Letsencrypt - Now Wildcard Ready!

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Letsencrypt - Now Wildcard Ready!

Post by Dravion » 2018-03-23 07:42

Finally, ACME 2.0 is out and now we can enjoy one SSL certificate for all subdomains instead of issuing or inserting every single host name in one or multiple cert requests.

Let’s Encrypt takes free “wildcard” certificates live
https://arstechnica.com/information-tec ... ates-live/

But there is a little limitation, though I am absolutely fine with it:
Yes, wildcard certs only work for direct subdomains, as you’ve noticed. If you wanted a cert to work on literally.nothing.works.wtf, you would need to get a cert for *.nothing.works.wtf. If you also want to serve stuff on a subdomain of works.wtf, you could also add *.works.wtf to the certificate

tunis
Senior user
Posts: 256
Joined: 2015-01-05 20:22
Location: Sweden

Re: Letsencrypt - Now Wildcard Ready!

Post by tunis » 2018-03-23 17:55

You can only use DNS "TXT" record to verify.
In addition to the ACME v2 requirement, requests for wildcard certificates require the modification of a Domain Name Service "TXT" record to verify control over the domain.
HMS 5.6.8 B2494.25 on Windows Server 2019 Core VM.
HMS 5.6.8 B2505.27 on Windows Server 2016 Core VM.
HMS 5.6.7 B2425.16 on Windows Server 2012 R2 Core VM.

katip
Senior user
Posts: 779
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Letsencrypt - Now Wildcard Ready!

Post by katip » 2018-03-23 18:58

tunis wrote:
2018-03-23 17:55
You can only use DNS "TXT" record to verify.
In addition to the ACME v2 requirement, requests for wildcard certificates require the modification of a Domain Name Service "TXT" record to verify control over the domain.
Any idea how the TXT must look?
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: Letsencrypt - Now Wildcard Ready!

Post by jimimaseye » 2018-03-23 19:43

katip wrote: Any idea how the TXT must look?
This site https://www.sslforfree.com/ guides you through a wizard and shows you what the DNS TXT records are to look like (if you choose that option).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Re: Letsencrypt - Now Wildcard Ready!

Post by Dravion » 2018-03-24 23:51

DNS TXT RR records are the least problematic ones. You can simply set any free text you want, but ACME 2.0 needs a specific TXT value. The benefit is, you can renew your certs without setting up a vhost on your web server or a specific folder structure.
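As an added example (not posted by anyone in this thread), the following Python derives the "specific TXT value" the ACME v2 server looks up for a dns-01 challenge, as specified in RFC 8555 and RFC 7638: the record name is `_acme-challenge.` plus the identifier with any leading `*.` removed, and the value is base64url(SHA-256(token + "." + account-key thumbprint)). The JWK and token used below are constructed sample values, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    lexicographically ordered, serialized as compact JSON with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) for a dns-01 challenge.
    For a wildcard identifier the leading '*.' is dropped, so *.example.com and
    example.com are both validated at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"   # RFC 8555 section 8.1
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def dns01_satisfied(published_txt: list, expected_value: str) -> bool:
    """The CA accepts the challenge if any TXT string at the name matches exactly;
    several records may coexist (e.g. one per pending challenge at the same name)."""
    return expected_value in published_txt


if __name__ == "__main__":
    # Constructed sample values: a fake EC account key and a fake challenge token.
    sample_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    sample_token = "tok-constructed-001"
    name, value = dns01_record("*.example.com", sample_token, sample_jwk)
    print(f"{name}. IN TXT \"{value}\"")
    print("validates:", dns01_satisfied([value], value))
```

The printed line is the zone record to publish before telling the CA to validate; the real token and account key come from the ACME client (for the thread's Windows setups, win-acme) rather than being typed by hand.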

RBoy
New user
Posts: 26
Joined: 2018-12-04 04:28

Re: Letsencrypt - Now Wildcard Ready!

Post by RBoy » 2020-05-18 17:26

How do you get hMailServer to bind to the SSL certificate generated by Win-ACME v2? It seems to generate a new certificate filename each time it renews the domain.

Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Re: Letsencrypt - Now Wildcard Ready!

Post by Dravion » 2020-05-18 19:28

RBoy wrote:
2020-05-18 17:26
How do you get hMailServer to bind to the SSL certificate generated by Win-ACME v2? It seems to generate a new certificate filename each time it renews the domain.
This is not an easy task to do because the issuing Letsencrypt ACME v2 server checks your host name while processing your SSL certificate request.
This means you can only receive an SSL certificate from Letsencrypt for *.mydomain.com if your hMailServer is also running on the public internet on *.mydomain.com, if you do it the right way.

The steps:
1) It only works if hMailServer runs on a public internet domain (in NAT-router cases, it can only work with port forwarding resolvable by a public DNS server).
2) It will only work if we implement an HTTP server in hMailServer on port 80 (unencrypted), because the issuing Letsencrypt server will check for it.
3) It will only work if we also implement ACME v2 in hMailServer, which can interface with hMailServer's internal HTTP server on port 80.
4) All the above steps need to be repeated every 90 days to renew the outdated SSL certificates.
