Let’s encrypt wildcard certificates

letsencrypt

(Евгений Копьев) #1

Let’s Encrypt has already started issuing wildcard certificates; is there an update planned?


(Dan) #2

Issuing wildcard certs requires DNS validation, which presents a few problems:

  • certbot, the “official” ACME client, which is what ships with Nethserver, doesn’t do DNS validation very well; some of the alternate clients do it quite a bit more conveniently.
  • Many DNS hosts don’t offer an API to allow for automated changes to your DNS records. Without this, you’d need to make manual changes to your DNS TXT records for every renewal.
  • Of the DNS hosts that do provide an API, they’re all different, and require different parameters and different request formats. This would make it hard, I think, to package up something that would work for most users.

DNS validation isn’t hard to do with an appropriate client and the right DNS host. Here’s something I wrote up about it:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers


(Евгений Копьев) #3

I already have a wildcard certificate for my domain (*.domen.ru), and I would like it to be put in place automatically. I have 3 domains on NethServer. I would like NethServer to be able to obtain wildcard certificates automatically, so that they can then be picked up from the vault and deployed by a host script.


(Dan) #4

I’m afraid I don’t understand what you’re saying. You want to get wildcard certs for three different domains, none of which is the domain that you’re serving with your nethserver. You then want to deploy those certs to the servers that do host those domains. Is that right?

Edit: After re-reading your post, I think it isn’t right; it rather sounds like you want a single wildcard cert for all three domains, and you want that cert to be active on your Nethserver installation. If that’s correct, the link I gave above will give the basic instructions, you’d just specify your domains differently. It’d look like this:

acme.sh --issue --dns dns_cf -d domain1.tld -d '*.domain1.tld' \
  -d domain2.tld -d '*.domain2.tld' \
  -d domain3.tld -d '*.domain3.tld' \
  --cert-file /etc/pki/tls/certs/cert.pem \
  --ca-file /etc/pki/tls/certs/chain.pem \
  --key-file /etc/pki/tls/private/privkey.pem \
  --reloadcmd "/sbin/e-smith/signal-event certificate-update"

You’d need to include both domain.tld and *.domain.tld on the cert because *.domain.tld doesn’t include domain.tld.

If your DNS is with someone other than Cloudflare, you’d need to see if they have a compatible API, and then modify the instructions accordingly.


(Евгений Копьев) #5

I know how to do it manually. I would like the same functionality in the web gui.


(Giacomo Sanchietti) #6

We currently have no plans to add DNS verification for Let’s Encrypt certificates.
But, as always, any contribution is welcome!

If you need it, I can point you to the pieces of code which need to be extended.


(Dan) #7

As I wrote above, I think this would be hard to package up for a few strong reasons. However, there’s an option that would let you host only the validation records locally. This would give a standard API on the Nethserver end, so the Neth configuration could be standardized. Some manual setup would still be needed with the main DNS host though.

Edit: The idea is that you’d run a small DNS server locally, whose purpose would only be to serve the TXT records used in DNS validation. Since you control that software, you know what its API is like. You’d publish CNAME records with your regular DNS host pointing just the validation hostname (_acme-challenge.domain, IIRC) to the Neth box. The user would need to set those CNAME records manually, but that would be a one-time thing; everything else could be packaged.
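The delegation scheme described in the post above, as an added example that is not code from this thread, from NethServer or from acme.sh. It is a minimal UDP responder that answers only TXT queries for delegated _acme-challenge names, plus a helper that lists the one-time CNAME records the user would set at the regular DNS host. It also shows the point made in post #4 about needing both domain.tld and *.domain.tld on the cert: both names validate at the same _acme-challenge.domain.tld label, so that label has to serve two TXT tokens at once during issuance. The domain names (domain1.tld, acme.neth.example), the listening port and the token values are constructed for illustration only.

```python
"""Toy DNS-01 responder for delegated _acme-challenge names.

Added example, not NethServer or acme.sh code. The regular DNS host carries
CNAMEs such as
    _acme-challenge.domain1.tld.  IN CNAME  _acme-challenge.domain1.tld.acme.neth.example.
and this process, assumed to be reachable on the Neth box, answers the TXT
lookups for the CNAME targets. Everything below is offline-testable except
serve(), which binds a UDP socket.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_IN = 1

# Constructed sample data: the delegated name for domain1.tld holds two tokens
# because "domain1.tld" and "*.domain1.tld" validate at the same label.
CHALLENGES = {
    "_acme-challenge.domain1.tld.acme.neth.example": [
        "token-for-apex",      # constructed placeholder
        "token-for-wildcard",  # constructed placeholder
    ],
}


def challenge_names(domains):
    """Unique _acme-challenge labels for a list of certificate names.
    '*.x.tld' and 'x.tld' map to the same label, so it appears once."""
    names = []
    for d in domains:
        base = d[2:] if d.startswith("*.") else d
        name = f"_acme-challenge.{base}".lower()
        if name not in names:
            names.append(name)
    return names


def cname_records(domains, target_zone):
    """One-time CNAME lines the user adds at the regular DNS host."""
    return [f"{n}. IN CNAME {n}.{target_zone}." for n in challenge_names(domains)]


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read an uncompressed name; returns (name, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype=QTYPE_TXT, txid=0x1234):
    """Build a standard recursion-desired query (what a CA resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, records):
    """Answer with every TXT token at the queried name, NXDOMAIN for unknown
    names, and an empty NOERROR (NODATA) for known names with another type."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    known = qname.lower() in records
    answers = records[qname.lower()] if known and qtype == QTYPE_TXT and qclass == QCLASS_IN else []
    rcode = 0 if known else 3
    rflags = 0x8400 | (flags & 0x0100) | rcode  # QR=1, AA=1, RD copied
    header = struct.pack("!HHHHHH", txid, rflags, 1, len(answers), 0, 0)
    body = b""
    for txt in answers:
        data = txt.encode("ascii")          # ACME tokens are short base64url
        rdata = bytes([len(data)]) + data   # TXT = length-prefixed string
        body += b"\xc0\x0c"                 # pointer to the name at offset 12
        body += struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    return header + question + body


def parse_txt_answers(resp):
    """Return (rcode, [txt strings]) from a response built above."""
    _, flags, _, ancount = struct.unpack("!HHHH", resp[:8])
    _, off = decode_name(resp, 12)
    off += 4
    txts = []
    for _ in range(ancount):
        off += 2  # compression pointer to the question name
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:
            txts.append(rdata[1:1 + rdata[0]].decode("ascii"))
    return flags & 0x000F, txts


def serve(records, host="0.0.0.0", port=5353):
    """Answer UDP queries forever; malformed packets are dropped, not fatal."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            query, peer = sock.recvfrom(512)
            try:
                resp = build_response(query, records)
            except (ValueError, IndexError, struct.error):
                continue
            if resp:
                sock.sendto(resp, peer)


if __name__ == "__main__":
    for line in cname_records(["domain1.tld", "*.domain1.tld", "domain2.tld"], "acme.neth.example"):
        print(line)
    serve(CHALLENGES)
```

A real deployment would listen on port 53, be the delegated authoritative server for acme.neth.example, and let the ACME client add and remove tokens through whatever API the local service exposes; the CNAMEs at the main DNS host never change after the first setup. acme.sh itself supports this arrangement through its `--challenge-alias` option, which tells it to publish the TXT records at the alias domain instead of the certificate's own domain.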