Re: certbot-service wildcard support
From: Nils Gillmann
Subject: Re: certbot-service wildcard support
Date: Sat, 4 Aug 2018 10:08:02 +0000
Clément Lassieur transcribed 1.7K bytes:
> Nils Gillmann <address@hidden> writes:
>
> > Clément Lassieur transcribed 847 bytes:
> >> Nils Gillmann <address@hidden> writes:
> >>
> >> > Hi,
> >> >
> >> > recently letsencrypt added support for wildcard certificates.
> >> >
> >> > Since we concluded that it would be a good idea for Taler to
> >> > just use that instead of roughly 30 - 40 subdomain certificates:
> >> >
> >> > Does our certbot-service support the wildcard functionality?
> >>
> >> It doesn't, because it doesn't support DNS challenges.
> >>
> >> I tried to add support for DNS challenges, but I stopped because my DNS
> >> provider (Namecheap) doesn't have an API to update DNS records. (Well,
> >> it does, but the API has access to everything and I can't afford the
> >> security risk.)
> >>
> >> The problem with DNS challenges is that there is no universal way to
> >> update the records. It depends very much on the provider (unless you
> >> host your DNS zone).
> >
> > How is that related? Or am I using certbot on Debian wrong? I simply added
> > an entry manually. I don't even want a service to mess around with DNS, at
> > least not unless it is required.
> > Which in my experience it is not. You can add the entry manually, which is
> > what we'd have done for taler.
>
> Oh. I thought it had to be updated every three months, which is why I
> wanted to automate it. But if it has to be updated only once, then it's
> not a problem.
The DNS entry is added once and that's it, at least from memory, and in my
experience none of my certs has cried for help so far.
> >> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
> >> in this.
> >
> > If you can tell me more about this, and why you think that software is
> > required for this, then it would be in my responsibility to work on this.
>
> It's just a tool that automates DNS records updating, but you won't need
> it if the DNS record used by Certbot only needs to be updated once.
Okay. So basically it could work as-is, or is there some programming work
to be done for support entries like "*.taler.net"?
Thanks
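The thread turns on what the DNS challenge record actually is. As an added illustration (not code from the thread, from certbot or from the Guix certbot-service), the following computes the `_acme-challenge` TXT record that an ACME server validates for a DNS-01 challenge, following RFC 8555 section 8.4 and the RFC 7638 key thumbprint: the value is `base64url(SHA-256(token "." thumbprint(account key)))`, where the token is issued by the CA per authorization, and a wildcard identifier such as `*.taler.net` is validated at the base name. The JWK below is a constructed placeholder with made-up coordinates, not a real key; `taler.net` is used only because it is the domain discussed above.

```python
from __future__ import annotations

import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in lexicographic
    order, with no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) for a DNS-01 challenge (RFC 8555 s8.4).

    A wildcard identifier ("*.taler.net") is validated at the base name, so the
    record lands at _acme-challenge.taler.net. The TXT value depends on the token,
    which the CA issues per authorization; a different token gives a different value.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


# Constructed placeholder account key: the coordinates are not a valid P-256 point,
# they only stand in for the shape of an ACME account JWK.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-placeholder",
    "y": "constructed-y-coordinate-placeholder",
    "kid": "ignored-by-the-thumbprint",
}


if __name__ == "__main__":
    # Constructed tokens standing in for two separate authorizations from the CA.
    for token in ("token-from-first-authorization", "token-from-second-authorization"):
        name, value = dns01_record("*.taler.net", token, SAMPLE_JWK)
        print(f'{name}. IN TXT "{value}"')
```

Running it prints two records with the same name and different values, which is the mechanical reason an automated DNS update (the role python-dns-lexicon plays for certbot) exists: the name is stable, the value is tied to whatever token the CA hands out for that particular authorization. Checking that the published record matches the value the client computed, before asking the CA to validate, is the cheapest way to avoid a failed challenge.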