Koozali.org: home of the SME Server

Letsencrypt wildcard certs

ReetP
Letsencrypt wildcard certs
« on: July 07, 2017, 08:52:23 AM »
Not sure how to deal with this when it occurs, but FYI

https://m.theregister.co.uk/2017/07/06/free_wildcard_ssl_certs_lets_encrypt/

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Letsencrypt wildcard certs
« Reply #1 on: July 07, 2017, 09:12:13 PM »
I think this could simplify for us.
As an example, you might have set your DNS for the main domain to your server for domain.com and www.domain.com, while you might have forgotten to set ftp.domain.com, mail.domain.com or servername.domain.com, or any domain you want to use only internally but not widely for the web.

The thing we must look at is more the changing protocol, and the impact on dehydrated, as it is still lacking some support (like logging and cancelling pending requests, which have a limit), while a failure in the middle of validation of 80 domains because of one domain will leave these requests pending, and the next launch will start over, not even trying to fulfill or cancel the previous requests.

Good news: with wildcards you will be able to skip the hosts list and have a smaller list of domains to include.

DanB35 (http://www.familybrown.org)
Re: Letsencrypt wildcard certs
« Reply #2 on: July 08, 2017, 01:31:12 AM »
> I think this could simplify for us.
I don't think so, on balance. On the one hand, we'd only need to validate the domain, not all the individual hostnames (www., mail., ftp., etc.). On the other hand, though, they're only going to be permitting this using DNS validation, which poses a problem for us. HTTP-01 validation is easy to automate across most of our installations, since most of them act as web servers. We know what the web root location is, so we can easily put the validation tokens in there. The DNS validation requires the script to update your DNS records, and many DNS hosts don't implement an easy way of doing this. Of the hosts who do implement such a method, the methods vary widely from host to host.

There's a separate script (lexicon) that handles many of these different methods, but it still requires a good bit of configuration.
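To make the difference between the two validation methods discussed above concrete, here is an added example (not code from this thread, from SME Server, dehydrated or lexicon) that computes what each ACME challenge type asks the client to publish, following RFC 8555 sections 8.3 (HTTP-01) and 8.4 (DNS-01) and the RFC 7638 account-key thumbprint. The HTTP-01 case needs only a file in the web root, which is why it is easy to automate on a server you control; the DNS-01 case needs a TXT record at the DNS host, and Let's Encrypt only issues wildcard names through DNS-01. The JWK, token and TXT answers used at the bottom are constructed values, and the verification functions model the CA-side comparison rather than calling any real ACME server.

```python
"""ACME challenge material for HTTP-01 and DNS-01.

Added example; not from the forum thread or the projects it mentions.
All key material, tokens and DNS answers below are constructed.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """token.thumbprint, the value both challenge types are derived from."""
    return f"{token}.{thumbprint}"


def http01_challenge_file(token: str, thumbprint: str) -> tuple:
    """(URL path under the web root, file body) the web server must serve."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, thumbprint))


def dns01_txt_record(domain: str, token: str, thumbprint: str) -> tuple:
    """(record name, TXT value) the DNS host must publish: the TXT value is
    base64url(SHA-256(key authorization)), not the key authorization itself."""
    keyauth = key_authorization(token, thumbprint).encode("ascii")
    return (f"_acme-challenge.{domain}", b64url(hashlib.sha256(keyauth).digest()))


def http01_response_is_valid(body: str, token: str, thumbprint: str) -> bool:
    """Model of the CA check: fetched body (trailing whitespace ignored)
    must equal the key authorization exactly."""
    return body.rstrip() == key_authorization(token, thumbprint)


def dns01_records_are_valid(txt_values, domain: str, token: str, thumbprint: str) -> bool:
    """Model of the CA check: at least one TXT answer matches the expected digest.
    Stale records from an earlier run are tolerated, which is why leftover
    records do not break validation but should still be cleaned up."""
    _, expected = dns01_txt_record(domain, token, thumbprint)
    return expected in txt_values


def required_challenge(identifier: str) -> str:
    """Let's Encrypt issues wildcard identifiers only via DNS-01; any other
    hostname can use HTTP-01 on a host that serves the web root."""
    return "dns-01" if identifier.startswith("*.") else "http-01"


if __name__ == "__main__":
    # Constructed EC account key (x/y are placeholders, not a real point).
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "cx-placeholder",
                   "y": "cy-placeholder", "use": "sig"}
    thumb = jwk_thumbprint(account_jwk)
    token = "constructed-token-0123"  # a CA-issued token in a real order
    for name in ("www.example.org", "*.example.org"):
        kind = required_challenge(name)
        if kind == "http-01":
            print(name, kind, http01_challenge_file(token, thumb))
        else:
            print(name, kind, dns01_txt_record(name.lstrip("*."), token, thumb))
```

The HTTP-01 file can be written by the same script that runs on the server, whereas the TXT record has to go through whichever update mechanism the DNS host offers, which is the automation gap the post describes.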