wildcard-dns-certs.txt
On Obtaining Wildcard DNS Certs
-------------------------------
Sat Jan 1 23:56:53 EST 2022

NOTE: I *DO NOT* recommend following this advice in its current
form. I wanted to document it for my future self though, so here
goes.

I run a small site where I want a wildcard cert so that I can
cover non-public domains. In other words, if the site is
example.com, I want *.example.com so that things like
irc.example.com will have a valid cert even though the IP is
internal-only (behind wireguard).

Normally, I use acme-client(1) since it's in base OpenBSD and
works great... but to get a wildcard cert it seems necessary to
do a DNS challenge, which isn't supported.

While I'm sure there are many BETTER ways to do this, I had success
manually obtaining a cert like so, which, in its own right, is
interesting to document since it says something about the
process:

# uacme issue example.com *.example.com
uacme: challenge=dns-01 ident=example.com token=TOKEN key_auth=KEY
uacme: type 'y' followed by a newline to accept challenge, anything else to skip
y
uacme: challenge=http-01 ident=example.com token=TOKEN key_auth=KEY
uacme: type 'y' followed by a newline to accept challenge, anything else to skip
y

The first prompt was the DNS challenge--I had to make a TXT
record with the name _acme-challenge.example.com and put the KEY
value there.

The second was an HTTP challenge--I had to make a file with the
TOKEN name and put the KEY in its contents. The file had to be
accessible from:

GET http://example.com/.well-known/acme-challenge/TOKEN

My understanding is that the HTTP challenge is something
acme-client(1) does, but that the DNS challenge would require
working with a DNS provider that has an API (and a client that
understands it). For now, I've got a valid cert, a new sense of
understanding, and a few months to get the automation in place :)
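The note pastes the TOKEN and KEY values that uacme printed without saying where they come from. The following is an added example written for this page, derived from RFC 8555; it is not uacme's or acme-client's code, and the account key in it (CONSTRUCTED_JWK) is a made-up P-256 JWK, not a real one. It shows that the http-01 KEY is the key authorization "token.thumbprint" served verbatim; that the dns-01 TXT value is the base64url SHA-256 digest of that string rather than the string itself (uacme documents the key_auth it prints for dns-01 prompts as already being that digest, which is why pasting it worked; a different client may hand you the undigested form); that example.com and *.example.com are both validated at the same record name _acme-challenge.example.com, which is consistent with both prompts above showing ident=example.com; and that a CA-supplied token should be checked before it is used as a filename under the webroot.

```python
"""ACME (RFC 8555) challenge values, derived from first principles.

Added example for this note; it is not uacme's or acme-client's code.
CONSTRUCTED_JWK is a made-up P-256 account key for demonstration only.
"""
import base64
import hashlib
import json
import os
import re
import tempfile


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only these members feed the thumbprint, serialised in this
# (lexicographic) order with no whitespace. 'kid', 'alg', 'use' are ignored.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of the required JWK members))."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: '<token>.<thumbprint>'. The CA expects exactly this as
    the http-01 response body (the KEY the note writes into the file)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(ident: str) -> str:
    """RFC 8555 s8.4: prefix the identifier with '_acme-challenge.'. For a
    wildcard the authorization covers the base name (s7.1.3), so example.com
    and *.example.com both validate at _acme-challenge.example.com: two TXT
    records at one name, each holding its own value."""
    if ident.startswith("*."):
        ident = ident[2:]
    return f"_acme-challenge.{ident}"


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 s8.4: the TXT value is base64url(SHA-256(key authorization)),
    not the key authorization itself."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def http01_url(ident: str, token: str) -> str:
    """Where the CA fetches the http-01 response: plain HTTP on port 80
    (a redirect to HTTPS is permitted)."""
    return f"http://{ident}/.well-known/acme-challenge/{token}"


_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_valid_token(token: str) -> bool:
    """RFC 8555 s8.3: tokens consist of base64url characters only. Check this
    before using a CA-supplied token as a filename, otherwise a hostile or
    buggy CA could make a hook write outside the challenge directory."""
    return bool(_TOKEN_RE.match(token))


def stage_http01(webroot: str, token: str, key_auth: str) -> str:
    """Write the http-01 response file under webroot and return its path."""
    if not is_valid_token(token):
        raise ValueError(f"refusing to use token as filename: {token!r}")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as f:
        f.write(key_auth)
    return path


# Constructed demo key: a syntactically valid P-256 JWK, not a real account key.
CONSTRUCTED_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def demo(token="TOKEN", webroot=None) -> dict:
    """Everything the two prompts in the note ask for, for the identifier pair
    example.com / *.example.com, computed from the token and the account key."""
    webroot = webroot or tempfile.mkdtemp(prefix="acme-demo-")
    key_auth = key_authorization(token, CONSTRUCTED_JWK)
    return {
        "key_auth": key_auth,
        "dns_name": dns01_record_name("*.example.com"),
        "dns_txt": dns01_txt_value(key_auth),
        "http_url": http01_url("example.com", token),
        "http_file": stage_http01(webroot, token, key_auth),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value}")
```

Running it prints the five values for a token; if you adapt jwk_thumbprint() to a real account key, RFC 7638 section 3.1 gives an RSA test vector to check it against. A hook that automates the manual steps in the note would call stage_http01() for http-01, publish dns01_record_name() and dns01_txt_value() through the DNS provider's API for dns-01, and clean both up once the order is finalized.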