
I get a message telling me that it is unfortunately not possible to generate a certificate for multiple subdomains:

Wildcard domains are not supported: *.mynewsiteweb.com

On the other hand, it would be possible to generate one for each subdomain, one by one.

Is there a better solution? Thank you :)




Edit

Certbot now supports wildcards since version 0.22.0 (2018-03-07).

Links

Thanks

Breith



Prior to support for wildcards I found it necessary to explicitly list each domain on a certificate in the form

… -d example.com -d www.example.com -d blog.example.com -d www.blog.example.com …

(which due to complexities in the odd mix of redirected domains I'm using worked best with the --webroot authentication).

Thanks to Trojan's explanation and documentation here:

https://certbot.eff.org/docs/install.html?highlight=wildcard

I was able to generate wildcard certs that are live now. Unfortunately there is no plugin for EasyDNS.com yet, so I had to perform manual validation (where Trojan's example saved the day). With this approach I was able to generate a certificate in the form

… -d *.example.com -d example.com -d *.blog.example.com …

Since (for example's sake) blog.example.com was already covered by the *.example.com wildcard, I only had to add the wildcard for *.blog.example.com. In fact certbot would not allow redundancy (complained if I tried to include both *.example.com and www.example.com).

Currently available plug-ins are listed here:

https://certbot.eff.org/docs/using.html#dns-plugins

As of this writing they include these DNS providers:

  • certbot-dns-cloudflare
  • certbot-dns-cloudxns
  • certbot-dns-digitalocean
  • certbot-dns-dnsimple
  • certbot-dns-dnsmadeeasy
  • certbot-dns-google
  • certbot-dns-luadns
  • certbot-dns-nsone
  • certbot-dns-rfc2136
  • certbot-dns-route53

Perhaps I'll take a peek over the weekend and see how hard it is to write a plug-in for my own DNS provider.

Jay Riley

it is unfortunately not possible to generate a certificate for multiple subdomains

Not true. It is possible to generate a cert for multiple subdomains. Just include those subdomains in the configuration file by their names:

domains = example.org, www.example.org, sub.example.org, www.sub.example.org

Then run certbot with the configuration file:

certbot-auto -c config.ini

You will have to verify ownership for each domain.

See more about the configuration file.

Jahid
  • Is there a way to get a certificate for a wildcard subdomain i.e. *.mydomain.com which will work for all subdomain that i put it. – vinit May 01 '17 at 06:15
  • @vinit : Last time I checked wildcard domain isn't supported by letsencrypt – Jahid May 01 '17 at 06:18
  • Yeah, i also checked on their community forum. This questions was responded negatively 1 month back. I wonder if we can do anything to help. – vinit May 01 '17 at 11:18
  • @vinit - https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html – Dominik Späte Aug 14 '17 at 00:28

Wildcard domains are now supported by certbot (from version 0.22).

The domain will have to be validated via DNS (you will have to add an _acme-challenge.yourdomain.tld TXT record to your DNS zone with a randomly generated value).

Example:

certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d *.example.pl --manual --preferred-challenges dns-01 certonly
trojan
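The "randomly generated value" in the answer above (and the manual DNS validation Jay Riley describes) is not random at all: it is derived from the challenge token and the ACME account key. The following added example, which is not certbot's or Let's Encrypt's own code, reproduces that derivation from RFC 8555 section 8.4 and RFC 7638, shows where the CA looks up the record (for *.example.pl that is _acme-challenge.example.pl), and checks a set of observed TXT values before you let certbot continue; the account key, token and zone answer are constructed placeholders.

```python
# Added example (not certbot's own code): derive the dns-01 TXT value that
# certbot asks you to publish, and check a zone's TXT records against it.
# All key material, tokens and DNS answers below are constructed samples.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as compact JSON with lexicographically sorted keys."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(key_auth: str) -> str:
    """TXT record content is base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())


def validation_name(identifier: str) -> str:
    """'_acme-challenge.' + the identifier with any leading '*.' removed."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def challenge_would_pass(observed_txt, expected: str) -> bool:
    """The CA accepts if any TXT record at the validation name matches;
    stale records left over from earlier runs do not hurt."""
    return expected in observed_txt


if __name__ == "__main__":
    # Constructed sample account key; 'n' is a placeholder, not a real modulus.
    sample_jwk = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-placeholder"}
    token = "sample-token-from-certbot"  # constructed; certbot prints the real one
    expected = dns01_txt_value(key_authorization(token, jwk_thumbprint(sample_jwk)))
    print(validation_name("*.example.pl"), "TXT", expected)
    zone_answer = ["old-value-from-last-renewal", expected]  # constructed dig output
    print("safe to let certbot continue:", challenge_would_pass(zone_answer, expected))
```

Query the validation name with your resolver of choice and feed the returned strings to challenge_would_pass before pressing Enter in certbot's manual prompt; a missing or not yet propagated record is the usual reason the authorization fails.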

I just went through the process of generating a single Let's Encrypt certificate for multiple subdomains. There were some minor challenges that I encountered and resolved. I posted a short article in the link below explaining the lessons I learned when installing Let's Encrypt digital certificates on my Apache web server, which provides HTTP and HTTPS access to multiple subdomains.

My most important "lesson learned" is that you need to create a VirtualHost for the HTTP access AND a VirtualHost for each subdomain accessible via HTTPS. IMPORTANT: Each VirtualHost definition must be specified in a single configuration file. The Let's Encrypt certbot will not operate correctly if multiple VirtualHosts are defined within a single configuration file. I defined three (3) VirtualHosts in three (3) different configuration files below. The dummy.conf file serves no functional purpose within Apache (i.e., it will not cause an unnecessary 999 listening port), but it is absolutely necessary for digital certificates to be successfully generated by the Let's Encrypt certbot.

Web Server Conf Files

Then you can run the following command to generate the certificate:

certbot certonly -d example.com -d www.example.com

https://www.hueyise.com/index.php/letsencrypt

Chris Huey
  • Thanks, but your link returns: ERR_CONNECTION_TIMED_OUT – Breith Mar 12 '17 at 19:09
  • @ChrisHuey Welcome to SO. This looks like a great answer, but could be improved by copying the salient points into your answer. This helps prevent link rot, so that the answer is still good even if the site is down. It's fine to still leave the link to your original source though! :) – StackExchange What The Heck Mar 12 '17 at 19:32
  • Separate file for HTTPS and HTTP, or separate file for each domain? Can someone validate the port 999's necessity? – Cybermonk Dec 05 '18 at 03:35

Let's Encrypt SSL wildcard/multiple-subdomain support will officially be available starting from February 27, 2018.

We introduced a public test API endpoint for the ACME v2 protocol and wildcard support on January 4, 2018. ACME v2 and wildcard support will be fully available on February 27, 2018

Source: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html