From: "Clément Lassieur" <clement@lassieur.org>
To: Nils Gillmann <ng0@n0.is>
Cc: guix-devel@gnu.org
Subject: Re: certbot-service wildcard support
Date: Sat, 04 Aug 2018 11:56:39 +0200
Message-ID: <87y3dmihew.fsf@lassieur.org>
In-Reply-To: <20180804094737.dfbdyxdg6jjtmll3@abyayala>

Nils Gillmann <ng0@n0.is> writes:

> Clément Lassieur transcribed 847 bytes:
>> Nils Gillmann <ng0@n0.is> writes:
>> 
>> > Hi,
>> >
>> > recently letsencrypt added support for wildcard certificates.
>> >
>> > Since we concluded that it would be a good idea for Taler to
>> > just use that instead of roughly 30 - 40 subdomain certificates:
>> >
>> > Does our certbot-service support the wildcard functionality?
>> 
>> It doesn't, because it doesn't support DNS challenges.
>> 
>> I tried to add support for DNS challenges, but I stopped because my DNS
>> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
>> it does, but the API has access to everything and I can't afford the
>> security risk.)
>> 
>> The problem with DNS challenges is that there is no universal way to
>> update the records.  It depends very much on the provider (unless you
>> host your DNS zone).
>
> How is that related? Or am I using certbot on Debian wrong? I simply added
> an entry manually. I don't even want a service to mess around with DNS, at
> least not unless it is required.
> Which in my experience it is not. You can add the entry manually, which is
> what we'd have done for taler.

Oh.  I thought it had to be updated every three months, which is why I
wanted to automate it.  But if it has to be updated only once, then it's
not a problem.

>> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
>> in this.
>
> If you can tell me more about this, and why you think that software is
> required for this, then it would be in my responsibility to work on this.

It's just a tool that automates DNS records updating, but you won't need
it if the DNS record used by Certbot only needs to be updated once.
