Wildcard domains (*.example.com) #52
Comments
|
You can already use wildcards, just give CertMagic a domain like |
|
@mholt this does not work for ondemand certificates |
|
Can you be more specific about what you need then? |
|
Also, what is your use case for on-demand TLS with wildcard certificates? |
|
@mholt I think the use case can be summarized like this:
Practical examples:
In both cases there are two major considerations:
Potentially, adding a function |
|
@DSpeichert Thanks, let me bounce back some thoughts on that:
Using Let's Encrypt at least, this is an impractical scenario for wildcard certificates, because getting a wildcard from Let's Encrypt requires the DNS challenge. So if customers are in charge of their own domains, you can't configure the DNS challenge. It remains to be seen what requirements are from other ACME CAs regarding wildcard certs.
Assuming in this scenario, you are in control of the domains? Or not? I ask about whether you're in control of the domains or know about them, because if you are, it is very easy to tell CertMagic to manage wildcards: Am willing to add a feature of some sort, but need to be convinced of the need for it first. Further clarity and specifics would be helpful. |
Let me try to clarify the example. In this scenario, for the SaaS provider hosts (or controls) the DNS servers that the domain name should be parked on. However, it does not own the domain. Throughout the signup process, a customer is asked to point the NS records for the domain name to be the DNS servers of the SaaS provider. Therefore, the SaaS provider can then complete the challenge for DNS-based wildcard certificate validation. However, the timing of that is uncertain for the SaaS provider. They need to be ready the moment the domain is actually "live" (pointed at their DNS) but that may never happen (customers change their mind). That's where the on-demand functionality offered by certmagic fits very well - an incoming request asking for a certificate for a given domain name is a pretty good indication that the DNS change has propagated and the SaaS provider indeed (in this example) controls DNS. Thanks for mentioning Having an on-demand option with a whitelist of allowed domain names is just like ManageAsync with delayed fuse to avoid hitting limits on open validations with e.g. Let's Encrypt. Naturally, the problem of verifying whether the app actually can control DNS could be shifted to the app and only after positive verification would the app call |
|
What if the DNS challenge takes an hour to complete? (This is not uncommon.) |
|
That would be equally bad as waiting an hour for a DNS challenge that will never actually succeed (as a result of I guess the desired outcome, to answer your question, would be to simply behave as if I would understand if you deem this problem too specific to accommodate in the library by default. |
No, because with on-demand that waiting happens in the foreground. (I think we actually terminate it after a couple of minutes because a client is waiting to finish the connection. That might even be too long as-is.) In the current setup, it all happens in the background, all the meanwhile falling back to a staging environment that doesn't count against your rate limits.
Maybe a better solution is to poll DNS or something?
We just need to find a workable solution before implementing it. |
Would like to have wildcard domain support, right now certificates are issued for every subdomain i.e
1234.example.com
43443.example.com
have separate certificates.
We should create 1 certificate with *.example.com, and use it instead for every subdomain.
This would be helpful for services which serve subdomains.
Can start working on this if i have your ok @mholt
The text was updated successfully, but these errors were encountered: