Wildcard certificates and HTTP challenge

Today, to obtain a wildcard certificate it is necessary to use the DNS challenge because it is necessary to prove that you are the owner of the main domain and all the possible domains covered by the wildcard certificate. However, the DNS challenge cannot be easily automated.
I would like to propose an alternative and understand if it is feasible.
In the case of a Wildcard and HTTP challenge, Let’s Encrypt may ask to check N + 1 domains, N random and 1 the main one. For example if N were 3 and I wanted to get a wildcard certificate for the domain example.ext, Let’s Encrypt could ask me to verify these domains:

the random nature of the domains and the number of required domains should actually guarantee the generation of the certificate.


It often can be. It depends on your DNS service.

Even when it's difficult to set up, it's usually easy enough to use after that.

1 Like

Hi @maxmayer

there are some older topics with the same idea:

So I don't think Letsencrypt will change that.

With many DNS hosts (acme.sh supports over 50 at last count), it's very easy indeed to automate. With other DNS hosts, acme-dns remains an option. Initial setup takes a bit of doing, but (as @mnordhoff says) once set up, ongoing usage is quite simple.

If you think of a generic service that allows users to enter their domains, it becomes really difficult to use the DNS challenge because you should ask all users to use a DNS with APIs that the service recognizes or to configure an interface for the challenge. For personal use it makes sense, but in this scenario it is very difficult to use the DNS challenge.

In more complex scenarios it is very difficult to impose DNS servers with APIs.

Thanks for the links to the other topics.

In more complex scenarios it can be worth the time to set up acme-dns. For example, if you're hosting sites for customers who control their own DNS, you can operate your own acme-dns server and tell them what CNAME records they need to create up-front. Those won't change; they only need to be set once. You can then handle the validation using your acme-dns instance.

I doubt Let's Encrypt is going to change their position on this, though I'm not at all involved with that decision. But if you can lay out the "more complex scenarios" you have in mind, we may be able to come up with an alternative method.

In a complex scenario you have many users who decide to set up a domain / subdomain to use with your service. It is very likely that they will not want to change the DNS servers as they can have a separate and independent management. So the idea of creating a custom DNS server for Let’s Encrypt certificates does not completely solve the problem, many users will continue to use their DNS servers. In any case, with renewals, the DNS record for the challenge must be changed, so automatic renewal is not feasible because it would require user intervention in any case. If instead you manage the domain for the user, the HTTP challenge is much easier to manage because the user changes the specific DNS to make the domain be managed by your servers. This is the most generic and at the same time the most complex scenario.

That's not a problem, that's my situation.

I have a web database service (the "check-your-website" is one subdomain). If a customer wants to use the web database with his own domain name, he creates a subdomain

special-subdomain.customerdomain.de -> CNAME server-daten.de

then I am able to create a certificate with that domain name.

There is no wildcard required -> http validation is enough.

And I can only create a certificate with this domain name, not with the main domain name of that customer.

1 Like

...and they don't need to in the scenario I'm proposing. Suppose you're Guugle and running a Guugle Apps instance for your customer at apps.theirdomain.com. They already set up a DNS CNAME record of apps.theirdomain.com CNAME apps.yourdomain.com, which they have to do for you to host that subdomain. Then they'd set a second record of _acme-challenge.apps.theirdomain.com CNAME 32f5274d-51e3-466d-bf38-eb9980e7bcf3.auth.yourdomain.com (with you generating the UUID and giving it to them). Your acme-dns instance handles the rest.

They are specific, not general cases.

Not always a web server serves ALL subdomains.
This accident may fall into the subdomains mail pop3 imap smtp and others that do not have their own virtual host on the web server.

Why not create a CAA or TXT record that the domain administrator has allowed * a certificate to be issued to someone who confirms ownership of this or that subdomain or domain (@).

When creating a wildcard using the http-01 method, le turns to the DNS and reads a specific CAA or TXT record where it is reported, which subdomain or subdomains must be owned in order to register a wildcard certificate.

If the record is not found or not specified, then le refuses to register using the http-01 method.

Everything is simple, clear and predictable and safe.

Why can’t you just do it like this?

I’m not looking for a solution, I’m just suggesting a possible alternative.

Automation is, as others described, tricky - depending on your DNS provider. If you have full control over your infra, and wants something fun to do, it is not rocket science.

I was able to automate the entire process, including the usage of custom private keys, while requesting both RSA and EC certificates, interfacing with a BIND server (hint: rndc), clearing up TLSA DNS entries for DANE verification, touching web and email servers (both SMTP and IMAP), and many external systems sharing the same wildcard, from routers and switches and wireless controllers, to a multitude of other third party tools.

The only actions I need to take is to read the notification email the new certificates were deployed and plan the power cycle the equipment that cannot change the certificate on the fly.

So yes, you might feel it is complex. That’s why some of us like it.

Honestly speaking, it is the first time I post on this community, but I can’t say that I was positively impressed, quite the contrary. As I have already explained my (good) intentions were to suggest a possible improvement (the post is classified as “Feature Requests”), not to have solutions. I thank everyone for the answers, always appreciated, but they are almost all decidedly off-topic.

And what did you expect? That was requested many times now and with the same and better arguments than yours. The LE stuff explained in older threads why this will not be supported, so would you have preferred that a mod writes no and closes the thread?

Here I perceived a fundamental problem, if I make a proposal it is because I think I can contribute to improving something that I think is worth spending my time, not for other reasons. What did I expect? A discussion focused on the proposal (it’s always a “Feature requests”, not a “Help”), but what did I get? Information I know, things I’ve already implemented and explored. In short, in the end I believe my contribution is useless for this community.

Thank you all for taking the time to respond.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.