
SSL Letsencrypt Wildcard Cert Issue, Renew, and Best Practices

Discussion in 'Domains, DNS, Email & SSL Certificates' started by jcstudio, Feb 10, 2024.

  1. jcstudio

    jcstudio New Member

    I've been trying to find the best practices around setting up and renewing Wildcard SSL certs via acme.sh but I'm not finding a clear explanation on how that can be done from within the framework (#2, #22, etc.). I was wondering if asking for *.newdomain.com from the cli using nv or #2 or #22 would be sufficient to issue a Wildcard cert that you can point other vhosts to later?

    The issue that I'm seeing is that we will have www., ftp., mail., sftp., phpmyadmin., etc., and issuing a different cert for each subdomain isn't supported "in the box". I thought it could be supported with a script that allows people to define their domain and all of their subdomains, which would give Letsencrypt the info needed to issue a SAN multi-domain cert or a Wildcard. Either way, it needs to be automatically renewed, and how you use it should be laid out so we'll know how to point nginx vhosts to it and other applications that need it, like email servers, sftp servers, etc.


    If this is all explained somewhere please share the link but I couldn't find it hence the post. Thank you!
     
  2. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod's native centmin.sh menu options 2, 22, nv commands or addons/acmetool.sh for Nginx vhost setup or Wordpress install, as outlined at Letsencrypt Free SSL Certificates, only issue free Letsencrypt SSL certificates on a per-hostname basis instead of a single wildcard, for easier automation.

    One reason why I went with per-hostname issuance is that Letsencrypt requires wildcard SSL certificates to use DNS TXT record domain validation and not the usual, easier domain control validation (DCV) via domain.com/.well-known/*, which I can automate.

    So the average Centmin Mod user isn't going to be in a position to do domain DNS API validation via Centmin Mod's addons/acmetool.sh, which uses the acme.sh client and is what all centmin.sh menu option 2, 22 and nv commands use for Letsencrypt. I do have test scripts in development for a separate Letsencrypt SSL wildcard mode (mainly for Cloudflare DNS API setups) for Nginx vhost creation. But as they all require DNS API domain validation, it isn't something I have been prepared to release unless I am willing to hand-hold each user for free and guide them through possibly hundreds of DNS providers' API configurations to automate Letsencrypt SSL wildcard issuance :)

    Technically, Centmin Mod can manually do SSL wildcards and DNS API validation (supported via Cloudflare DNS and optionally via a few hidden settings for other domain DNS providers). Centmin Mod officially only supports the Cloudflare DNS API for per-hostname validations (Letsencrypt Free SSL Certificates). But if you know how to do it manually via the underlying acme.sh used by Centmin Mod with other domain DNS providers' respective API configurations, you can technically do it for any acme.sh supported DNS provider outlined at dnsapi - 159 DNS providers currently listed. Here's a manual example of creating a Centmin Mod Nginx vhost with a Letsencrypt SSL Wildcard certificate using the Cloudflare DNS API and manually setting up Nginx vhost changes at centmin mod wildcard letsencrypt ssl cert with cloudflare token based api. No free support is provided by me, so you'd be on your own, or you can hire me for $$$ :)

    The closest you can come to multi-hostname Letsencrypt SSL certificates is via the /usr/local/src/centminmod/addons/acmetool.sh command line method outlined in the thread at https://community.centminmod.com/th...ing-thread-for-centmin-mod-123-09beta01.8290/ - specifically for SAN Multi-Domain SSL Certificates, which would require you to know beforehand all the hostnames you want covered by the auto-issued Letsencrypt SSL certificate.
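As an added example (not Centmin Mod's or acme.sh's own code), the manual acme.sh wildcard path described in the post above, plus a check of which hostnames a wildcard actually covers, since `*.example.com` covers neither the apex nor deeper subdomains. It assumes acme.sh is installed, `CF_Token` holds a Cloudflare API token scoped to Zone:DNS:Edit, and `/etc/ssl/wildcard` is a placeholder install path.

```shell
#!/bin/sh
# Added example, not part of Centmin Mod or acme.sh. Assumptions: acme.sh is
# installed, CF_Token is exported for the dns_cf hook, /etc/ssl/wildcard is a
# placeholder install path.

# acme.sh command for apex + wildcard via the DNS-01 challenge (Cloudflare hook).
# Wildcards cannot use the http-01 /.well-known/ check, so DNS API access is needed.
wildcard_issue_cmd() {
  printf '%s' "acme.sh --issue -d $1 -d '*.$1' --dns dns_cf --keylength ec-256"
}

# Copy the issued cert where nginx (or a mail/sftp daemon) reads it and reload
# on every renewal; acme.sh's cron job then renews automatically. --ecc is
# required because the cert was issued with an EC key.
wildcard_install_cmd() {
  printf '%s' "acme.sh --install-cert -d $1 --ecc --key-file /etc/ssl/wildcard/$1.key --fullchain-file /etc/ssl/wildcard/$1.crt --reloadcmd 'systemctl reload nginx'"
}

# Print the DNS names in a PEM certificate's subjectAltName, one per line
# (OpenSSL 1.1.1+ for the -ext flag).
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Does one certificate name cover a hostname? Per RFC 6125 a leading '*'
# matches exactly one label: *.example.com covers mail.example.com but not
# example.com (apex) or a.b.example.com (two levels deep).
name_covers() {
  pattern=$1; host=$2
  case $pattern in
    \*.*)
      case $host in *.*) ;; *) return 1 ;; esac      # host needs at least one dot
      [ -n "${host%%.*}" ] && [ "${host#*.}" = "${pattern#\*.}" ] && return 0
      return 1 ;;
    *)
      [ "$pattern" = "$host" ] && return 0
      return 1 ;;
  esac
}

# Is a hostname covered by any name in a space-separated SAN list? Subshell
# with set -f so '*.example.com' is not glob-expanded against the filesystem.
# Usage: cert_covers "$(cert_sans /etc/ssl/wildcard/example.com.crt | tr '\n' ' ')" mail.example.com
cert_covers() {
  (set -f; for name in $1; do name_covers "$name" "$2" && exit 0; done; exit 1)
}
```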

     
  3. eva2000

    eva2000 Administrator Staff Member

    The reason this hasn't come up for Centmin Mod is that it doesn't provide inbound SMTP mail servers, so a domain-validated SSL certificate for that isn't required on Centmin Mod either. Those functions/features would usually be handled by 3rd party @domain mail providers like Google Workspace, MXRoute, Microsoft 365, Zoho Mail etc.