Letsencrypt Letsencrypt Offering Wildcard SSL Certificates Jan 2018 !

eva2000 · Jul 7, 2017

Letsencrypt folks announced that they will be planning on offering free wildcard SSL certificates via DNS validation from January 2018 Wildcard Certificates Coming January 2018 - Let's Encrypt - Free SSL/TLS Certificates !

Let’s Encrypt will begin issuing wildcard certificates in January of 2018. Wildcard certificates are a commonly requested feature and we understand that there are some use cases where they make HTTPS deployment easier. Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.

Let’s Encrypt is currently securing 47 million domains via our fully automated DV certificate issuance and management API. This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let’s Encrypt’s service became available in December 2015. If you’re excited about wildcard availability and our mission to get to a 100% encrypted Web, we ask that you contribute to our summer fundraising campaign.

A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.

Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via DNS for wildcard certificates, but may explore additional validation options over time. We encourage people to ask any questions they might have about wildcard certificate support on our community forums.
Click to expand...

eva2000 · Dec 17, 2017

can't wait - FYI less than 4 weeks to go when Letsencrypt offer's free Wildcard SSL certificates

bassie · Dec 17, 2017

I am not into Letsencrypt. Are there plans to expand the expiration date for Letsencrypt certificates?
90 days is too little for me

pamamolf · Dec 17, 2017

90 days is too little for me
Click to expand...

Yup that's what i don't like also about it but as Centminmod auto renew it then all ok

bassie · Dec 17, 2017

pamamolf said: ↑

Yup that's what i don't like also about it but as Centminmod auto renew it then all ok
Click to expand...

True.
But you do not structurally solve the problem of 90 days.

And for that you need an extra mechanism to automatically renew it.
Something you have to monitor as extra apart form all the rest.

As a result of Letsencrypt and so on, you could obtain a Comodo certificate for like $ 3.99 a year.

I will not mess around for a few dollars. Test sites or small sites (traffic) ok.
But I do not put Letsencrypt on business.

eva2000 · Dec 17, 2017

It's what I thought when I was first introduced to 90 day expiry SSL certificates, but now with more than a year using them with proper monitoring & automation in place, they aren't that bad. Generally they are auto renewed at 60 day mark so any failure to auto renew still gives you 30 days head room to figure out the problem if any.

But yes commercial SSL certs have also come down in price - especially domain validated ones thanks to introduced letsencrypt competition Hoping the same effect happens for commercial Wildcard SSL certificates when Letsencrypt starts issues free Wildcard SSL certficates

eva2000 · Jan 1, 2018

from Looking Forward to 2018 - Let's Encrypt - Free SSL/TLS Certificates public testing from January 4th, 2018 and full launch on Feb 27, 2018

First, we’re planning to introduce an ACME v2 protocol API endpoint and support for wildcard certificates along with it. Wildcard certificates will be free and available globally just like our other certificates. We are planning to have a public test API endpoint up by January 4, and we’ve set a date for the full launch: Tuesday, February 27.
Click to expand...

bassie · Jan 2, 2018

Nice catch. BTW double post about the full launch of wild-card certs?

Letsencrypt - Letsencrypt Offering Wildcard SSL Certificates Jan 2018 !

and

Letsencrypt - SSL - Letsencrypt SSL Certificate Market Share #2

eva2000 · Jan 2, 2018

Yeah different starting topics

eva2000 · Jan 3, 2018

@bassie i believe this is official letsencrypt project tracker for Acme v2 API development which is required to switch on wildcard ssl cert issuance on staging API at least first v2 API · GitHub

eva2000 · Jan 6, 2018

Letsencrypt ACME v2 API endpoint ready for public testing Let's Encrypt on Twitter

from

We’re happy to announce that our ACME v2 staging endpoint is now available for public testing. You can begin testing ACME v2 support for your client using the following directory URL:

https://acme-staging-v02.api.letsencrypt.org/directory

Remember that since the staging environment root certificate22 is not present in browser/client trust stores this endpoint is inappropriate for production use. A production ready v2 API endpoint will be available February 27th.15

We look forward to working with ACME client developers to prepare for ACME v2 and wildcard issuance ahead of our full launch.

Edit: We’re collecting reported bugs/known issues in this forum thread29

Background
Let’s Encrypt and the ACME standard have evolved side-by-side since our launch. As the draft has moved through the IETF standardization process we accumulated a number of divergences5 where the specification changed in non-backwards-compatible ways. Now that the draft standard is in last-call and the pace of major changes has slowed, we’re able to release a “v2” API that is much closer to what will become the final ACME RFC. We may plan to sunset the v1 API at some point in the future, but have not set a date. We will give plenty of advance warning to clients and integrators for any such plan.

Existing Accounts
Existing ACME accounts from the v1 API will work with the v2 API. Existing authorizations from the v1 API will not be usable with the v2 API, meaning that you will have to reauthorize all domains prior to issuance with the v2 API (note: this is not currently implemented in the staging API, so you may see some reuse there).

Rate limits
The existing staging environment rate limits11 still apply for the V2 API. There’s one new rate limit, Pending Orders Per Account. One ACME account can have no more than 300 pending orders outstanding at a time.

Client compatibility
This is a non-backward-compatible version of the API, so ACME v1 clients (almost all clients available today) will not work with the ACME v2 endpoint. Existing clients will need code changes and new releases in order to support ACME v2.

