all messages for Guix-related lists mirrored at yhetil.org
* certbot-service wildcard support
@ 2018-08-04  7:59 Nils Gillmann
  2018-08-04  9:34 ` Clément Lassieur
  0 siblings, 1 reply; 6+ messages in thread
From: Nils Gillmann @ 2018-08-04  7:59 UTC (permalink / raw)
  To: guix-devel

Hi,

recently letsencrypt added support for wildcard certificates.

Since we concluded that it would be a good idea for Taler to
just use that instead of roughly 30 - 40 subdomain certificates:

Does our certbot-service support the wildcard functionality?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: certbot-service wildcard support
  2018-08-04  7:59 certbot-service wildcard support Nils Gillmann
@ 2018-08-04  9:34 ` Clément Lassieur
  2018-08-04  9:47   ` Nils Gillmann
  0 siblings, 1 reply; 6+ messages in thread
From: Clément Lassieur @ 2018-08-04  9:34 UTC (permalink / raw)
  To: Nils Gillmann; +Cc: guix-devel

Nils Gillmann <ng0@n0.is> writes:

> Hi,
>
> recently letsencrypt added support for wildcard certificates.
>
> Since we concluded that it would be a good idea for Taler to
> just use that instead of roughly 30 - 40 subdomain certificates:
>
> Does our certbot-service support the wildcard functionality?

It doesn't, because it doesn't support DNS challenges.

I tried to add support for DNS challenges, but I stopped because my DNS
provider (Namecheap) doesn't have an API to update DNS records.  (Well,
it does, but the API has access to everything and I can't afford the
security risk.)

The problem with DNS challenges is that there is no universal way to
update the records.  It depends very much on the provider (unless you
host your DNS zone).

I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
on this.

Clément

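As an added example (not code from this thread or from the Guix certbot service), this is the check a DNS-01 hook would run before asking the CA to validate: derive the expected TXT value for `_acme-challenge.taler.net` from the ACME challenge token and the account key's JWK thumbprint, as specified in RFC 8555 section 8.4 and RFC 7638, and compare it with what the zone actually serves. The account key, the token and the zone contents are constructed placeholders, not real values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, serialised as
    compact JSON with the member names in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 §8.4: the TXT record holds base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' thumbprint(accountKey)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(identifier: str) -> str:
    """A wildcard identifier validates at the base name's _acme-challenge label."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def record_is_ready(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """True if the zone serves the TXT value this order's token requires.
    `zone` maps owner names to lists of TXT strings (a constructed stand-in
    for a live DNS lookup)."""
    return dns01_txt_value(token, jwk) in zone.get(challenge_name(identifier), [])


# Constructed sample account key (EC P-256 public JWK with made-up coordinates)
# and a constructed challenge token; none of these are real values.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-token-from-acme-order"


def sample_zone(token: str) -> dict:
    """Constructed zone with one TXT record at _acme-challenge.taler.net."""
    return {"_acme-challenge.taler.net.": [dns01_txt_value(token, SAMPLE_JWK)]}
```

Because the token is issued per order, the check fails against a record left over from an earlier issuance; the same comparison applies unchanged to a zone that carries several TXT strings at that name.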

* Re: certbot-service wildcard support
  2018-08-04  9:34 ` Clément Lassieur
@ 2018-08-04  9:47   ` Nils Gillmann
  2018-08-04  9:56     ` Clément Lassieur
  0 siblings, 1 reply; 6+ messages in thread
From: Nils Gillmann @ 2018-08-04  9:47 UTC (permalink / raw)
  To: Clément Lassieur; +Cc: guix-devel, Nils Gillmann

Clément Lassieur transcribed 847 bytes:
> Nils Gillmann <ng0@n0.is> writes:
> 
> > Hi,
> >
> > recently letsencrypt added support for wildcard certificates.
> >
> > Since we concluded that it would be a good idea for Taler to
> > just use that instead of roughly 30 - 40 subdomain certificates:
> >
> > Does our certbot-service support the wildcard functionality?
> 
> It doesn't, because it doesn't support DNS challenges.
> 
> I tried to add support for DNS challenges, but I stopped because my DNS
> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
> it does, but the API has access to everything and I can't afford the
> security risk.)
> 
> The problem with DNS challenges is that there is no universal way to
> update the records.  It depends very much on the provider (unless you
> host your DNS zone).

How is that related? Or am I using certbot on Debian wrong? I simply added
an entry manually. I don't even want a service to mess around with DNS, at
least not unless it is required, which in my experience it is not. You can
add the entry manually, which is what we'd have done for taler.

> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
> on this.

If you can tell me more about this, and why you think that software is
required for this, then it would be my responsibility to work on this.

> Clément

Thanks


* Re: certbot-service wildcard support
  2018-08-04  9:47   ` Nils Gillmann
@ 2018-08-04  9:56     ` Clément Lassieur
  2018-08-04 10:08       ` Nils Gillmann
  0 siblings, 1 reply; 6+ messages in thread
From: Clément Lassieur @ 2018-08-04  9:56 UTC (permalink / raw)
  To: Nils Gillmann; +Cc: guix-devel

Nils Gillmann <ng0@n0.is> writes:

> Clément Lassieur transcribed 847 bytes:
>> Nils Gillmann <ng0@n0.is> writes:
>> 
>> > Hi,
>> >
>> > recently letsencrypt added support for wildcard certificates.
>> >
>> > Since we concluded that it would be a good idea for Taler to
>> > just use that instead of roughly 30 - 40 subdomain certificates:
>> >
>> > Does our certbot-service support the wildcard functionality?
>> 
>> It doesn't, because it doesn't support DNS challenges.
>> 
>> I tried to add support for DNS challenges, but I stopped because my DNS
>> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
>> it does, but the API has access to everything and I can't afford the
>> security risk.)
>> 
>> The problem with DNS challenges is that there is no universal way to
>> update the records.  It depends very much on the provider (unless you
>> host your DNS zone).
>
> How is that related? Or am I using certbot on Debian wrong? I simply added
> an entry manually. I don't even want a service to mess around with DNS, at
> least not unless it is required, which in my experience it is not. You can
> add the entry manually, which is what we'd have done for taler.

Oh.  I thought it had to be updated every three months, which is why I
wanted to automate it.  But if it has to be updated only once, then it's
not a problem.

>> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
>> on this.
>
> If you can tell me more about this, and why you think that software is
> required for this, then it would be my responsibility to work on this.

It's just a tool that automates DNS records updating, but you won't need
it if the DNS record used by Certbot only needs to be updated once.


* Re: certbot-service wildcard support
  2018-08-04  9:56     ` Clément Lassieur
@ 2018-08-04 10:08       ` Nils Gillmann
  2018-08-04 10:17         ` Clément Lassieur
  0 siblings, 1 reply; 6+ messages in thread
From: Nils Gillmann @ 2018-08-04 10:08 UTC (permalink / raw)
  To: Clément Lassieur; +Cc: guix-devel, Nils Gillmann

Clément Lassieur transcribed 1.7K bytes:
> Nils Gillmann <ng0@n0.is> writes:
> 
> > Clément Lassieur transcribed 847 bytes:
> >> Nils Gillmann <ng0@n0.is> writes:
> >> 
> >> > Hi,
> >> >
> >> > recently letsencrypt added support for wildcard certificates.
> >> >
> >> > Since we concluded that it would be a good idea for Taler to
> >> > just use that instead of roughly 30 - 40 subdomain certificates:
> >> >
> >> > Does our certbot-service support the wildcard functionality?
> >> 
> >> It doesn't, because it doesn't support DNS challenges.
> >> 
> >> I tried to add support for DNS challenges, but I stopped because my DNS
> >> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
> >> it does, but the API has access to everything and I can't afford the
> >> security risk.)
> >> 
> >> The problem with DNS challenges is that there is no universal way to
> >> update the records.  It depends very much on the provider (unless you
> >> host your DNS zone).
> >
> > How is that related? Or am I using certbot on Debian wrong? I simply added
> > an entry manually. I don't even want a service to mess around with DNS, at
> > least not unless it is required, which in my experience it is not. You can
> > add the entry manually, which is what we'd have done for taler.
> 
> Oh.  I thought it had to be updated every three months, which is why I
> wanted to automate it.  But if it has to be updated only once, then it's
> not a problem.

The DNS entry is added once and that's it, at least from memory, and from my
experience none of my certs have cried for help so far.

> >> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
> >> on this.
> >
> > If you can tell me more about this, and why you think that software is
> > required for this, then it would be my responsibility to work on this.
> 
> It's just a tool that automates DNS records updating, but you won't need
> it if the DNS record used by Certbot only needs to be updated once.

Okay. So basically it could work as-is, or is there some programming work
to be done to support entries like "*.taler.net"?

Thanks


* Re: certbot-service wildcard support
  2018-08-04 10:08       ` Nils Gillmann
@ 2018-08-04 10:17         ` Clément Lassieur
  0 siblings, 0 replies; 6+ messages in thread
From: Clément Lassieur @ 2018-08-04 10:17 UTC (permalink / raw)
  To: Nils Gillmann; +Cc: guix-devel

Nils Gillmann <ng0@n0.is> writes:

>> It's just a tool that automates DNS records updating, but you won't need
>> it if the DNS record used by Certbot only needs to be updated once.
>
> Okay. So basically it could work as-is, or is there some programming work
> to be done to support entries like "*.taler.net"?

There is some work to do so that the --webroot option is not used
(instead another option should be used I guess) and the Nginx service is
not run.  I think entries like "*.taler.net" should be supported by the
service.

Thank you for working on it :-)  I'd love to use the wildcard
certificate.

