Richard Bucker

Wildcard Certificates or Not

Posted at — Nov 9, 2021

I am ever grateful for Let's Encrypt and ACME services. They have made my life so much simpler. Even though I could pass the expense of commercially issued certs on to my customers, getting them issued was a pain to execute, there were always weird quirks, and there were so many ways to fail.

Initially, one could only request certificates for subdomains individually. That meant the admin had to route requests for a specific path (/.well-known/acme-challenge/&lt;token&gt;) to a handler that served a token: the callback Let's Encrypt used to ensure that the requester actually controlled the host. Every relevant subdomain therefore had to exist on the nameserver, and the well-known path had to be reachable on each server, too. This challenge type is called HTTP-01.

In 2018 Let's Encrypt (with ACME v2) started issuing wildcard certs. A wildcard cert such as *.example.com covers any single-label subdomain, so the same key and cert can be copied to every server in your farm and each of them will present a valid identity under that domain. Note what it does not cover: the apex example.com itself, and deeper names such as a.b.example.com. HTTP-01 is not accepted for wildcard names, because proving control of one host does not prove control of the whole domain. The ACME protocol therefore defines the DNS-01 challenge, which requires placing a TXT record at _acme-challenge.example.com. Automating that means the ACME client running on your server (not Let's Encrypt; the CA never touches your DNS) must hold an API credential for your DNS provider, which is only practical with providers that expose an API, such as DigitalOcean, AWS Route 53 or Cloudflare. Many of those APIs only hand out account-wide tokens that can modify every record in every zone, and that token then sits on the web server that does the renewal. It should be clear why this is a bad idea, especially when the DNS is hosted by a third-party service. If you must use DNS-01, use a token scoped to a single zone where the provider supports it, or delegate _acme-challenge via a CNAME to a separate zone that holds nothing but challenge records.
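To make the difference between the two challenges concrete, here is an added example (written for this page, not code from Let's Encrypt, certbot or any ACME client) that computes what the CA actually looks for in each case, following RFC 8555 and RFC 7638: the key authorization is the token joined with the JWK thumbprint of the account key; HTTP-01 expects that string as the body at /.well-known/acme-challenge/&lt;token&gt;, while DNS-01 expects the base64url SHA-256 of it in a TXT record at _acme-challenge.&lt;domain&gt;. The account key (DEMO_JWK, whose "n" is a placeholder rather than a real RSA modulus), the token and the "served" responses are all constructed here so the validation runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demonstration account key: "n" is a placeholder, not a real RSA modulus.
# The thumbprint algorithm does not care, which is the point of the demo.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-just-for-the-hash"}
# Constructed challenge token, in the shape the CA hands out (base64url, no padding).
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without trailing '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the key's required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path_and_body(token: str, jwk: dict) -> tuple[str, str]:
    """What the web server for the name must serve for HTTP-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_name_and_txt(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """What the zone must contain for DNS-01. A wildcard *.example.com is
    validated at the same record as example.com, i.e. the '*.' is dropped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def validate_http01(served_body: str, token: str, jwk: dict) -> bool:
    """CA side: fetch the path, ignore trailing whitespace, compare in constant time."""
    expected = key_authorization(token, jwk).encode("ascii")
    return hmac.compare_digest(served_body.rstrip(" \t\r\n").encode("utf-8"), expected)


def validate_dns01(txt_records: list[str], identifier: str, token: str, jwk: dict) -> bool:
    """CA side: any TXT record at _acme-challenge.<base> may carry the value."""
    _, expected = dns01_name_and_txt(identifier, token, jwk)
    exp = expected.encode("ascii")
    return any(hmac.compare_digest(r.encode("utf-8"), exp) for r in txt_records)


def allowed_challenges(identifier: str) -> list[str]:
    """Let's Encrypt's policy: a wildcard identifier can only be validated with dns-01."""
    if identifier.startswith("*."):
        return ["dns-01"]
    return ["http-01", "dns-01", "tls-alpn-01"]


if __name__ == "__main__":
    for ident in ("www.example.com", "*.example.com"):
        print(ident, "->", allowed_challenges(ident))
    path, body = http01_path_and_body(DEMO_TOKEN, DEMO_JWK)
    print("HTTP-01 serve", path, "with body", body)
    name, txt = dns01_name_and_txt("*.example.com", DEMO_TOKEN, DEMO_JWK)
    print("DNS-01 publish", name, "TXT", txt)
    # Constructed responses: one correct, one with a stray character, one zone without the record.
    print("http ok:", validate_http01(body + "\n", DEMO_TOKEN, DEMO_JWK))
    print("http bad:", validate_http01(body + "x", DEMO_TOKEN, DEMO_JWK))
    print("dns ok:", validate_dns01(["v=spf1 -all", txt], "*.example.com", DEMO_TOKEN, DEMO_JWK))
    print("dns bad:", validate_dns01(["v=spf1 -all"], "*.example.com", DEMO_TOKEN, DEMO_JWK))
```

The asymmetry the post describes is visible in what each validator needs: HTTP-01 only needs a file on one host, so the client never needs a credential beyond write access to that host's document root, whereas DNS-01 needs a write to the zone, and whoever can write that record can obtain a certificate for the name.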

So the question is “to wildcard or not to wildcard”?

In hindsight I believe I was mistaken to support wildcards. I think in the old days I was concerned about the naked domain and routing my projects appropriately (some browsers do not display the protocol, or the subdomain when it is www). But also:

So stay away from wildcards.
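Before deciding, it helps to see exactly which names a wildcard does and does not cover, since that scope is both the convenience and the blast radius. The following is an added example (not code from the post or from any TLS library) implementing the RFC 6125 / CA/Browser Forum wildcard rule: the asterisk must be the whole leftmost label, it matches exactly one label, and it never matches the apex. The certificate name list and the hostnames are constructed for illustration.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    Rules applied (RFC 6125 section 6.4.3 as tightened by the CA/B Forum):
      - comparison is case-insensitive, trailing dots ignored
      - '*' is only valid as the entire leftmost label ('w*.example.com' is rejected)
      - '*' must be followed by at least two labels ('*.com' is rejected)
      - '*' matches exactly one label, so '*.example.com' covers 'www.example.com'
        but neither 'example.com' nor 'a.b.example.com'
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname  # plain SAN: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False  # '*.com' or bare '*' would cover a whole TLD
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # the wildcard stands in for one non-empty label
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """For each hostname, whether any name on the certificate covers it."""
    return {h: any(hostname_matches(n, h) for n in cert_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed example: a wildcard cert that also lists the apex as a SAN,
    # which is the usual way to cover the naked domain alongside '*'.
    cert = ["*.example.com", "example.com"]
    hosts = ["example.com", "api.example.com", "x.api.example.com", "example.org"]
    for host, ok in covered_by(cert, hosts).items():
        print(f"{host:22s} {'covered' if ok else 'NOT covered'}")
```

Every host that presents the wildcard shares its private key, so `covered_by` also enumerates which names an attacker can impersonate after stealing that key from any one of those servers; with per-host certificates the same theft only affects the names on that host's certificate.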