Add wildcard support via DNS-01 challenge #189
Comments
Actually, there may have been some confusion. My work did not enable wildcard certificates nor did I test that functionality. Wildcard functionality would require that we use DNS-01 challenge:
Source: https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579 Right now, we use a simple document root (HTTP) challenge. Using a DNS-01 challenge would be difficult to implement in a user-friendly way. First, we'd have to require that users set up configuration (similar to email address) for what DNS provider to use and the credentials to that provider. We'd also need a configuration flag to be set to tell the plugin to use wildcard certificates. Without the flag set, the plugin would default to the current method. Finally, if a user sets the wildcard flag but not the DNS provider configuration settings (for example, if their domain's DNS isn't a supported provider), we'll need to tell the user to set the DNS record manually, then prompt them to continue the process. And also consider that certificates are still handled on a per-app basis, meaning you would be creating several different wildcard certs unless that is changed too. I'm not at all sure it would be worth it. It would be easier to create your own letsencrypt wildcard cert, then use the certs command to associate it with all your apps yourself.
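The DNS-01 flow described above, as an added example that is not part of the plugin or this thread: compute the TXT value a CA expects at `_acme-challenge.<domain>` for a given challenge token and ACME account key (RFC 8555 key authorization over an RFC 7638 thumbprint), and check whether it is already published before continuing, which is the pre-flight behind "set the DNS record manually, then prompt them to continue". `lookup_txt` is a caller-supplied hook, and the zone, key and token are constructed sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: required members only,
    sorted, no whitespace, then SHA-256."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in the TXT record:
    base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """A wildcard '*.example.com' is validated at '_acme-challenge.example.com';
    the leading '*.' is dropped before prefixing."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def record_ready(identifier: str, token: str, account_jwk: dict, lookup_txt) -> bool:
    """Pre-flight check before asking the CA to validate: is the expected TXT
    value already published? lookup_txt(name) -> list of TXT strings, supplied
    by the caller (a real resolver query, or the stub below). Any match counts,
    since a wildcard and its apex can legitimately publish two values at once."""
    return dns01_txt_value(token, account_jwk) in lookup_txt(challenge_name(identifier))


# Constructed sample data: not a real key, token, or zone.
SAMPLE_JWK = {"kty": "RSA", "n": "not-a-real-modulus", "e": "AQAB"}
SAMPLE_TOKEN = "constructedToken0123456789"
SAMPLE_ZONE = {
    "_acme-challenge.example.com": [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK), "stale-value"],
}

if __name__ == "__main__":
    ok = record_ready("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK, lambda n: SAMPLE_ZONE.get(n, []))
    print("record ready" if ok else "set the TXT record first, then continue")
```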
Wildcard certs aren't supported (freely) by Cloudflare, so I was hoping to set up on Dokku directly but figured they don't seem to be supported.
@iplanwebsites is this something you'd be interested in sponsoring? Otherwise, pull requests are always welcome!
There is another ACME solution which offers integration with multiple DNS providers to update the DNS records for wildcard domains. Only then we would need to switch. I am not sure if this is something we would like to do?
👍 for wildcard support. Perhaps a bounty could be set up? I'd chip in.
I'm using wildcard without issues.
@CyberMew Do you know if support for wildcard from LetsEncrypt is a recent thing? Or know of a resource that specifies how to do that? My devops guy thinks it can't be done.
This should be more easily possible once #220 gets merged, but someone still needs to figure out env var support and configuration for the DNS-based solution.
What does environment variable support mean in this context?
I looked through some blog posts. I'm probably going to follow this one, but with a list of apps rather than a single app. https://petr.codes/blog/dokku/wildcard-certificate/
We need a way to set arbitrary properties, basically the same as the kubernetes scheduler, and then a way to set the DNS provider. That will then let us automate it via DNS.
@archonic sorry for the late reply. I was using this https://github.com/josegonzalez/dokku-global-cert
DNS-01 challenge is also very interesting for when running Dokku inside a VPN (but you still want to use HTTPS).
Note
As of 0.12.0, dokku-letsencrypt will be in a position to add dns-01 challenge support. That said, it'll still need work to enable the environment variable support needed. Until someone volunteers or sponsors the work, wildcard support is not officially supported by this plugin.
Original Post
Thanks to @dean1012 for handling the upgrade to ACMEv2 in #184. Judging by the closing of #147 I thought that wildcard certs would be working, but when I add a wildcard domain to my app and try to letsencrypt, I consistently get a TimeoutError. Could someone else confirm that they get the same behavior?