A san cert for the following works (I used to have one like the following)
*.sub1.domain1.com
*.sub2.domain1.com
*.domain1.com
domain1.com
*.sub1.domain2.com
*.sub2.domain2.com
*.domain2.com
domain2.com
So, it can do multiple domains and do multiple wildcards in the cert but it cannot do one like the following.
*.*.domain1.com
I can provide the cert if you'd like proof
edit: blockquotes
1 Like
jsha
July 7, 2017, 7:04pm
44
Yep, this will work the same way as domainA.com and domainB.com in the same certificate works today.
Yep.
Eventually, yes. We still need to do the implementation work. For now, if you want to try out the v2 API, you can try our testbed server, Pebble.
1 Like
akaro
July 8, 2017, 1:43am
45
yes, please at first for 180 days. hopefully !!
I'm in no way related to Let's Encrypt, but I believe the 90-day expiration was a very deliberate decision, and I wouldn't expect it to change. I feel your pain, I'm stuck maintaining a cert on GoDaddy shared hosting for a nonprofit I support. This means I have to paste the cert into cPanel every few months because GoDaddy shared hosting doesn't support automated renewals. It's somewhat unpleasant, but even so, I appreciate the 90-day validity period. Maintaining that quarterly is a really small price to pay.
2 Likes
schoen
July 8, 2017, 6:23pm
47
There is a very long thread about the certificate lifetime issue, starting back in 2015.
Please take any discussions about that aspect over to that thread.
3 Likes
Oh hot damn! That's great news, great great great news in Let's Encrypt secure socket layer developments!
schoen
July 12, 2017, 10:54pm
49
Glad you're excited about them! By next year, maybe we can think of them as transport layer security developments.
Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting pre-existing network applications with security measures.
4 Likes
Nothing but the best for a faster, more secure world wide web!
this actually adds more work
if you choose a random subdomain you still have to create a DNS record for it so it can point to a web server to pass the HTTP challenge
so if you are going to update the DNS wouldn't it be easier to do it once?
Andrei
this was discussed earlier on in the chain
BFeely
July 16, 2017, 2:08am
53
Will ECDSA certificates be supported in wildcard at launch too?
Also, is there any word about launching a full EC CA?
You can get EC Certificates from Let's Encrypt currently
Are you talking about an EC Intermediate?
Andrei
BFeely
July 16, 2017, 2:26am
55
First question is whether EC certificate support will continue with wildcard support.
Second question is in fact when EC intermediate/root will be rolled out.
pfg
July 16, 2017, 1:23pm
56
ECDSA support is unrelated to wildcard issuance. There is no reason why wildcards would be limited to RSA.
Dedicated ECDSA roots and intermediates are scheduled for "Before September 1, 2017", according to the Upcoming Features page.
1 Like
Of course, DNS CAA issuewild will be respected, right?
You create a wildcard DNS entry once, then use that to do whatever HTTP validation.
In a lot of contexts (e.g., shared web hosting) it's much easier to manipulate a web server than DNS.
BFeely
July 18, 2017, 7:39am
59
I see no reason why it shouldn't as CAA operates at the domain name level, at the same level as all your other DNS records.
Reading through the thread, will SAN be supported?
Although it's often mistakenly thought of as an alias, actually SANs (Subject Alternative Names) are a mandatory feature of all modern certificates in the Web PKI. So yes, as far as Let's Encrypt is concerned a wildcard is just another SAN dnsName it will add to your cert if you prove control over the name and you will be able to have up to 100 of them in a cert or mix and match with ordinary fully qualified domain names.
1 Like
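The naming rules discussed in this thread (a wildcard is one SAN dnsName among up to 100, and `*.*.domain1.com` is not accepted), as an added example that is not part of any post and is not Let's Encrypt's code. The function names are hypothetical, and the matcher assumes the usual RFC 6125 behaviour in which `*` stands for exactly one label.

```python
import re

MAX_SANS = 100  # per-certificate name limit quoted in the post above
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample: the SAN list from the first post in this thread.
FIRST_POST_SANS = [
    "*.sub1.domain1.com", "*.sub2.domain1.com", "*.domain1.com", "domain1.com",
    "*.sub1.domain2.com", "*.sub2.domain2.com", "*.domain2.com", "domain2.com",
]

def check_san(name):
    """Return None if `name` is an acceptable dnsName, else a reason string."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]  # one wildcard, as the whole leftmost label
    if len(labels) < 2:
        return "needs at least a domain and a TLD"
    for label in labels:
        if "*" in label:
            return "wildcard must be the whole leftmost label, used once"
        if not LABEL.fullmatch(label):
            return "invalid DNS label: %r" % label
    return None

def check_san_list(names):
    """Map each rejected name to its reason; '<list>' flags an oversized list."""
    problems = {n: r for n in names if (r := check_san(n))}
    if len(names) > MAX_SANS:
        problems["<list>"] = "more than %d names" % MAX_SANS
    return problems

def matches(san, host):
    """True if `host` is covered by `san`; '*' covers exactly one label."""
    san_l = san.lower().split(".")
    host_l = host.lower().rstrip(".").split(".")
    if len(san_l) != len(host_l):
        return False
    if san_l[0] == "*":
        return san_l[1:] == host_l[1:]
    return san_l == host_l

if __name__ == "__main__":
    print(check_san_list(FIRST_POST_SANS + ["*.*.domain1.com"]))
    for host in ("domain1.com", "www.domain1.com", "a.sub1.domain1.com",
                 "a.b.sub1.domain1.com", "x.sub3.domain2.com"):
        print(host, any(matches(s, host) for s in FIRST_POST_SANS))
```

Because `*` covers one label only, `*.domain1.com` does not cover `domain1.com` or `a.sub1.domain1.com`, which is why the certificate in the first post lists each level separately.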
cpu
Split this topic
August 9, 2017, 1:11pm
62
A post was split to a new topic: ACME v2 Beta Access?