Using the DNS-01 Challenge to obtain a wildcard certificate on Letsecnrypt
2 minute reading time
Letsencrypt lets anyone get a free SSL certificate in an easily automated way. It verifies that the user is allowed to issue a certificate for that domain by issuing a challenge. Lets say that I want a certificate for
exampledomain.com. The defaults for most clients is to use the
HTTP-01 challenge. This requires that we have a webserver installed on that domain running on port 80. As part of the challenge, the Letsencrypt client will drop a file within the appropriate webserver folder so that it gets served at
http://exampledomain.com/.well-known/acme-challenge/<token>. For example on
nginx this could be at
/var/www/exampledomain.com/.well-known/acme-challenge/<token>. The Letsencrypt server will then verify that the file exists before issuing the certificate.
This easily works for one domain, but what if we have many sub-domains we want added to the certificate? With the
HTTP-01 challenge, we need to test each sub-domain individually. Alternatively, we can use the
DNS-01 challenge to get issued a wildcard certificate. With one wildcard certificate (e.g
*.exampledomain.com) we can secure
b.exampledomain.com and many more!
Letsecnrypt verifies that the user is allowed to claim all these subdomains, by seeing if the user has access to the DNS zone file for that domain. The idea is that if the user is able to change the DNS anyways, then the user could’ve gone through the process of installing a webserver at that IP. With access to the DNS zone file, the user would have to create a
Now this process could be done manually on Certbot by using the
--manual flag. However, in the spirit of automation, there are many plugins existent to help streamline the process. This list of DNS providers shows which provider supports this feature and in what clients.
If your provider isn’t supported on this list, not all hope is lost. Under the manual plugin one can use the hooks
--manual-cleanup-hook to execute external scripts to access the DNS provider’s API.
This wiki page for Certbot shows the list of supported providers and how to structure the command line arguments. For example, I use
Nginx as my webserver and Linode as my DNS nameserver.
certbot certonly \ --dns-linode \ --dns-linode-credentials ~/.secrets/certbot/linode.ini \ -d *.exampledomain.com