Wildcard certificate

I have two subdomains: cloud.nicoll.ac.nz and media.nicoll.ac.nz. I have A records for each of these plus the domain nicoll.ac.nz
I have set up a reverse proxy server (apache2) for authentication purposes mainly. The proxy mediates each subdomain. These two are on separate physical servers. I want a certificate for each of the two subdomains but as they are on the same public IP, is that possible? I heard letsencrypt issued wildcard certs. Is there help or documentation for this? I already have a letsencrypt cert for media.nicoll.ac.nz. If I get a wildcard cert, would I revoke the cert for media.nicoll.ac.nz? By the way, Letsencrypt is GREAT

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: .nicoll.ac.nz

I ran this command: not applicable

It produced this output: not applicable

My web server is (include version): apache2 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Yes.

That won't be necessary.
Revoking is only for when there has been a private key compromise.
You can simply delete the cert and key and it will expire soon enough.

Please note: Wildcard certs are more difficult to obtain than regular certs.
That is because they require DNS-01 authentication, as opposed to the simpler HTTP-01 authentication.
For full automation this will require both an ACME client capable of handling the DNS challenges and a DNS Service Provider (DSP) that supports DNS zone updates via API calls.
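To make the DNS-01 requirement concrete, here is an added example (not code from the thread, and not certbot's own implementation) showing what an ACME client actually computes and publishes for a wildcard order. The tokens and the account-key thumbprint are constructed placeholders; the record name and value derivation follow RFC 8555.

```python
# Added example (not from the forum thread): how an ACME client derives the
# DNS-01 TXT records that a wildcard order requires (RFC 8555, section 8.4).
# The tokens and the account-key thumbprint below are constructed placeholders;
# a real client receives each token from the CA and computes the thumbprint
# from its own account key (RFC 7638).
import base64
import hashlib


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: str) -> str:
    """keyAuthorization = token '.' base64url(JWK thumbprint of the account key)."""
    return f"{token}.{account_thumbprint}"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT record data = base64url(SHA-256(keyAuthorization)); always 43 characters."""
    digest = hashlib.sha256(
        key_authorization(token, account_thumbprint).encode("ascii")
    ).digest()
    return b64url_nopad(digest)


def dns01_record_name(identifier: str) -> str:
    """The record is published at _acme-challenge.<domain>.

    For a wildcard identifier the leading '*.' is dropped, so '*.nicoll.ac.nz'
    and 'nicoll.ac.nz' are both validated at _acme-challenge.nicoll.ac.nz.
    Each identifier still gets its own token, so an order containing both
    needs two TXT records with different values at the same name.
    """
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier.rstrip('.')}"


def dns01_records(tokens_by_identifier: dict, account_thumbprint: str) -> list:
    """Return the (record name, TXT value) pairs an ACME client would have to
    create, via the DNS provider's API, before asking the CA to validate."""
    return [
        (dns01_record_name(ident), dns01_txt_value(token, account_thumbprint))
        for ident, token in tokens_by_identifier.items()
    ]


if __name__ == "__main__":
    # Constructed order: a wildcard plus the apex, which is what a
    # "*.nicoll.ac.nz" cert that should also cover the bare domain needs.
    constructed_tokens = {
        "*.nicoll.ac.nz": "constructed-token-for-wildcard",
        "nicoll.ac.nz": "constructed-token-for-apex",
    }
    for name, value in dns01_records(constructed_tokens, "constructed-thumbprint"):
        print(f'{name}. IN TXT "{value}"')
```

The TXT value depends on a fresh token the CA issues for every order, so each renewal needs new records rather than a one-off DNS edit; that is the reason full automation needs a client that can update the zone through the provider's API.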

Is a wildcard certificate actually necessary? If you're using just those two hostnames, why not get a single certificate on your reverse proxy for nicoll.ac.nz, cloud.nicoll.ac.nz and media.nicoll.ac.nz?

Thanks rg305.
My ISP allows unlimited edits of DNS records which I can do via an ISP provided interface. I read that a wildcard cert requires adding extra TXT entries. Does this make sense? If so, I'm pretty sure I can do that. I don't know what an ACME client is or what 'via API calls' means.

Thanks Osiris.
I'm not sure if a wildcard is necessary as I am new to reverse proxy and vhosts. I already have a letsencrypt certificate for media. Paths are provided to that certificate in the virtual host file for that server and, listening on port 443, it seems to authenticate clients without difficulty when the URL they use is https://media.nicoll.ac.nz. Is it as simple as (when I set up the cloud virtual host file) getting the same sort of certificate for cloud.nicoll.ac.nz? If so, problem solved, as long as a client using https://cloud.nicoll.ac.nz won't get an error such as 'the certificate is for media' or vice versa. I read that only wildcards work for my setup, i.e., only one public IP, but it was in a book (O'Reilly) 'Apache Cookbook', and I only discovered after buying it that it is very out of date.

The piece you've been reading might have been trying to say that you require one certificate for all hostnames on that single public IP address. But that was before Server Name Indication (SNI) was invented. SNI makes it possible for web servers with just one IP address to select the appropriate certificate out of many configured.

In any case, even without SNI a wildcard certificate is not necessary. With a limited amount of hostnames you can easily add all those hostnames into the SAN field of the certificate.

Certbot can do all those things quite easily.
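As an added example (not from the thread, and not Apache's or certbot's code), the following models the two mechanisms Osiris describes: SNI-based certificate selection on a single IP, and SAN hostname matching. It also shows the caveat that matters for this setup, namely that a wildcard `*.nicoll.ac.nz` would not cover the bare `nicoll.ac.nz`, whereas one SAN certificate listing all three names does. Certificates are represented as constructed lists of SAN names rather than parsed X.509 objects.

```python
# Added example (not from the forum thread, and not Apache's or certbot's code):
# how a TLS server with a single IP address chooses a certificate from the SNI
# hostname in the ClientHello, and which hostnames a certificate's SAN list
# covers. Certificates are modelled as constructed lists of SAN names; a real
# server reads them from the X.509 subjectAltName extension.


def san_matches(san_name: str, hostname: str) -> bool:
    """Match one SAN dNSName against a requested hostname (RFC 6125 rules).

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    leftmost label and matches exactly one label, so '*.nicoll.ac.nz' covers
    'cloud.nicoll.ac.nz' but neither 'nicoll.ac.nz' nor 'a.b.nicoll.ac.nz'.
    """
    san_name = san_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "" in hostname.split("."):
        return False
    if san_name == hostname:
        return True
    if not san_name.startswith("*."):
        return False
    san_labels = san_name.split(".")
    host_labels = hostname.split(".")
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def cert_covers(san_names: list, hostname: str) -> bool:
    """True if any SAN entry in the certificate matches the hostname."""
    return any(san_matches(n, hostname) for n in san_names)


def select_certificate(configured: list, sni_hostname: str):
    """SNI selection: return the label of the first configured certificate whose
    SAN list covers the requested name, or None. None is the case where a
    browser would get the server's default certificate and complain that it
    was issued for a different hostname."""
    for label, san_names in configured:
        if cert_covers(san_names, sni_hostname):
            return label
    return None


# Constructed certificate inventories for the thread's hostnames.
MEDIA_ONLY = ["media.nicoll.ac.nz"]  # the cert the poster already has
COMBINED_SAN = ["nicoll.ac.nz", "cloud.nicoll.ac.nz", "media.nicoll.ac.nz"]
WILDCARD = ["*.nicoll.ac.nz"]  # note: does not cover the apex nicoll.ac.nz


def coverage_report(configured: list, hostnames: list) -> dict:
    """Map each requested hostname to the certificate SNI would pick for it."""
    return {h: select_certificate(configured, h) for h in hostnames}


if __name__ == "__main__":
    requests = ["nicoll.ac.nz", "cloud.nicoll.ac.nz", "media.nicoll.ac.nz"]
    print("only the existing media cert:", coverage_report([("media", MEDIA_ONLY)], requests))
    print("one SAN cert for all three:  ", coverage_report([("combined", COMBINED_SAN)], requests))
    print("wildcard only:               ", coverage_report([("wildcard", WILDCARD)], requests))
```

In practice the combined case corresponds to a single certbot run with several `-d` flags (for example `certbot --apache -d nicoll.ac.nz -d cloud.nicoll.ac.nz -d media.nicoll.ac.nz`), after which each `<VirtualHost *:443>` with its own `ServerName` can point at the same certificate files and Apache selects the vhost by SNI.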

This is a great relief! I will look into how I add the hostnames (only two likely at the moment) into the SAN field of the certificate. I will have a good look at the man page/README of letsencrypt. You have been very helpful. I'm off now to donate!

Note that Let's Encrypt accepts up to 100 hostnames in a single certificate :wink:

Having to manually add/remove DNS entries (every 60-90 days) doesn't allow for automation.
So, it doesn't make sense to me.