Wildcard SSL certificate with auto-renew

Hello

I'm about to launch a project on a VPS, but getting the SSL to work is a real stumbling stone...
This is the situation:
I have a platform with the domain example.com. On that platform an unlimited number of businesses can register themselves; after validation a business gets its own page on a subdomain.
So:
business1.example.com
business2.example.com
business3.example.com
...

Those subdomains are not registered in the DNS records. My platform code just interprets the URL as a string, takes the subdomain part, and sees if that subdomain is linked to a business by looking for it in a database table. If there is a business with that subdomain registered, an HTML template page with the data of that business is returned. If not, I return 404.

Extra difficulty: It's a Rust/Actix project using port 8080 to serve the web-application. So I need Nginx to make a reverse proxy which listens to the ports 80 and 443 and redirect it to localhost:8080. The operating system is Debian.

Now that you understand how my platform works, I need to know how to configure SSL for it somehow. I called my VPS provider and they said they can configure it, but that could get expensive. So I want to save some costs by trying it myself first, and I think it's interesting and good to learn.

These are the steps I'd take to

  • configure SSL
  • with a wildcard for every possible subdomain (subdomain is NOT known at time of configuration)
  • with Auto renew.

Certbot seems easy to use, looking at the documentation.
However, I don't think my VPS provider is supported by Certbot out of the box.

This means I need to verify my DNS manually.

I'd just start by following the certbot instructions until I get to step 9 which is "Install correct DNS plugin". Instead of installing a DNS plugin I'd follow the steps to verify my DNS manually.

I'd make the required DNS record and do the DNS challenge.

Then I'd make a cronjob to run certbot renew every 90 days.

Questions:

  • Are these steps the correct way to do it?
  • Because I have an unlimited amount of possible subdomains, won't that give a problem for validating the DNS? I hope I don't have to validate each subdomain but can just use a wildcard?
  • My VPS provider said something about a custom Acme.sh API to alter DNS records. What's up with that?

Any help would be greatly appreciated! Thanks!!

Well, in order to automate the DNS-01 challenge needed for a wildcard cert, your DNS provider needs to have a plugin for the client (such as Certbot) that you're using. But your DNS provider doesn't necessarily need to be the same company as your VPS provider. And even if your DNS provider doesn't have an API, you could delegate the challenge record to a system that does with something like acme-dns or agnos.

Well, if you're doing validation manually, then you'd need to renew the certificate manually doing the same steps every few months. I'd highly recommend finding a way to automate everything instead, though.

If you can validate example.com with DNS-01, then the wildcard cert for *.example.com covers all the subdomains, yes.

It may be that their DNS server has an API with a plugin for acme.sh but nobody has written a plugin for it for certbot. There are many ACME clients that you can use, of which certbot and acme.sh are two popular ones. I think there are more DNS plugins out there for acme.sh. (Note that acme.sh will use a different CA than Let's Encrypt by default, so you may want to switch its default CA if you end up choosing to use that client.)

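Added example, not the thread's or any poster's code: a small Python check of the coverage point above, so the hostnames the platform serves can be compared against a planned SAN list before the certificate is issued. The SAN list and hostnames are constructed; the matching rules are those of RFC 6125 (leftmost-label wildcard only), which is why the apex example.com must be requested alongside *.example.com rather than assumed to be covered by it.

```python
"""Check which hostnames a certificate's SAN list covers.

Wildcard rules follow RFC 6125 section 6.4.3 as browsers apply them: the
'*' must be the entire leftmost label and matches exactly one label, so
'*.example.com' covers 'business1.example.com' but neither the apex
'example.com' nor a deeper name like 'a.business1.example.com'.
"""
from __future__ import annotations

# Constructed SAN list (assumed, not from the thread): the names a single
# certificate requested for both the apex and the wildcard would carry.
SANS = ["example.com", "*.example.com"]


def normalize_host(host_header: str) -> str:
    """Lower-case a Host header value and drop an optional :port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):          # IPv6 literal; no DNS SAN ever matches it
        return host
    host = host.partition(":")[0]
    return host.rstrip(".")


def san_matches(san: str, host: str) -> bool:
    """True if one SAN entry (exact or leftmost-label wildcard) matches host."""
    san = san.lower()
    if not san.startswith("*."):
        return san == host
    first, _, rest = host.partition(".")
    # the wildcard must consume exactly one non-empty label, and the
    # remaining labels must equal the SAN's base name
    return bool(first) and rest == san[2:]


def covered(sans: list[str], host_header: str) -> bool:
    """True if any SAN covers the hostname taken from a Host header."""
    host = normalize_host(host_header)
    return any(san_matches(san, host) for san in sans)


def uncovered(sans: list[str], hosts: list[str]) -> list[str]:
    """Hostnames the platform serves that the planned SAN list would leave uncovered."""
    return [h for h in hosts if not covered(sans, h)]


if __name__ == "__main__":
    served = ["business1.example.com", "BUSINESS2.example.com:443",
              "www.example.com", "example.com", "a.business1.example.com"]
    print(uncovered(["*.example.com"], served))  # wildcard alone misses the apex
    print(uncovered(SANS, served))               # only the multi-level name is left
```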

I don't see how this can work over the Internet [without some specialized VPN or private DNS use ...].
You might be better off with:

example.com/business1/
example.com/business2/
example.com/business3/

Thanks for the answers all!

And @rg305 I'll add one DNS-record *.example.com which will function as a wildcard for all subdomains.
