Let's Encrypt: Wildcard Certificate With Certbot

heddi.nabbisen on May 04, 2019

* The cover image is originally by OpenClipart-Vectors and edited with great appreciation. Introduction Let's Encrypt supports wildc... [Read Full]
markdown guide

Would recommend using it along with acme-dns to get auto renewals working. If you use --manual, you'll have to manually renew the certificates every three months. You could use the API provider by your DNS provider (if supported by certbot or acme.sh), but it's not as secure as using acme-dns.


Thank you so much, Daniel.
I've found the problem in my solution owing to your advice.
The manual renewal requires a new TXT record every three months:
Nice Go OSS ๐Ÿ˜†

I updated my post.
Thank you, again!


Just curious. What is your use case for needing a wildcard cert?


Running different servers. Like www. domain and domain as web servers and jabber.domain and domain as jabber servers.
For instance.


You really shouldn't mix/combine the security of completely different services (thats what a certificate is - service identity) in a single certificate. The proper solution is to up the automation surrounding your service's build process to include the asynchronous process of obtaining a certificate for each service.

If you need multiple hostnames for the same certificate (AND KEYPAIR), you should be using SAN certificates, not wildcards.

If you need multiple endpoints with the same DNS hostname, you make that a common SAN across multiple certs for each individual TLS endpoint.

As a follow-up, IMO, the only valid use case for wild card certs is for self-contained private PKIs usedd internally with external certs for the exposed service endpoints. An example would be a private mini-CA dedicated (and trusted) only for inter-node internal connections within the cluster.

Dear MichaelKing1832
Thank you for your description and follow-up.
I'm so grateful to you ๐Ÿ™‚
I'll learn and get experienced much more...

Hey MichaelKing1832,

Do you have a reference source link for your statement: "You really shouldn't mix/combine the security of completely different services (thats what a certificate is - service identity) in a single certificate."

In a blog post of mine I want to link to your comment here but, also link to an official document/RFC.

Thanks a lot - and thanks heddi.nabbisen for this post!


On my home server, I route a variety of different outward facing apps to different sub domains, itโ€™s much easier for friends and family to remember app.domain.tld.


I am going to use it as an example ๐Ÿ˜„


I have a white label app that uses a subdomain to distinguish different brands - "coke.app.com" "pepsi.app.com" etc. Needs a wildcard cert to secure them all so we can add new subdomains whenever we want and not get ssl errors.


The main shortcoming of LetsEncrypt is that it's faster to renew my certificates than it is to write a CRON job to do it every three months, so years later I'm still doing them all manually


That seems more your shortcoming.
;) It isnt that hard to write such a cronjob, is it?


Certbot, the primary acme client, does this out of the box.


Not at all! But it's even less hard to not write one

Actually, I update manually now, too. Haha ๐Ÿ˜†
certbot renew is useful.
Well, I'll add a simple cron job in the near future, although automatic renewal without any writing is also my ideal... ๐Ÿ™‚


I would recommend using acme.sh script instead of certbot. Way less dependencies and way easier.

I wrote about it on my blog. (just search for plantroon blog if you're interested)


certbot is in the repository of most Linux distros... At least on Debian you can simply apt install certbot so it's actually easier to install than acme.sh is :)

Both are good options though!


That's true. But acme.sh is just one script to download, you don't really have to install it. I keep it in ~/.local/bin or /usr/local/bin on my systems. You need to supply hook scripts though, but that is required for Certbot too.


Thank you, Jakub, for your good information.
I found that (perhaps):
I haven't ever known of it since you told me ๐Ÿ˜€


Thank you for your good information.
While I use OpenBSD servers and thus am unfamiliar with using docker, it seems to enable us almost anything โ˜บ๏ธ

code of conduct - report abuse