Lego: Wildcard certificates for http01 challenge

Created on 14 Jul 2020 · 5 comments · Source: go-acme/lego

Hi Team,

As per the doc, I have seen it's not possible to generate wildcard certificates for http01 challenge. Can you kindly let me know if this is possible by creating wildcard dns records and then create wildcard certificates? This is very important for us

$ cat thermeon.com.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: thermeon.com
  namespace: thermeon-webs-gateway
spec:
  acme:
    config:
    - http01:
        ingress: thermeon-webs-gateway
      domains:
      - '*.thermeon.com.au'
      - '*.thermeon.com'
      - 'thermeon.com'
      - '*.thermeon.eu'
  commonName: 'thermeon.com'
  dnsNames:
  - '*.thermeon.com.au'
  - '*.thermeon.com'
  - 'thermeon.com'
  - '*.thermeon.eu'
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-production
  secretName: thermeon-tls

Thanks,
Suv

question

All 5 comments

Hello,

certmanager is not lego.

To get wildcard certificates, you have to use the DNS-01 challenge; it is related to the nature of this challenge.
It's not a lego limitation; it's related to the specification of this challenge and to Let's Encrypt policies.

So it's impossible for all the ACME Let's Encrypt clients to get a wildcard certificate without the DNS-01 challenge.

> So it's impossible for all the ACME clients to get a wildcard certificate without the DNS-01 challenge.

I believe it is possible that an ACME CA could choose to issue wildcard certificates with a challenge mechanism other than DNS-01 (_though I don't know of any that exist!_). The link between the two is Let's Encrypt specific policy and not a product of the specification.

I never thought that a server implementing ACME that is also a domain provider could, for the domains it manages, use the TLS-ALPN-01 or HTTP-01 challenges to produce a wildcard certificate.
It's a bit tortuous, but it's a possibility.

Thanks for the precision :+1:

Thanks @ldez and @cpu for your prompt response.

Can you kindly guide us on how to produce a wildcard certificate with the http01 challenge for the YAML below? What do we need to do?

$ cat thermeon.com.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: thermeon.com
  namespace: thermeon-webs-gateway
spec:
  acme:
    config:
    - http01:
        ingress: thermeon-webs-gateway
      domains:
      - '*.thermeon.com.au'
      - '*.thermeon.com'
      - 'thermeon.com'
      - '*.thermeon.eu'
  commonName: 'thermeon.com'
  dnsNames:
  - '*.thermeon.com.au'
  - '*.thermeon.com'
  - 'thermeon.com'
  - '*.thermeon.eu'
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-production
  secretName: thermeon-tls

@suvsap once again:

  • currently, with Let's Encrypt it's not possible to use HTTP-01 to create a wildcard certificate.
  • lego is not certmanager; please open an issue on the right repository: https://github.com/jetstack/cert-manager
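The answers above say that a wildcard name can only be validated with DNS-01, and the mechanics show why: a DNS-01 challenge is answered by a TXT record at `_acme-challenge.<domain>`, and for a wildcard identifier the `*.` prefix is dropped before that name is formed, so `*.example.com` is proved at exactly the same record as `example.com` (RFC 8555 §8.4); HTTP-01 and TLS-ALPN-01 have no such record, they need a concrete host to connect to. The following Go program is an added example written for this page, not code from lego or cert-manager. It computes the account-key thumbprint (RFC 7638), the key authorization (RFC 8555 §8.1) and the DNS-01 record name and value for both the base domain and the wildcard, using a throwaway key and a constructed token; a real token comes from the CA's challenge object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url encoding ACME uses throughout (RFC 8555 §6.1).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// JWKThumbprintP256 computes the RFC 7638 thumbprint of a P-256 public key:
// SHA-256 over the canonical JSON of the required members (crv, kty, x, y)
// in lexicographic order with no whitespace, then base64url-encoded.
func JWKThumbprintP256(pub *ecdsa.PublicKey) string {
	// Coordinates are left-padded to the curve size, 32 bytes (RFC 7518 §6.2.1.2).
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	canonical := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(x), b64(y))
	sum := sha256.Sum256([]byte(canonical))
	return b64(sum[:])
}

// KeyAuthorization joins the challenge token issued by the CA with the
// account key thumbprint (RFC 8555 §8.1). It binds the proof to this account.
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// DNS01Record returns the TXT record name (as an FQDN) and value that satisfy
// a DNS-01 challenge for the given identifier (RFC 8555 §8.4). A wildcard
// identifier has its "*." prefix removed first, so "*.example.com" and
// "example.com" are both proved at "_acme-challenge.example.com.".
func DNS01Record(identifier, keyAuthorization string) (fqdn, value string) {
	base := strings.TrimPrefix(identifier, "*.")
	fqdn = "_acme-challenge." + base + "."
	sum := sha256.Sum256([]byte(keyAuthorization))
	return fqdn, b64(sum[:])
}

func main() {
	// Constructed inputs: a throwaway account key and a made-up token
	// (assumption for this example; not values from the issue above).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	keyAuth := KeyAuthorization(token, JWKThumbprintP256(&key.PublicKey))

	// Both identifiers resolve to the same record; one TXT entry answers both.
	for _, id := range []string{"example.com", "*.example.com"} {
		fqdn, val := DNS01Record(id, keyAuth)
		fmt.Printf("%-16s -> %s TXT %q\n", id, fqdn, val)
	}
}
```

With the lego CLI the same record is published for you through a DNS provider API, for example `lego --email you@example.com --dns <provider> -d '*.example.com' -d example.com run`; the provider name and the e-mail address are placeholders here. Note that when a base domain and its wildcard appear in one order, the CA issues two authorizations that happen to share a record name, so the client must be able to hold two TXT values at that name at once (or serialise them); lego's DNS providers handle that for you, but a hand-rolled hook must not overwrite the first value with the second.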