Hi all,

Let's Encrypt releases wildcard support


There are a few catches, though:

- Wildcard LE certificates are only available if ACMEv2 protocol is used
during the certificate request. We use "certbot", which (in theory)
supports ACMEv2, but the BlueOnyx GUI currently uses it via ACMEv1
protocol at this time.

- DNS-01 verification is a must for Wildcard certificates. Means: A
special TXT DNS record must be set up for the verification of a Wildcard
LE cert. If you use BlueOnyx for DNS we can of course automate that. If
you don't? Then you have to do it manually. But that also means that
auto-renewal for certs is unpractical if you use an external DNS server.
Which sort of sucks.

Also: A typical reason to use Wildcard certs is because you have one
certificate that you install on multiple servers and/or multiple Vsites
of the same domain name.

The short validity of the LE wildcard certs (90 days - like regular LE
certificates as well) and the manual hassle involved with deploying and
renewing that LE wildcard cert to all boxes or Vsites that need it make
it sort of impractical. It's rather more practical to use standard LE
certs everywhere and just turn on auto-renewal and be done with it.

However: I'll be implementing ACMEv2 and (optional) Wildcard LE support
into BlueOnyx. It just doesn't get immediate attention due to other
(more universally useful) enhancements that in the works.

With best regards

Michael Stauber
Blueonyx mailing list

Reply via email to