Do you support Wildcard Subdomain #66

Closed
gremdev opened this Issue Nov 23, 2014 · 69 comments

gremdev commented Nov 23, 2014

[Moderator's note: If you'd like to express your support for wildcard issuance, please hit 'like' on this thread on the community forum rather than opening an issue.]

Hi, I have a question. Does Let's Encrypt support wildcard subdomain or just the main domain/www only? Thanks.

bdaehlie commented Nov 23, 2014

We have not decided whether or not to support wildcards yet. Support for wildcards will most likely not be part of our initial offering.

jbiel commented Jan 6, 2015

+1. We make use of wildcard certs in lots of places and this would be very useful to us. They help us reduce our administrative overhead by simply installing one cert rather than one for each hostname.

Contributor

jdkasten commented Jan 6, 2015

@jbiel If it helps, we will support names with multiple Subject Alternative Names (SANs or UCC certificates in the CA nomenclature) at launch. This would allow you to simply specify your names ahead of time and get a single certificate for all of them.

This does create a hassle when you do add a new subdomain, but hopefully the 30 second process shouldn't be that large of a problem.

jbiel commented Jan 6, 2015

@jdkasten - thanks. I certainly can't complain about whatever decision is made (these certs are free after all!) However, changing a cert is not a 30 second process for everyone. Deployment architectures can be very complex and spread across many servers/technologies (ELBs, haproxy (which needs to be restarted), etc.) I can see how changing the certificate on a single development server would be very quick, but changing SSL certs isn't something I look forward to in any case. :)

lbadger commented Feb 26, 2015

+1 to support wildcard certs!

rcc26 commented Feb 26, 2015

As far as I know wildcard support is not implemented and won't be.

Lance Badger notifications@github.com wrote on Thu, 26/02/2015 at 17:59:

> +1 to support wildcard certs!

coe-jeubanks commented Apr 8, 2015

Hi everyone, before you make the final decision on this topic, I hope you'll consider a real world example where wildcard certs are more than a convenience. In IIS, only one certificate can be specified for a site (which runs from a single folder). If a CMS in that IIS site folder serves multiple subdomains, then a wildcard certificate is required in order to secure all of them.

So without wildcard certificate support, that class of customer (my organization included) would be unable to use letsencrypt. Thanks for your consideration of this feature! I'm really looking forward to seeing how it all comes together, especially from a Windows perspective.

Contributor

diracdeltas commented Apr 8, 2015

@coe-jeubanks Thanks for the info. Please see letsencrypt/acme-spec#64 and letsencrypt/acme-spec#97 for the current wildcard discussion.

mscreenie commented Jun 27, 2015

Definitely need wildcard certs. It will reduce sys admins workloads.

pls spoderman.

blieque commented Jun 28, 2015

I'll chime in, with a familiar tone. Wildcard certificates would make life much easier.

oliverjanik commented Jul 14, 2015

@coe-jeubanks You can have multiple certs in IIS if you enable SNI

uakfdotb commented Aug 8, 2015

Wildcard certificates are also necessary for websites that use the subdomain to generate dynamic content. For example https://onion.to

ghost commented Aug 12, 2015

+1

NurdTurd commented Aug 12, 2015

+1

mesouug commented Aug 16, 2015

+1

mjbrownie commented Aug 19, 2015

+1

lewie commented Aug 19, 2015

+1

AustinPaquette commented Aug 19, 2015

+5

sam3d commented Aug 25, 2015

+1

As someone who works with changing virtual hosts a lot (in a Heroku-like scenario) having wildcard subdomains would be absolutely incredible!

frederich commented Sep 1, 2015

+1

tvvocold commented Sep 1, 2015

+1

pinki commented Sep 11, 2015

+1

Contributor

jdkasten commented Sep 11, 2015

This is the client code repo. Policy discussions should be had elsewhere.

https://community.letsencrypt.org/t/please-support-wildcard-certificates/258

Some other work and discussion...
letsencrypt/acme-spec#97

NGenesis commented Sep 17, 2015

+1

carras commented Sep 21, 2015

+1

lewie commented Oct 27, 2015

Sorry, but you FranBar did not understand what a real desert is, or to hope stay the only seller of water in desert? ;-)

Self-signed certificates are no option for anybody it is a crutch from air.
To become a little more safety is an initiative like letsencrypt and all and you know this exactly.

ghost commented Oct 27, 2015

With the desert simile not intended to criticize the project, only anger with wildcard +1.

I do not care if they are certified in one kind or another, but we need a fast, simple and free system to encrypt the traffic, including wildcards, the current situation is anachronistic.

HLFH commented Oct 27, 2015

.@angristan and I are also adding with anger our +2.

Image of Yaktocat

@jmhodges You just have to reopen this issue if you're extremely aware...

ghost commented Oct 28, 2015

So angry can even affect your health.

angristan commented Oct 28, 2015

I'm not as angry as my name would let you think, but I add of course my +1. Generating a certificate for each subdomain is such a pain... It would be a great feature for Let's Encrypt. At this point, does it even support subdomains?

rcc26 commented Oct 28, 2015

Why are we even still discussing wildcard? This is already free, get your contempt down. It's sad when people don't understand the problem of using wildcard and keep bashing about it just because they are too lazy to build their own (sub)domain records which considers laziness over security.

Angristan notifications@github.com wrote on Wed, 28 Oct 2015 08:55:

> I'm not as angry as my name would let you think, but I add of course my +1. Generating a certificate for each subdomain is such a pain... It would be a great feature for Let's Encrypt. At this point, does it even support subdomains?

angristan commented Oct 28, 2015

Why do wildcards exist then?

oliverjanik commented Nov 2, 2015

@rcc26 Where can I get free wildcard certs accepted by all major browsers? For environments like ELB on AWS you can only have one ssl cert per ELB. Wildcards solve real problems people have.

svennek commented Nov 3, 2015

Actually the (open source) web-platform sandstorm (http://sandstorm.io) NEEDS wildcard to run, else it will be completely unprotected...

ccatlett2000 commented Nov 10, 2015

@rcc26 As others have said, some services mint wildcards on the fly, and therefore need wildcard support. Some of these services cannot afford to wait 30 seconds when a new subdomain is accessed. In example, https://onion.to uses subdomains as input.

Some applications of wildcards aren't laziness but legitimate design decisions.

In relation to wildcards, +1

ducktype commented Nov 10, 2015

+1

kyrylkov commented Nov 11, 2015

+1

Wildcard certs are required by IBM Bluemix - Only wildcard certificates are supported by Bluemix

https://developer.ibm.com/bluemix/2014/09/28/ssl-certificates-bluemix-custom-domains/

hyusetiawan commented Nov 13, 2015

considering that wildcard costs a lot more from commercial CAs, it would be very beneficial for us to have it.

s0r00t commented Nov 14, 2015

+1
Wildcards are expensive, and it would be very useful for a lot of tools, such as ngrok, or YunoHost.

chmduquesne commented Nov 15, 2015

+1

I use 26 domain names in my lighttpd.conf, and I am glad this is the only file I have to maintain. I would like to keep it that way.

mloffer commented Nov 16, 2015

+1

VarunAgw commented Nov 16, 2015

+1. StartSSL already offers a free SSL certificate. Single domain certificate in general are not very costly either. But currently there is no way to get a wildcard certificate for cheap.

TheAmeliaDeWitt commented Nov 17, 2015

I want to say that I totally understand not implementing wildcard subdomains at the moment, you need to focus on the general product first, but please AS SOON AS POSSIBLE.
I too have similar issues of needing to add a subdomain at a moment's notice, while it was previously suggested to rerun the script each time you need to add a subdomain, I want to point out this is NOT an option because I just received my beta invite and according to it, each domain and subdomain needs to be whitelisted explicitly, one can't just whitelist the TLD and expect all subdomains to whitelist. So now I'm disappointed because I have to resubmit my beta request with all my current subdomains and resubmit a beta request for each subdomain I add in the future, so now I'm waiting a few weeks again.

njb-said commented Nov 17, 2015

@ChioriGreene I am in exactly the same position as you and second your comment 👍

TheAmeliaDeWitt commented Nov 17, 2015

@njb-said I did just see the announcement that Public Beta is coming December 3rd, so this should remedy the Beta Invite problem unless that is they still require whitelisting in one way or other.

VarunAgw commented Nov 17, 2015

Letsencrypt will be in public beta soon so I think white-listing sub-domain will be instant after that.

https://letsencrypt.org/2015/11/12/public-beta-timing.html

Yamakaky commented Nov 17, 2015

Don't close the issue, it's not solved.

ukkpower commented Nov 23, 2015

+1

elpado commented Nov 24, 2015

+1

GodMod commented Nov 28, 2015

+1

smarek commented Nov 28, 2015

+1

NHellFire commented Nov 29, 2015

It'd be good to have wildcard certificates. One of my sites, subdomains are dynamically generated.. currently there's ~220 in use. I could script it to get a new certificate when a new subdomain is requested.. but that leaves some issues, neither of which I like.
I'd have to either..
a) One cert for all subdomains, which then means there's a list of the ones in use.
or b) One cert per subdomain and a script to generate a huge config file.
Either way the subdomain is left without a valid certificate for couple minutes.
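
The trade-off raised above by jdkasten (one certificate listing several SANs) and NHellFire (dynamically created subdomains), as an added example that is not part of the thread or of the Let's Encrypt client: it checks which hostnames a SAN-list certificate and a wildcard certificate cover, and which names each one discloses. The `example.com` names are constructed, and the matching is a simplified form of RFC 6125 (whole left-most label only), which is an assumption of this sketch.

```python
# Added example: which hostnames a multi-name (SAN) certificate and a
# wildcard certificate cover. All names below are constructed.

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if certificate dNSName `pattern` covers `hostname`.

    Simplified RFC 6125 matching (assumption for this example): '*' is
    honoured only as the whole left-most label, stands for exactly one
    label, and needs at least two fixed labels after it.
    """
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if "*" in "".join(p[1:]):
        return False              # wildcard outside the left-most label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards (f*.example.com) rejected
    return p == h

def uncovered_hosts(san_list, hostnames):
    """Hostnames that no entry of the certificate's SAN list covers."""
    return [h for h in hostnames
            if not any(name_matches(s, h) for s in san_list)]

def disclosed_names(san_list):
    """Concrete hostnames anyone can read out of the certificate."""
    return [s for s in san_list if "*" not in s]

SAN_CERT = ["example.com", "www.example.com", "app1.example.com"]
WILDCARD_CERT = ["*.example.com"]
HOSTS = ["example.com", "www.example.com", "app1.example.com",
         "app2.example.com",        # subdomain created after issuance
         "a.b.example.com"]         # two labels below the zone

if __name__ == "__main__":
    for label, cert in (("SAN list", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, "uncovered:", uncovered_hosts(cert, HOSTS),
              "disclosed:", disclosed_names(cert))
```

The wildcard entry covers the new subdomain without reissuance but not the bare domain or deeper names, so those still need their own SAN entries.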

zaninime commented Nov 29, 2015

+1

@certbot certbot locked and limited conversation to collaborators Nov 30, 2015

Contributor

jmhodges commented Nov 30, 2015

Hey, folks, thanks for the input! We're super aware of this feature request. Wildcard support is highly desirable for us, too! However, doing domain validation for wildcard certificates is not currently in the ACME spec because it's a hard problem. We want to get it right in Let's Encrypt, right in the ACME spec, and, currently, we're swamped in work getting Let's Encrypt ramped up for the Public Beta on December 3rd and the General Availability release some time after that.

I've locked this discussion to keep it from spamming and confusing folks. If you'd like to express your support for wildcard certificates, please like the thread on the community site. Thanks, y'all!
