
Wildcard support ? #646

Closed
exxosuk opened this issue Mar 1, 2021 · 18 comments · Fixed by #731

exxosuk commented Mar 1, 2021

Looking through the issues here, I can't work out if wildcard is supported or not?

I mean I tried

./getssl -c *.exxosserver.co.uk

Which created *.exxosserver.co.uk folders...

But then..

./getssl *.exxosserver.co.uk
*.exxosserver.co.uk: cannot use http-01 validation for wildcard domains
*.exxosserver.co.uk: cannot use http-01 validation for wildcard domains
getssl: *.exxosserver.co.uk: exiting due to config errors

ACL stuff...

SANS='*.exxosserver.co.uk'
ACL=('/var/www/html/.well-known/acme-challenge'
'/var/www/html/.well-known/acme-challenge')

So am I doing something wrong, or is this still not supported? Thanks.

@timkimber (Member)

Hi @exxosuk

Yes, wildcards are supported, although I've just noticed that I can't find the documentation I thought I'd written on how to use them, so I've added a task for me to do that.

So here's a quick start guide:

  1. You need to use dns-01 authentication
  2. Which means you don't need the ACL= line in getssl.cfg
  3. You need to add VALIDATE_VIA_DNS=true to your getssl.cfg file
  4. You also need to add a DNS_ADD_COMMAND= line and a DNS_DEL_COMMAND= line in getssl.cfg and configure the correct script in the dns_scripts directory for your provider.
  5. Then you just call ./getssl "*.exxosserver.co.uk"

An example config file is:

VALIDATE_VIA_DNS=true
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_dynu"
DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_dynu"
AUTH_DNS_SERVER=ns1.dynu.com
CHECK_ALL_AUTH_DNS="true"
SANS=""
# Certificate locations
DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"

# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="service nginx restart"

# Define the server type and confirm correct certificate is installed
SERVER_TYPE="https"
CHECK_REMOTE="true"

@timkimber timkimber self-assigned this Mar 1, 2021
exxosuk (Author) commented Mar 1, 2021

Thanks for your reply... I think some stuff is missing somewhere..

./getssl exxosserver.co.uk
exxosserver.co.uk: no certificate obtained from host
Registering account
Verify each domain
Verifying exxosserver.co.uk
./getssl: line 1242: /getssl/dns_scripts/dns_add_dynu: No such file or directory
getssl: DNS_ADD_COMMAND failed for domain exxosserver.co.uk

timkimber (Member) commented Mar 1, 2021 via email

exxosuk (Author) commented Mar 1, 2021

Thanks, I have no idea what these new scripts are all about :) Mine is in /root/.getssl

pping (Contributor) commented Mar 5, 2021

exxosuk (Author) commented Mar 5, 2021

Oh, they must not have come down with the installer package.. will give them a try when I get back home on Monday.

exxosuk (Author) commented Mar 8, 2021

Didn't have much luck copying the scripts over either :(

root@exxosserver:~# ./getssl exxosserver.co.uk
exxosserver.co.uk: no certificate obtained from host
Registering account
Verify each domain
Verifying exxosserver.co.uk
./getssl: line 1242: /root/.getssl/dns_scripts/dns_add_dynu: Permission denied
getssl: DNS_ADD_COMMAND failed for domain exxosserver.co.uk
root@exxosserver:~#

@timkimber (Member)

Hi @exxosuk

I think you need to use the dns_add_cpanel / dns_del_cpanel scripts, which I haven't finished writing yet (started a new job today). I'll try and find time to write up some instructions tomorrow.

exxosuk (Author) commented Mar 8, 2021

> I think you need to use the dns_add_cpanel / dns_del_cpanel scripts which I haven't finished writing yet (started a new job today), I'll try and find time to write up some instructions tomorrow

Awesome :) Probably won't get a chance this week to mess with it anyway, much going on, but hopefully I can continue setting up my server next week then :)

@timkimber (Member)

@exxosuk I've pushed the change with the dns_add_cpanel and updated the main overview page with details of specifying a wildcard certificate. I'll add a quickstart guide with better instructions sometime next week.

exxosuk (Author) commented Mar 14, 2021

Awesome, will go have a look :)

exxosuk (Author) commented Mar 14, 2021

I'm not sure I really follow how this is supposed to work.. Is this cPanel as in the control panel which normal webhosts use? As such, as I run my own Ubuntu server, it's command line only, and the DNS server is with reg123.co.uk, where I just load in what IP my server is at and the domain name.

Currently my test server is a fresh install of Ubuntu 20, with Apache2, PHP7, etc.

VALIDATE_VIA_DNS=true
export CPANEL_USERNAME=''
export CPANEL_URL='https://www.cpanel.host:2083'
export CPANEL_APITOKEN='1ABC2DEF3GHI4JKL5MNO6PQR7STU8VWX9YZA'
DNS_ADD_COMMAND=/home/root/getssl/dns_scripts/dns_add_cpanel
DNS_DEL_COMMAND=/home/root/getssl/dns_scripts/dns_del_cpanel

@timkimber (Member)

Hi @exxosuk

I've just very quickly written the following guide: https://github.com/srvrco/getssl/wiki/Guide-to-getting-a-certificate-for-example.com-and-www.example.com

Can you see if that helps?

Thanks

exxosuk (Author) commented Mar 15, 2021

I think you have lost me totally :(

When it says

> Creating a DNS record containing the challenge token (dns-01 verification)
> To do this you need to tell getssl how to add and remove dns records for your domain

I don't see how a script running on my server can change DNS records as they are all done via reg123, which is outside the scope of my server (totally different companies). I would imagine it would be a huge security flaw if reg123 allowed remote changing of DNS records. I also don't understand why it needs to do that in the first place?

@timkimber (Member)

Hi @exxosuk

> I also don't understand why it needs to do that in the first place ?

You must be able to prove to Let's Encrypt that you control either the webserver or the DNS for your domain. For wildcard certificates, which could be for any webserver, you must prove that you control the DNS.

I've just re-read your comment from 2 days ago:

> as I run my own Ubuntu server, its command line only, and the DNS server is with reg123.co.uk

Which I didn't read properly earlier. 123-reg don't provide any API or method to programmatically update the DNS records unless you also host your website with them, so the solution I've been suggesting won't work.

The easiest solution for you is probably to use acme-dns which requires you to create a DNS record once, which it then re-uses to do the Let's Encrypt challenge response.

The main details are at https://github.com/joohoi/acme-dns. It's possible to use this with getssl but it's not the simplest of solutions at the moment - I'm planning to change the integration tests to use this so the support will become better.

If you want a quick and easy solution, then the author of acme-dns has also written https://github.com/acme-dns/acme-dns-client which tells you what DNS entries to create and provides a plug-in to certbot to create the certificate.

acme.sh also has built-in support for acme-dns and might be an easier solution.

(I don't mind what client you use, so use whichever ACME client works the best for you)
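Added example (not getssl's own code, and not posted by anyone in this thread) of what the DNS_ADD_COMMAND / DNS_DEL_COMMAND hooks from the quick start above actually have to do, and why a wildcard forces dns-01 as explained in the reply above. It assumes getssl's two-argument domain/token calling convention and uses a constructed local zone file in place of a provider API; the token values are constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not getssl's own code. A local file stands in for the DNS
# provider's API (assumption for this demo); a real hook would call that API.
set -eu

# dns-01 proves control of the zone: the CA looks for the token in a TXT record
# at _acme-challenge.<domain>. For "*.example.com" the "*." is stripped first,
# so the wildcard and the bare domain share _acme-challenge.example.com.
challenge_name() {
  local domain="${1#\*.}"
  printf '_acme-challenge.%s\n' "$domain"
}

ZONE_FILE="${ZONE_FILE:-$(mktemp)}"   # constructed stand-in for the real zone

# Assumed hook convention: DNS_ADD_COMMAND <domain> <token>
dns_add() {
  local name; name="$(challenge_name "$1")"
  printf '%s TXT "%s"\n' "$name" "$2" >> "$ZONE_FILE"
}

# DNS_DEL_COMMAND <domain> <token>: remove exactly the record we added, so a
# concurrent challenge for the bare domain (a different token) stays intact.
dns_del() {
  local name; name="$(challenge_name "$1")"
  grep -vF "$name TXT \"$2\"" "$ZONE_FILE" > "$ZONE_FILE.tmp" || true
  mv "$ZONE_FILE.tmp" "$ZONE_FILE"
}

# Pre-flight check in the spirit of CHECK_ALL_AUTH_DNS: do not ask the CA to
# validate until the token is actually visible. Returns 0 when present.
dns_has_token() {
  local name; name="$(challenge_name "$1")"
  grep -qF "$name TXT \"$2\"" "$ZONE_FILE"
}

# Demo run with a constructed sample token (not a real ACME challenge).
dns_add '*.example.com' 'sample-token-1'
if dns_has_token '*.example.com' 'sample-token-1'; then
  echo "token published at $(challenge_name '*.example.com')"
fi
dns_del '*.example.com' 'sample-token-1'
```

In a real deployment the add hook must reach the authoritative zone (here 123-reg, which offers no API), which is exactly why the acme-dns CNAME approach is suggested.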

exxosuk (Author) commented Mar 16, 2021

Ah ok, thanks. I will probably just use yours and just not bother with subdomains, rather than starting again with another script. Yours was the only one I could get working anyway as I tried others before. If I had enough time to invest, I would look at another script, but just so much stuff I need to get done at the moment, I just don't have time to start over. But thanks for your support thus far! I guess no big deal to just not use subdomains anyway.

HerroBert commented Mar 30, 2021

Somewhere I saw a modus with an "immortal verification token" for DNS. So put this string into DNS forever and just call the renew process.

Edit: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode
but it's for HTTP

@timkimber timkimber linked a pull request Nov 25, 2021 that will close this issue
timkimber added a commit that referenced this issue Nov 25, 2021
Fix CNAME issues and support acme-dns (fixes #722, #308, #646, #600, #585)
pgoforth commented Feb 2, 2025

After issues related to wildcard certs on cPanel that ALSO apply to the root domain, I had to scrub the wildcard from the domain and issued a PR for it here

Generating wildcard certs will place the cert into a *.<domain> folder, then that folder name is used to run cpanel_cert_upload. Unfortunately, cPanel lists the wildcard domains by their root domain. Therefore, all subsequent scripts fail because they target the incorrect domain name (*.<domain> instead of <domain>) via the cPanel API.
