Zerops · 2mo ago
bravisek

Let's encrypt for subdomain wildcard

Hi, I need to have an SSL certificate covering all subdomains. Usually "*.domain.name" should work. But when I try it, I get the error "DomainName must be valid FQDN domain". Can you help me?
12 Replies
Michal Saloň · 2mo ago
Sadly this is one of the things on our TODO list. We currently support automatic Let's Encrypt certs, but not with wildcards, since that uses a different authentication method. As a workaround, we do support a CloudFlare proxy in front of Zerops, so you could direct *.some.tld to your IPv4 in Zerops and CloudFlare should handle the wildcard certificate (you will have to set CF SSL/TLS to Full, but not Full (Strict)).
bravisek (OP) · 2mo ago
OK, going to solve it this way. Thank you for helping me! So I need my own IPv4, right?
Michal Saloň · 2mo ago
Yes, I am not sure if it can be done with shared IPv4 and IPv6, since you would not have a fixed hostname for Zerops to recognize. To be fair, even my suggestion might not 100% work 🤔 @Jan Saidl can a person have a single app handle all HTTP traffic from all domains (basically CF sends any request to its IP address with a Host header that isn't registered in Zerops)? I think it could be possible through a custom Nginx service, but now I am not 100% sure about our L3.
bravisek (OP) · 2mo ago
Now I'm scared 😁 It won't be a huge amount of traffic, but it can be really any subdomain.
Michal Saloň · 2mo ago
The thing is, we have a balancer (more an entry point for traffic from the internet) for your project which might block the requests if the host header isn't one of the domains you listed. It's a valid feature, to prevent DoS of your services, but it could also block my suggestion. We want to support wildcard domains with certs, but I am not sure if we made the CF proxy version work, or didn't have time to do so yet.
bravisek (OP) · 2mo ago
Understood. It makes sense, but I need to solve it ASAP. Sorry. Otherwise I have to bring back my own VPS. 🙈
Michal Saloň · 2mo ago
Might I ask for the reason why it might be "any" domain? Are you using, e.g., a domain per client? It would help us to know our clients' needs.
bravisek (OP) · 2mo ago
Of course. It's very easy. Do you know Bluesky? I need to verify community handles. Every handle means a subdomain. And without SSL, every request gets a 404 🤷🏼‍♂️ I wanted to move to Zerops. So I chose such an easy project to try it 🤣 Who could know it's a bad one 😁 Bad luck 🤷🏼‍♂️
Michal Saloň · 2mo ago
Yeah, that is a very unfortunate way of how Bluesky handles the handles 😬 I guess we should try to check if there is some easier way to add the DNS-01 challenge to support wildcard certificates. @Backend
bravisek (OP) · 2mo ago
Okay, I have a solution. I'll stay here, because it's ready to deploy, and I'm going to start a docker container on some machine that will do the "checking" part on a wildcard. That's actually very easy. Thank you Michal 🤗 Good night
Jan Saidl · 2mo ago
Hi, unfortunately our L7 HTTP balancer does not currently support wildcard domains and their routing to the backend. I think we need some new features:
1. custom certificate
2. wildcard domain routing
3. support for the DNS-01 challenge
Alexandre Paiva
It could be a solution if Zerops provided us with a way of dynamically creating/managing a whitelist of allowed subdomains (through a REST API accessible only within the project network, maybe?). I'm thinking of creating this feature in my project too, where users could create their own subdomains like username1.mydomain.com inside their user panel. I don't know if that's the best solution, but it's an idea.
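The "checking" container bravisek describes, and the per-user subdomain allowlist Alexandre sketches, come down to one thing: a service that accepts requests for any <handle>.<base domain> on a single listener and decides from the Host header what to answer. Below is an added example of that service (not Zerops', Bluesky's or any poster's code). It serves the AT Protocol handle-verification path /.well-known/atproto-did, which Bluesky resolves over HTTPS and expects to return the account's DID as a plain-text body, and does its own host-header validation so that, unlike a balancer that only knows a fixed list of domains, it can still reject anything that is not exactly one well-formed label under the base domain. The base domain example.com, the in-memory handle registry and the DID values are constructed for the example; TLS with the wildcard certificate is assumed to be terminated in front of it (e.g. by the CloudFlare proxy or a reverse proxy holding a DNS-01-issued cert).

```python
# Added example: a minimal wildcard-subdomain "handle checker" behind a TLS-
# terminating proxy. Not Zerops' or the poster's code; names are assumptions.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

BASE_DOMAIN = "example.com"  # assumption: the zone covered by the wildcard cert

# Constructed sample registry: handle -> DID. A real service would read this from
# a database or the REST API that a user panel writes to when a handle is claimed.
HANDLES = {
    "alice.example.com": "did:plc:exampleaaaaaaaaaaaaaaaaa",
    "bob.example.com": "did:plc:examplebbbbbbbbbbbbbbbbb",
}

WELL_KNOWN_PATH = "/.well-known/atproto-did"
# One DNS label: lowercase letters, digits, hyphen; no leading/trailing hyphen;
# at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(host: str) -> str:
    """Lower-case the Host header, drop any :port suffix and a trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal can never be a handle
        return ""
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def is_handle_host(host: str, base: str = BASE_DOMAIN) -> bool:
    """True only for <single valid label>.<base>: rejects the bare base domain,
    nested labels (a.b.<base>), foreign domains and malformed labels."""
    suffix = "." + base
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and LABEL_RE.match(label) is not None


def resolve(host: str, path: str) -> tuple[int, str]:
    """Return (status, body) for a GET. The Host header is validated before
    anything else, so unregistered or malformed hosts never hit the registry."""
    h = normalize_host(host)
    if not is_handle_host(h):
        return 404, "unknown host"
    if path.split("?", 1)[0] != WELL_KNOWN_PATH:
        return 404, "not found"
    did = HANDLES.get(h)
    if did is None:
        return 404, "handle not registered"
    return 200, did  # the verifier expects the bare DID as the response body


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = resolve(self.headers.get("Host", ""), self.path)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Plain HTTP on 8080; the proxy in front terminates TLS for *.example.com.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Run it, point the wildcard record at the proxy, and `curl -H 'Host: alice.example.com' http://127.0.0.1:8080/.well-known/atproto-did` returns the DID; any other Host value, a nested subdomain or a different path gets a 404. Adding a handle is a registry write, which is exactly the "dynamic whitelist" Alexandre asks for, just kept inside the app instead of the balancer.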