Certbot is not yet ACME v2 compatible. We expect Certbot to support ACME v2 by February 27. To date, only
ACME4J41 has implemented ACME v2. Please start a new thread in the “client dev” category on the forum 22 to let us know if your ACME client has added v2 support! We will soon start marking ACME v2 compatible clients in our list of available ACME clients.34

If you use an ACME v1 client with the ACME v2 API you will likely receive errors about an incompatible /directory response, perhaps mentioning missing endpoints (new-reg, new-authz, etc). To reiterate, ACME v1 clients will not work with ACME v2 without code changes.

Wildcard certificates
The V2 API supports issuing wildcard certificates. To request a wildcard certificate simply send a wildcard DNS identifier in the newOrder request. Wildcard identifiers may only be authorized by DNS-01 challenge, so order authorizations corresponding to wildcard identifiers will only include a pending DNS-01 challenge. DNS names in certificates may only have a single wildcard character, and it must be the entire leftmost DNS label, for instance “*.example.com”. A single certificate can have wildcard DNS identifiers for multiple base domains.
Click to expand...

acme.sh client used for addons/acmetool.sh is also starting to test ACME v2 API neilpangxa on Twitter

from Now acme.sh speaks ACME v2

Hi Guys,

acme.sh3 speaks ACME v2 now.

It speaks both v1 and v2 automatically.

Limitations:

Wildcard is on its way, just wait a moment.

Tls-02 and revocation and some other feature is not working yet, due to the known bugs of boulder : ACME v2 Staging Server: Known Bugs/Issues

Click to expand...

bassie · Jan 28, 2018

Someone already generated some Letsencrypt Wildcard Certificates?
I'm curious about the experience.

eva2000 · Jan 28, 2018

Haven't gotten that far yet for Centmin Mod integration at least as it's trickier to automate for nginx vhost generation because

DNS validation only so not all DNS providers via API are supported in acme.sh though alot of most common are

acme.sh has additional requirement of passing main domain name to command line for wildcard i.e. -d domain.com -d *.domain.com

current centmin mod nginx vhost routines are tied to creation of a specific domain or subdomain name when passing parameters from addons/acmetool.sh to underlying acme.sh client so will need to work out some logic for nginx vhost routines when you try creating several subdomains off of the same domain i.e. sub1.domain.com, sub2.domain.com and sub3.domain.com. Traditional SSL wildcard would be fine with just using *.domain.com for common name. But with acme.sh I would need to manage required domain.com, *.domain.com and subX.domain.com for each subdomain. Ideally, I would like to see future acme.sh client remove the main domain requirement so can create SSL wildcard like traditional ones with just common name set to = *.domain.com

Edit: ooh just checked, new feature Support one wildcard domain only in a cert · Issue #1188 · Neilpang/acme.sh · GitHub

bassie · Jan 28, 2018

Nice to see your enthusiasm

Woah how did I miss this !
Click to expand...

bassie · Jan 29, 2018

@eva2000 already been able to obtain wildcard certificates?
Seems as the code to start is pushed to the Github branch. > support only one wildcard domain. · Neilpang/acme.sh@e6cda79 · GitHub

bassie · Feb 25, 2018

Ok. Support for wildcard certificates is set for the full launch: Tuesday, February 27. That is upcoming Tuesday. But. The reason I don't use Letsencrypt is in the bottom one.

Later in 2018 we plan to introduce ECDSA root and intermediate certificates. ECDSA is generally considered to be the future of digital signature algorithms on the Web due to the fact that it is more efficient than RSA. Let’s Encrypt will currently sign ECDSA keys from subscribers, but we sign with the RSA key from one of our intermediate certificates. Once we have an ECDSA root and intermediates, our subscribers will be able to deploy certificate chains which are entirely ECDSA.
Click to expand...

eva2000 · Feb 25, 2018

Good news though yeah a full complete ECDSA certificate chain is the only thing missing

bassie · Feb 25, 2018

eva2000 said: ↑

though yeah a full complete ECDSA certificate chain is the only thing missing
Click to expand...

Exactly.
Letsencrypt - ECDSA is more important and more important for several facets than
Wildcard SSL Certificates. As you already can obtain SSL Certificates for all the sub domains that you want.

That is why I honestly do not understand that wildcards have been given more priority. Then a full complete ECDSA certificate chain

eva2000 · Feb 25, 2018

well progress and perfection take time

bassie · Mar 2, 2018

As ACMEv2 and Wildcard Launch is delayed.
Can someone confirm that the public test API endpoint is still up and running?
Want a wildcard cert for a test project.

Log in / Register

Forums

Discover Centmin Mod today

Letsencrypt Letsencrypt Offering Wildcard SSL Certificates Jan 2018 !

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

bassie Active Member

pamamolf Well-Known Member

bassie Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

bassie Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

bassie Active Member

eva2000 Administrator Staff Member

bassie Active Member

bassie Active Member

bassie Active Member

eva2000 Administrator Staff Member

bassie Active Member

eva2000 Administrator Staff Member

bassie Active Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

Letsencrypt Letsencrypt Offering Wildcard SSL Certificates Jan 2018 !

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

bassie Active Member

pamamolf Well-Known Member

bassie Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

bassie Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

bassie Active Member

eva2000 Administrator Staff Member

bassie Active Member

bassie Active Member

bassie Active Member

eva2000 Administrator Staff Member

bassie Active Member

eva2000 Administrator Staff Member

bassie Active Member

.