Use Let's Encrypt to support HTTPS #35

Closed
fregante opened this issue Jul 26, 2019 · 6 comments

Comments

@fregante

With the current configuration, it redirects any subdomain to https://twitter.com/fregante.

* CNAME twitter.com.opts-slash.fregante.opts-https.redirect.center

It works when visiting HTTP URLs (example using httpie):

❯ http http://wildcard.bfred.it
HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Content-Length: 62
Content-Type: text/plain; charset=utf-8
Date: Fri, 26 Jul 2019 11:00:31 GMT
Location: https://twitter.com/fregante
Vary: Accept
X-Powered-By: Express

Moved Permanently. Redirecting to https://twitter.com/fregante

But it doesn't when the URL is already HTTPS:

❯ http https://wildcard.bfred.it
http: error: Request timed out (30s).

Nowadays this can be done via Let's Encrypt, at least for requests following the first one (since it might take more than a few seconds to validate the domain).

@spinnerich

spinnerich commented Aug 18, 2019

Great idea because without https it's unusable for me!

@twieren

twieren commented Aug 26, 2019

Same problem here, http redirect works fine, https does not work.

@udleinati
Owner

Unfortunately, redirecting using HTTPS doesn't work because redirect.center needs the certificate for each domain; using DNS only, it's not possible. I might create this possibility in the future, but it needs to be a different project and might have some costs.

@theel0ja
Contributor

theel0ja commented Sep 26, 2019

My experimental instance at https://redirect.lelux.fi/ supports HTTPS (uploading scripts & HAProxy config soon).

It generates certificates (using certbot) & deploys the certificates to my HAProxy instance automatically uses Caddy on-demand TLS, triggered from loading the domain in a browser.

About A records:
If you can, please use CNAME flattening/ANAME/ALIAS records in a situation where you can't use CNAMEs (such as apex/"naked" domains) if your DNS provider supports them (Cloudflare/Gandi/DnsMadeEasy/Namecheap/etc. do). If you can't, set an A record.

Please do not point wildcards though, as it would get me rate-limited by LE's API when many of those subdomains are accessed by some scanner bots.

And most of the subdomains would not work before a cert has been generated, so users would only get TLS connection errors, which would degrade the experience.

@theel0ja
Contributor

theel0ja commented May 11, 2020

Code available here:

https://github.com/theel0ja/redirect.center-cert-ask

Uses Caddy for on-demand HTTPS and a PHP script to validate the CNAME (optional).
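
As an added illustration of the CNAME check that comment describes (this is example code, not the redirect.center-cert-ask project's own script): a minimal Caddy `on_demand_tls` `ask` endpoint that only permits certificate issuance when the requested domain's CNAME chain ends at the redirect service, so arbitrary third-party domains pointed at the host cannot burn through the Let's Encrypt rate limits mentioned above. Caddy calls `GET /?domain=<name>` and treats 200 as allow and any other status as deny; the service suffix, port 5555, and the dnspython-based live resolver are assumptions for this example.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumed hostname suffix of the redirect service (placeholder for a real deployment).
SERVICE_SUFFIX = ".redirect.center"
MAX_HOPS = 5  # refuse CNAME chains longer than this (also catches loops)
# One DNS label: 1-63 chars, alphanumerics or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def valid_hostname(domain):
    """Accept only a plain FQDN: no wildcards, no empty labels, no junk."""
    labels = domain.rstrip(".").lower().split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)

def final_cname(domain, resolve_cname):
    """Follow CNAMEs via resolve_cname(name) -> target or None; return the
    chain's last target, or None if the name has no CNAME at all."""
    name, target = domain.lower().rstrip("."), None
    for _ in range(MAX_HOPS):
        nxt = resolve_cname(name)
        if nxt is None:
            return target
        name = target = nxt.lower().rstrip(".")
    return None  # too long or looping: treat as not delegated to us

def allowed(domain, resolve_cname):
    """True only if the domain is well-formed and CNAMEd to the service."""
    if not valid_hostname(domain):
        return False
    target = final_cname(domain, resolve_cname)
    return target is not None and target.endswith(SERVICE_SUFFIX)

def dns_cname(name):
    """Live resolver via dnspython (assumed installed); None when no CNAME."""
    import dns.resolver  # lazy import so the policy logic runs offline in tests
    try:
        return str(dns.resolver.resolve(name, "CNAME")[0].target)
    except Exception:
        return None

class AskHandler(BaseHTTPRequestHandler):
    """Caddy calls GET /?domain=<name>; 200 permits issuance, 403 denies it."""
    def do_GET(self):
        domain = parse_qs(urlparse(self.path).query).get("domain", [""])[0]
        self.send_response(200 if allowed(domain, dns_cname) else 403)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```

Point Caddy at it with the global option `on_demand_tls { ask http://127.0.0.1:5555/ }`; the A-record case from the earlier comment (apex domains without CNAME) would need an additional address comparison, which this check deliberately does not attempt.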

@tmackay-cenet

tmackay-cenet commented Jul 9, 2020

We can frontend with nginx to add HTTPS. Let's Encrypt also supports wildcard domains, which seem to work with the browsers I have tried. If the hostname is redirect.center, obtain a certificate for *.center to cover all subdomains. I have also successfully frontended with AWS CloudFront using a wildcard alternate domain.

#!/bin/bash
set -euo pipefail

sudo apt-get install -y nginx python3-certbot-nginx

# Wildcard cert requires DNS validation (can be scripted using https://github.com/acmesh-official/acme.sh).
# The wildcard is quoted so the shell does not glob-expand it against the current directory.
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d '*.center' --agree-tos --email bob@example.com --manual --preferred-challenges dns-01 certonly

# The quoted heredoc delimiter ('EOT') keeps nginx's $host from being expanded (to nothing) by the shell,
# and sudo tee is needed because a plain > redirect would run as the unprivileged user.
sudo tee /etc/nginx/sites-available/default > /dev/null <<'EOT'
server {
  listen 80;
  server_name redirect.center;
  location / {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:3000;
  }
}
server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/center/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/center/privkey.pem;
  server_name redirect.center;
  location / {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:3000;
  }
}
EOT

# Validate the config before restarting so a typo does not take the redirector offline.
sudo nginx -t && sudo systemctl restart nginx

Edit: I probably should mention this assumes all your redirect domains will share a common parent domain, as ours do, e.g. test.center in this case.

@fregante fregante closed this as completed Oct 8, 2020