grep hostip.dev
0 s:CN = hostip.dev
subject=CN = hostip.dev
I’d expect to see *.hostip.dev if the certificate was a wildcard.
Additionally, as you would expect, curl does not recognise the certificate as valid for a random subdomain:
curl https://abcd.hostip.dev
curl: (60) SSL: no alternative certificate subject name matches target host name 'abcd.hostip.dev'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Here's the output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: service.hostip.dev
Domains: service.hostip.dev hostip.dev
Expiry Date: 2020-08-16 09:06:08+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/service.hostip.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/service.hostip.dev/privkey.pem
This same certificate keeps getting issued to me, even if I purge certbot, delete /etc/letsencrypt (Ubuntu 20.04, apt-get purge certbot) then reinstall it.
Actually what you might find is Netlify requested a letsencrypt wildcard certificate on my behalf. However, they have no export function (at least none I could find from googling). I set up Netlify back in April.
I only intended the Netlify certificate to be for my static website (https://hostip.dev)
Now I'd like to use other subdomains for my back end APIs, so I'm trying to get my own wildcard certificate that I can use for multiple subdomains and plug into my nginx server.
If there's a file or directory named service.hostip.dev in the current directory, your shell will expand *.hostip.dev to service.hostip.dev. Quote or escape it to prevent that.
Don't issue too many duplicate certificates.
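The glob expansion described in the reply above, reproduced as an added example (not code posted in this thread). It builds a scratch directory containing a folder named service.hostip.dev, then shows what a program such as certbot actually receives as its -d argument when *.hostip.dev is passed unquoted, single-quoted, or backslash-escaped. The function names and the scratch directory are constructed for this example; nothing here contacts Let's Encrypt.

```shell
#!/bin/sh
# Added example: how an unquoted "*.hostip.dev" argument is rewritten by the
# shell before the command ever sees it. Names below are constructed.

# Stand-in for the called program: it just reports the first argument it got,
# which is what certbot would see after "-d".
first_arg() { printf '%s\n' "$1"; }

# Constructed scenario: a working directory that holds a project folder whose
# name happens to match the wildcard pattern.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/service.hostip.dev"
trap 'rm -rf "$demo_dir"' EXIT

# Unquoted: the shell performs pathname expansion in the current directory,
# so the matching folder name replaces the pattern.
expand_unquoted() { ( cd "$demo_dir" && first_arg *.hostip.dev ); }

# Single-quoted: the pattern is passed through literally.
expand_quoted() { ( cd "$demo_dir" && first_arg '*.hostip.dev' ); }

# Backslash-escaped: the same effect as quoting.
expand_escaped() { ( cd "$demo_dir" && first_arg \*.hostip.dev ); }

# Unquoted but with globbing disabled for the subshell (set -f): also literal.
expand_noglob() { ( cd "$demo_dir" && set -f && first_arg *.hostip.dev ); }

# Sanity check a caller can apply before running the real command: a
# wildcard request must start with a literal "*.".
is_wildcard() {
    case "$1" in
        \*.*) return 0 ;;
        *)    return 1 ;;
    esac
}

echo "unquoted : $(expand_unquoted)"   # service.hostip.dev
echo "quoted   : $(expand_quoted)"     # *.hostip.dev
echo "escaped  : $(expand_escaped)"    # *.hostip.dev
echo "noglob   : $(expand_noglob)"     # *.hostip.dev

if is_wildcard "$(expand_unquoted)"; then
    echo "unquoted form is still a wildcard request"
else
    echo "unquoted form was expanded to a filename: certbot would issue a non-wildcard cert"
fi
```

The failure is silent because a shell leaves a pattern untouched when nothing in the current directory matches it, so the same command line works from one directory and misbehaves from another. Quoting the pattern, or running with `set -f` for that invocation, makes the result independent of where the command is run; the "Domains:" line in certbot's own summary is the place to confirm that a literal `*.hostip.dev` was actually requested before the certificate is used.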
Ah. Sure, that makes sense. For what it's worth, unless you have tons of subdomains, you don't really need a wildcard certificate. Often just listing all of the names works fine.
This was the problem. I had my API code in my home folder under that name. So I quoted the host, which got me a valid wildcard certificate.
I'm planning to allow people (via a new tool I'm building) to serve websites from localhost under custom/randomly generated subdomains, so in my case there probably will be a lot of subdomains over time, most of which I won't know about in advance.