Wildcard subdomain on apache as well as wildcard certificate from lets encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.bithouz.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version):

~$ apache2 -v
Server version: Apache/2.4.39 (Ubuntu)
Server built:   2019-04-02T20:30:26

The operating system my web server runs on is (include version):

~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.2 LTS
Release:	18.04
Codename:	bionic

~$ uname -r
4.15.0-48-generic

My hosting provider, if applicable, is:

linode.com

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): None Yet (N/A).

I have a few little questions and one bigger one, if that is ok? I've never done this before and networking is by far my weakest subject.

1: Is it possible to get a wildcard certificate with a wildcard subdomain - can this combination exist?

2: How do I know if this (or any other option) is the right option for me? In other words - how do I determine what my needs are if all I know is how I want my site layout?

In my case I need bithouz.com, engage.bithouz.com, and develop.bithouz.com

3: A detailed, understandable how-to that will literally walk me (an idiot) through the steps?

In summary, I need to be sure that wildcard subdomain + wildcard certificate is what I really want for my situation. If not, then I need to determine what complete set(s) of options do fit my situation and which is best. Then, I was hoping to find a how-to specific to what I'm doing and the stuff I'm working with (e.g. linode, ubuntu 18.04, apache, etc).

Thanks in advance for any assistance. I do appreciate it.

Jake

I have to confess that I don't quite understand what you mean by that. If what you want is a certificate for bithouz.com and *.bithouz.com, that is any subdomain such as foo.bithouz.com, baz.bithouz.com, engage.bithouz.com, develop.bithouz.com, and so on, yes, a wildcard certificate will do that. A wildcard certificate is ideal for a developer wanting to sell personal sites under their own site. It's also better if you want to secure different IP addresses under the same domain.

OTOH, if you know that you will probably not need other names than the ones you said in your post and that they are all classic subdomains (i.e. using SNI) on a single server, a wildcard certificate is a bit more complex than a vanilla HTTP-01 (using the web protocol to declare each server separately).

First of all, you will not be able to use the simpler certbot-auto. You will have to either use third-party software, or use a packaged certbot for your distro, using a PPA for example for Ubuntu, a 'solution' that can cause trouble sometimes.
Then you will have to interact with your DNS server. Something that may be possible - there are a lot of plugins for different providers - but you will probably have to get an API key from your provider and configure your ACME software to use it. Sometimes providers are fast and competent and can help newbies, sometimes less so.

When stuff is complex, it's difficult to get both at the same time... if the how-to is easy to understand for a non-specialist, that's because it skips the bad stuff.


Hi @jfines

First you should read the basics.

And the FAQ.

Then check the challenge types:

If you have only three domains, a wildcard is a little bit too big. @gpatel-fr has listed some limitations.

If you know these things, then select a client.

What is a Wildcard DNS record?

A wildcard DNS record is a record that answers DNS requests for subdomains you haven't already defined. You can create them for A records and CNAME records by entering an asterisk (*) in the host field.

So a wildcard subdomain in DNS is not the same as a wildcard certificate. Hence the question about combining them.

There is also a component to configure in apache for wildcard subdomains to work.

So configuring Apache and DNS records to have wildcard domain names served up is one thing. Then there's the wildcard certificate (i.e. letsencrypt in my case).

My question was kinda 2 parts (considering everything included in the question)...

1: Is the combination possible?
2: How to perform it using letsencrypt and the rest of my existing toolchain?

Thanks
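The distinction raised above (a wildcard DNS record versus a wildcard certificate, and which names like engage.bithouz.com or foo.bithouz.com each one covers) can be made concrete. The following is an added example, not code from this thread, from Certbot or from Let's Encrypt; the zone contents, the SAN list and the addresses are constructed, and the matching rules modelled are RFC 4592 (DNS wildcards) and RFC 6125 (certificate name matching):

```python
"""Why a wildcard DNS record and a wildcard certificate differ: a DNS wildcard
answers for any depth of labels below the zone name, while a certificate
wildcard matches exactly one label. Zone and SAN list are constructed."""

# Constructed wildcard DNS zone: apex, one explicit host, and a wildcard.
ZONE = {
    "bithouz.com": "203.0.113.10",        # RFC 5737 documentation address
    "engage.bithouz.com": "203.0.113.10",
    "*.bithouz.com": "203.0.113.10",
}
# Constructed SAN list of the kind of certificate the thread discusses.
SANS = ["bithouz.com", "*.bithouz.com"]

def dns_lookup(zone: dict, name: str):
    """Address the zone answers for `name` (RFC 4592 rules), or None (NXDOMAIN)."""
    name = name.lower().rstrip(".")
    if name in zone:                        # an exact match always wins
        return zone[name]
    # Every owner name and each of its ancestors exists (empty non-terminals too).
    existing = set()
    for owner in zone:
        labels = owner.split(".")
        existing.update(".".join(labels[i:]) for i in range(len(labels)))
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:            # the closest encloser decides
            return zone.get("*." + ancestor)  # its wildcard, or NXDOMAIN
    return None

def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125: '*' must be the whole left-most label and covers ONE label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix, host = san.split(".")[1:], hostname.split(".")
    return len(host) == len(suffix) + 1 and host[1:] == suffix

def cert_covers(sans: list, hostname: str) -> bool:
    return any(san_matches(s, hostname) for s in sans)

def coverage_gaps(zone: dict, sans: list, names: list) -> list:
    """Names the wildcard DNS record answers for but the certificate does not
    cover: clients reach the server and then reject its certificate."""
    return [n for n in names if dns_lookup(zone, n) is not None
            and not cert_covers(sans, n)]
```

Note that `*.bithouz.com` alone does not cover the bare `bithouz.com`, which is why the apex name is requested as a second SAN.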

I'm guessing, based on the flavor of the responses, that it is possible to do so with letsencrypt? In other words, it isn't prohibited or impossible, right?

– The first hurdle

Thanks

For DNS wildcard support, check with your provider.
For DNS provider compatibility with the certbot API, take a look at the repository; look out for the certbot-dns-* directories.

If these 'hurdles' don't exist (if they do, you have to change provider and/or buy a classic certificate), you can try to install the certbot client from the PPA, preferably in a container: since PPAs have a nasty habit of wrecking system dependencies, in a dedicated container it's a no-risk operation. As I said, certbot-auto is out if you have to use DNS support, and that is the case.

The LXD container system works great on Ubuntu and has a very good support forum if you run into problems (for a default install and a vanilla container it's very unlikely you will get problems).

I can't be sure that a wildcard certificate will work in your specific case, but I see no reason why not.


If this is what I THINK it is, I'm blown away:

I'm running a linode instance to serve my site, but I'm also using apache on that instance.

Am I understanding this correctly? certbot comes in different flavors (so to say) and the one for linode (linked above) just has added support for linode? And, should I expect it to work with apache to auto-generate a conf file for me?

Thanks

Unfortunately it seems that the PPA doesn't include linode currently. So the only way is the Docker way. I have absolutely no idea how to integrate certbot in Docker with a web server (shudder...). Even if the Linode plugin is included in the PPA at some point, I'd not recommend using PPAs on a production server. I don't know about using Docker on production servers; I know for a fact that quite a few people prefer to use Docker inside containers (that would not make web server integration any easier, I'm afraid...)

Don't forget that Certbot isn't your only option.

acme.sh, Lego, etc. are perfectly capable of supporting Linode DNS-01 out of the box.

It'd be more accurate to say that certbot has a variety of add-on scripts to support certain DNS providers, and what you link to is one of them. In general, though, certbot is a sub-optimal client if you're using DNS validation; you'd be better served with something like (as @_az mentioned) acme.sh.
