Wildcard certificate (Not Let's Encrypt!)

Hi Guys… showing my ignorance here and looking for assistance. I historically bought Comodo wildcard certificates for my NethServers; this was done because I had alternate servers in the same domain hosting websites or other apps. I used Comodo because I wanted a trusted certificate to avoid user aggravation and Let’s Encrypt doesn’t tick this box. NethServer seemed to initially (at face value at least) work with the wildcard cert but I have since had issues - email access from Android is crap (constantly prompting for password)… LDAP seemed to get screwed up on one server too.

I’ve just noticed in the documentation that wildcard certs are not supported on NethServer, so I’m making a face value assumption that my certificates are the cause of the problems above.

I’m looking for advice with next steps. Are there (clearly documented!) mods I can make to use wildcard certs on NethServer? I’ve seen mention of acme-dns but haven’t got my head round whether this tool is limited to Let’s Encrypt or would work with Comodo certs too?

OR

should I run like hell from wildcard certs and pay for a cert for each server (not my preference due to cost, but if that’s reality then I’ll face it)?

Bottom line is that I’m looking for a well documented foolproof route forward, although I’ll settle for some well informed pointers in the right direction!

Thanks in advance for your support
Alex

In what way does Let’s Encrypt not tick this box?

Let’s Encrypt is now trusted in almost any platform.

Wildcards are not supported only for Let’s Encrypt.
But you can replicate almost the same behavior using multiple names inside the LE certificate.
By the way, we used a wildcard certificate from StartCom for years without problems.

Just go with LE.

I don’t have further docs besides the manual (http://docs.nethserver.org/en/v7/base_system.html#server-certificate).
As long as you have x509 certificates in PEM format, you shouldn’t have any problem.

1 Like

…and has been since day 1. The only real exception is Comodo’s own Comodo Dragon browser, which is part of their ongoing and illegitimate crusade to devalue Let’s Encrypt in any way they can.

1 Like

Guys, thanks for the responses - what I’m gleaning from the above is that I should go and use Let’s Encrypt!!! This was what I originally did last year and I’m pretty sure I was getting complaints from Outlook clients about the certificate not being from a trusted source - I will give it another go though, because I was fairly new to NethServer at that point!

1 Like

Please let us know if it works for you.

In order to obtain a wildcard cert from Let’s Encrypt, you must use DNS validation. I’ve documented two different ways to do that:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

The former was written in the context of getting a cert for an internal server that isn’t directly accessible from the Internet, but the procedure is the same. If you have a compatible DNS provider, it’s the much simpler solution. If you don’t have (and aren’t able or willing to change to) a compatible DNS provider, or want a higher degree of security over your DNS records, the second method will work with pretty much any DNS host.

If you’re getting certificate errors from your clients, it’s almost always a configuration problem.

3 Likes
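One thing the thread hints at but doesn't spell out is *which* hostnames a wildcard cert actually covers compared with a multi-name (SAN) Let's Encrypt cert. The following is an added example, not code from the thread or from NethServer: it models the subjectAltName data the way Python's `ssl` module returns it from `getpeercert()` and applies the RFC 6125 wildcard rules that browsers and mail clients use, so you can see why `*.example.com` covers `mail.example.com` but not the bare `example.com` or a deeper name like `imap.mail.example.com`. The two sample certificates and the hostnames are constructed for the example.

```python
"""Which hostnames does a certificate's SAN list really cover?

Added example: sample SAN lists are constructed, shaped like the
'subjectAltName' entry of ssl.SSLSocket.getpeercert().
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName pattern covers hostname (RFC 6125 rules)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # "*" stands for exactly one label, so the label counts must agree:
    # "*.example.com" never covers "example.com" or "a.b.example.com".
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire leftmost label; partial
    # wildcards ("ma*") and wildcards in later labels are rejected.
    if any("*" in lbl and lbl != "*" for lbl in p_labels) or "*" in p_labels[1:]:
        return False
    # Refuse over-broad patterns such as "*.com".
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def san_dns_names(peercert: dict) -> list:
    """Extract the dNSName entries from a getpeercert()-style dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def covered(peercert: dict, hostname: str) -> bool:
    return any(hostname_matches(p, hostname) for p in san_dns_names(peercert))


def uncovered(peercert: dict, hostnames) -> list:
    """Hostnames that clients will reject with a name-mismatch error."""
    return [h for h in hostnames if not covered(peercert, h)]


# Constructed samples: a wildcard cert vs. a multi-name LE-style cert.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
MULTI_SAN_CERT = {"subjectAltName": (("DNS", "example.com"),
                                     ("DNS", "mail.example.com"),
                                     ("DNS", "imap.example.com"))}
SERVICES = ["example.com", "mail.example.com", "imap.example.com",
            "ldap.example.com", "imap.mail.example.com"]

if __name__ == "__main__":
    print("wildcard cert leaves uncovered:", uncovered(WILDCARD_CERT, SERVICES))
    print("multi-SAN cert leaves uncovered:", uncovered(MULTI_SAN_CERT, SERVICES))
```

Run it against the hostnames your mail and LDAP clients are actually configured with; any name in the uncovered list is a certificate-configuration mismatch rather than a trust problem with the CA.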