Wildcard certificates - DNS zone file

Help
1

Does LE support wildcard certificates?
As a prerequisite I understand that I need a specially crafted zone file to allow this.

$ORIGIN mydomain.org.
$TTL 86400
; SOA Records
@               IN      SOA     ns1.first-ns.de. dns.hetzner.com. 2023060606 14400 1800 604800 86400
; NS Records
@               IN      NS      ns1.first-ns.de.
@               IN      NS      robotns2.second-ns.de.
@               IN      NS      robotns3.second-ns.com.
; MX Records
@               IN      MX      10 mail
; A Records
@               IN      A       123.203.111.43
localhost               IN      A       127.0.0.1
mail            IN      A       123.203.111.43
www             IN      A       123.203.111.43
; CNAME Records
cms             IN      CNAME   www
ftp             IN      CNAME   www
imap            IN      CNAME   www
loopback                IN      CNAME   localhost
msg             IN      CNAME   www
pop             IN      CNAME   www
relay           IN      CNAME   www
smtp            IN      CNAME   www
; TXT Records
@               IN      TXT     "v=spf1 mx ip4:123.203.111.43 ~all"

How would this zone file have to be modified to support wildcard domains?
Do I have to specify any host that I'm about to support or can I just rely that
an arbitrary hostname like

foo.mydomain.org
bar.mydomain.org 
typo.mydomain.org

will be served?

2

Itʼs a bit more involved. Have a look at this articleʼs description of DNS-01 challenge type and let us know if something is not quite clear in it:

4 Likes
3

If your question is how to configure a zone with a wildcard record, you should ask this in another forum, like Server Fault.

For creating a wildcard certificate, it's doesn't really matter how your zone looks. You can use a plugin like certbot-dns-hetzner or certbot-dns-multi to create the certificate (assuming Hetzner is your domain's DNS host).

8 Likes
4

Yes.

Not exactly...
Where did you read/learn this?

5 Likes
5

To get issue certificates containing wildcard domain names one needs to use the DNS-01 challenge of the Challenge Types - Let's Encrypt.
DNS providers who easily integrate with Let's Encrypt DNS validation

1 Like
6

For creating a wildcard certificate, it's doesn't really matter how your zone looks. You can use a plugin like certbot-dns-hetzner or certbot-dns-multi to create the certificate (assuming Hetzner is your domain's DNS host).

When I already have a multi domain LE cert containing some distinct domain names plus a bunch of other domainnames, like

mydomain.org
www.mydomain.org
imap.mydomain.org
someother1-domain.net
someother2-domain.net

that means that I first have to delete that MD cert. Can I then combine the wildcard certs with these someother[12]-domain.net ones?

7

You don't have to delete your old certificates, at least not until you've created a new one and tested that it works.

But yes, you can mix and match any combination of wildcards and non-wildcards across different domains on a single certificate (as long as they are not redundant, i.e. you can't have imap.mydomain.org and *.mydomain.org on the same certificate, because the former is made redundant by the latter).

4 Likes
8

Check
https://si.okiefrog.org/
Look in the "howto" document for ideas and a working example

3 Likes
10

In short: Yes; You can "merge" the names onto a new cert.
[staying within the 100 SAN entry limit]
Automating it may be complicated - if the ACME client isn't able to combine different challenge types in the same order OR if more than one wildcard is used and they require distinct DNS plugins.

That said, you might be able to do the whole validation manually - but that is not recommended.
So, in each case, it depends on the ACME client/version and the DSPs in use.

Also, why do you need to only use one cert?

3 Likes
11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.