Let's Encrypt for subdomain wildcard
Hi, I need to have an SSL certificate covering all subdomains. Usually "*.domain.name" should work. But when I try it, I get a "DomainName must be valid FQDN domain" error. Can you help me?
Sadly this is one of the things on our TODO list.
We currently support automatic Let's Encrypt certs, but not with wildcards, since that uses a different authentication method.
As a workaround, we do support a CloudFlare proxy in front of Zerops, so you could direct "*.some.tld" to your IPv4 in Zerops and CloudFlare should handle the wildcard certificate (you will have to set CF SSL/TLS to Full, but not Full (Strict)).
OK, going to solve it this way. Thank you for helping me!
So I need my own IPv4, right?
Yes. I am not sure if it can be done with shared IPv4 and IPv6, since you would not have a fixed hostname for Zerops to recognize.
To be fair, even my suggestion might not 100% work 🤔
@Jan Saidl can a person have a single app handle all HTTP traffic from all domains (basically CF sends any request to its IP address with a Host header that isn't registered in Zerops)? I think it could be possible through a custom Nginx service, but now I am not 100% sure about our L3.
Now I'm scared 😁 It won't be a huge amount of traffic, but it can be really any subdomain.
Thing is, we have a balancer (more an entry point for traffic from the internet) for your project which might block the requests if the Host header isn't one of the domains you listed.
It's a valid feature, to prevent DoS of your services, but it could also block my suggestion.
We want to support wildcard domains with certs, but I am not sure if we made the CF proxy version work, or didn't have time to do so yet.
Understood. It makes sense, but I need to solve it ASAP. Sorry. Otherwise I have to bring back my own VPS. 🙈
Might I ask the reason why it might be "any" domain? Are you using, e.g., a domain per client?
It would help us know our clients' needs.
Of course. It's very easy. Do you know Bluesky? I need to verify community handles.
Every handle means a subdomain. And without SSL, every request gets a 404 🤷🏼‍♂️
I wanted to move to Zerops. So I chose such an easy project to try it 🤣 Who could know it's a bad one 😁
Bad luck 🤷🏼‍♂️
Yeah, that is a very unfortunate way for Bluesky to handle the handles :whelp:
I guess we should try to check if there is some easier way to add a DNS-01 challenge to support wildcard certificates. @Backend
Okay, I have a solution. I'll stay here, because it's ready to deploy, and I am going to start Docker on some machine that will do the "checking" part on a wildcard. That's actually very easy.
Thank you Michal 🤗 Good night
Hi, unfortunately our L7 HTTP balancer does not currently support wildcard domains or routing them to the backend. I think we need some new features:
1. custom certificates
2. wildcard domain routing
3. support for the DNS-01 challenge
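Added example, not part of the thread and not Zerops or Let's Encrypt code: the DNS-01 material an ACME client has to publish for a wildcard name, following RFC 8555 section 8.4 (key authorization and TXT value) and RFC 7638 (account key thumbprint). It shows two points the thread touches on: a wildcard identifier like "*.example.com" is not a valid FQDN for hostname validation (hence the error in the question), and its challenge is validated at the base name, so "example.com" and "*.example.com" both need TXT records at the same owner name `_acme-challenge.example.com`. The JWK, token strings and domain names below are constructed placeholders, not real keys or issued challenges.

```python
"""DNS-01 challenge records for wildcard certificates.

Added example: not Zerops, Let's Encrypt or certbot code. Implements only the
record-derivation step of RFC 8555 section 8.4; talking to the ACME server and
updating DNS are out of scope.
"""
import base64
import hashlib
import json
import re
from typing import Dict, List, Tuple

# One hostname label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed placeholder account key: "n" is NOT a real RSA modulus, it only
# exercises the thumbprint canonicalization (extra members must be ignored).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wlu",
              "alg": "RS256", "kid": "placeholder-key-id"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Optional members such as alg/kid are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def is_fqdn(name: str) -> bool:
    """Plain hostname check. '*' is not a legal label, so '*.example.com' fails
    here, which is the class of check behind a 'must be valid FQDN' error."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def base_domain(identifier: str) -> str:
    """Map an ACME dns identifier to the name that is actually validated.
    '*.example.com' is validated at 'example.com'; only a single leading
    wildcard label is allowed, anything else with '*' is rejected."""
    identifier = identifier.rstrip(".").lower()
    if identifier.startswith("*."):
        identifier = identifier[2:]
    if "*" in identifier or not is_fqdn(identifier):
        raise ValueError(f"not a valid ACME dns identifier: {identifier!r}")
    return identifier


def dns01_record(identifier: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """Return (TXT owner name, TXT value) for one authorization.
    value = base64url(SHA-256(token || '.' || thumbprint(accountKey)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return f"_acme-challenge.{base_domain(identifier)}", value


def dns01_records(authorizations: List[Tuple[str, str]],
                  account_jwk: dict) -> Dict[str, List[str]]:
    """Group TXT values by owner name. A certificate covering both
    'example.com' and '*.example.com' gets two authorizations whose records
    share the name _acme-challenge.example.com; both must be published at
    once, so a tool that overwrites a single TXT record will fail one of them."""
    records: Dict[str, List[str]] = {}
    for identifier, token in authorizations:
        name, value = dns01_record(identifier, token, account_jwk)
        records.setdefault(name, []).append(value)
    return records


if __name__ == "__main__":
    # Constructed tokens; a real server hands out one per authorization.
    pending = [("example.com", "token-for-apex-placeholder"),
               ("*.example.com", "token-for-wildcard-placeholder")]
    for owner, values in dns01_records(pending, SAMPLE_JWK).items():
        for v in values:
            print(f'{owner}. 60 IN TXT "{v}"')
```

The output is the zone data to publish before telling the server to validate; after issuance the records can be removed. Note that nothing in DNS-01 depends on the web origin, which is why a wildcard can be validated for a host whose HTTP traffic is fronted by a proxy that has never seen the subdomain.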