Richard Bucker

Certbot Acme Client Wildcard Domain Letsencrypt

Posted at — Sep 13, 2021

I am/was a firm believer in a wildcard domain. Back in the days prior to Let's Encrypt you would have to pay big money for an SSL cert… and then there was the expiration date and all the nasty bits that follow. In the DevOps world there was little validation. 15 years ago I built a data vault that required that certs be refreshed once a year if not once every 3 years. The problem with this was that the documentation I created was terrible, although it improved year over year… but every year there was a danger that the vault would totally fail… as it did at least once. (this was truly an SD-HSM)

With the advent of Let’s Encrypt and the EFF’s Acme client many of these challenges have been buffed out.

All is not rainbows and unicorns. A “Challenge” is a protocol defined by LE that specifies how LE will verify that you are who you say you are. The two most popular are HTTP and DNS. The HTTP challenge means that your DNS must resolve to your server and that you have an HTTP(s) path that resolves to a well-defined static path. The ACME/Certbot client will create some files in that folder and notify the LE server, which in turn fetches the file as proof of ownership for each subdomain. The HTTP challenge does not support wildcard domains.

The DNS challenge means that you need access to your DNS server and you need to hand those credentials over to certbot, which then performs a similar task; this time, however, it creates TXT records on the DNS server.

There are a number of problems here…

So here I am… I have nearly 20 domains that I manage. I registered them with Google Domains and moved them to DigitalOcean. Now I’m starting to learn that D.O. uses OpenStack and frankly I’ve asked some questions that customer service seems incapable of answering. Now, because I have my DNS hosted at DO, I have to spend weeks moving everything around and reconfiguring my certbot configuration. I suppose DNS-Challenge would be better if I owned my own nameservers, but that has its own challenges too. More moving parts and more interdependence.

So the plan is to move from DNS-Challenge to HTTP-Challenge and determine whether I can share the same folder for each subdomain, assuming they are resolved serially and not in parallel.
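As an added illustration (my code, not the author's and not certbot's), the following Python simulates both sides of the HTTP-01 exchange described above, plus the DNS-01 TXT value for comparison: the challenge file is named after the per-challenge token and holds the key authorization (RFC 8555 and RFC 7638), so one shared webroot can serve every subdomain even when several challenges are outstanding at once. The account JWK, domain names and webroot are constructed placeholders, and the "CA" reads the file from disk instead of fetching it over HTTP.

```python
import base64, hashlib, json, os, re, secrets, tempfile

# Constructed, non-functional RSA JWK standing in for the certbot account key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: the proof is token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def publish_http01(webroot: str, token: str, jwk: dict) -> str:
    """Client side of HTTP-01: write the key authorization under the shared webroot."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):   # a token must never escape the directory
        raise ValueError("token is not base64url")
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    key_auth = key_authorization(token, jwk)
    with open(os.path.join(directory, token), "w") as fh:   # served at /.well-known/acme-challenge/<token>
        fh.write(key_auth)
    return key_auth

def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 (RFC 8555 s8.4): TXT at _acme-challenge.<domain> = base64url(SHA-256(keyAuth))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def ca_validate_http01(webroot: str, token: str, jwk: dict) -> bool:
    """CA side: fetch the token file and compare it with the key authorization it expects."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        served = fh.read().rstrip()   # the CA tolerates trailing whitespace
    return secrets.compare_digest(served, key_authorization(token, jwk))

def simulate_shared_webroot(domains, jwk: dict, webroot: str = "") -> dict:
    """Challenge every domain into ONE webroot before validating any of them (the parallel case)."""
    webroot = webroot or tempfile.mkdtemp(prefix="acme-webroot-")
    tokens = {d: b64url(secrets.token_bytes(32)) for d in domains}   # one random token per challenge
    for token in tokens.values():
        publish_http01(webroot, token, jwk)
    return {d: ca_validate_http01(webroot, t, jwk) for d, t in tokens.items()}
```

Because every file name is a fresh 32-byte token, the shared folder works whether the subdomains are validated serially or in parallel; what does have to hold is that every subdomain's vhost serves that one directory.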