Let's encrypt for subdomain wildcard
Hi, I need to have SSL certificate covering all subdomains. Usually should work "*.domain.name". But when I try it, I got "DomainName must be valid FQDN domain" error. Can you help me?
40 Replies
Sadly this is one of the things in our TODO list.
We currently support automatic Let's Encrypt certs, but not with wildcards, since that uses different authentication method.
As a workaround, we do support CloudFlare proxy in front of Zerops, so you could direct
*.some.tld to your IPv4 in Zerops and CloudFlare should handle the wildcard certificate (you will have to set CF SSL/TLS to Full but not Full (Strict)).OK, going to solve it this way. Thank you for helping me!
So I need my own IPv4, right?
Yes, I am not sure if it can be done with shared IPv4 and IPv6, since you would not have a fixed hostname for Zerops to recognize.
To be fair, even my suggestion might not 100% work 🤔
@Jan Saidl can a person have a single app handle all HTTP traffic from all domains (basically CF sends any request to it's IP address with Host header that isn't registered in Zerops)? I think it could be possible through custom Nginx service, but now am not 100% sure about our L3.
Now I'm scared 😁
It won't be a huge amount of traffic but it can be really any subdomain,
Thing is, we have balancer (more an entry point for traffic from internet) for your project which might block the requests if the host header isn't one of the domains you listed.
It's a valid feature, to prevent DoS of your services, but it could also block my suggestion.
We want to support wildcard domains with certs, but I am not sure if we did make CF proxy version work, or didn't have time to do so yet.
Understand. It makes sense, but I need to solve it asap. Sorry. Otherwise I have to bring back my own VPS. 🙈
Might I ask for the reason why it might be "any" domain? Are you using, e.g. a domain per client?
It would help us know our clients needs.
Of course. It's very easy. Do you know bluesky? I need to verify community handles.
Every handle means subdomain. And without SSL, every request gets 404 🤷🏼♂️
I wanted to move to Zerops. So I chose such an easy project to try it 🤣 Who could know it's a bad one 😁
Bad luck 🤷🏼♂️
Yeah that is a very unfortunate way how BlueSky handles the handles :whelp:
I guess we should try to check if there is some easier way to add
DNS-01 challenge to support wildcard certificates. @BackendOkay, I have a solution. I'll stay here, cause it's ready to deploy and going to start o docker on some machine that will do the "checking" part on a wildcard. That's actually very easy.
Thank you Michale 🤗 Dobrou
Hi, unfortunately our L7 HTTP balancer does not currently support wildcard domains and their routing to the backend. I think we need some new features:
1. custom certificarte
2. wildcard domain routing
3. support DNS-01 challenge
Could be a solution if Zerops provides us one way of dynamically create/manage a whitelist of allowed subdomains (through a REST API accessible only within the project network maybe?)
I'm thinking of creating this feature in my project too where users could create their own subdomains like username1.mydomain.com inside their user panel.
I don't know if that's the best solution but it's an idea.
you could already write a wrapper around the standard Zerops REST API which updates domains (so your API would be in charge of the whitelisting), but the problem is that you also need to update DNS records, it's a clunky solution
we've discussed our plans for 2025 today, we should start workign on http improvements which includes support for wildcard certs in february / march
Did you guys already start on it or have some kind of estimate if/when it will be available? I have a similar use case (blogging platform where each user gets a subdomain) and also need it 😅
I can of course programmatically add them to Zerops and Cloudflare as you described above, but as you said it's a bit clunky
it's one of the priorities, hopefully within two months
or rather within two months we want to push out bunch of big things this being one of them
Ok, I guess I will use the clunky solution in the meantime
I'll see if we can't move it in priority list, I've been wanting to add wildcard support for ages
looks like we found a decent solution, we'll get it done @Amos
Amazing
ok, we got it implemented, just need to properly test it so it doesn't break anything on production
You guys are doing an amazing job 😍
it's on code review now, hopefully we'll release it soon
@Amos @bravisek @Alexandre Paiva released
docs page in progress, some raw info - https://gist.github.com/jansaidl/d94fd84fc45f1ff6e3528e86e3ba03b4
Amazing, will test it later tonight 🤩
I can't seem to get it to work. If I add the wildcard domain to Zerops it then updates my main domain to say it's not pointing to the IP address, when it is (and it's still working fine). I've tried both options of adding
A (shared ip) and AAAA records for my subdomain, or adding the CNAME instead, and it both didn't work
Going to a subdomain that I had added before with the API it says "Invalid SSL certificate", for others that I didn't add it says "SSL handshake failed"
Here is the relevant stuff exported from Cloudflare:
Hi @Amos , you need to create a
CNAME record to authenticate with LetsEncrypt. Thanks to it we can then issue a wildcard certificate.
_acme-challenge.contentbase.blog CNAME contentbase.blog.zerops.zoneSorry forgot to paste that above, but I added that already
Maybe it being proxied is messing stuff up? Not sure
Try to disable proxy please
Still the same problem. I also tried removing the wildcard domain, then removing and re-adding my main domain and after it still says it's not pointing to the ip address
contentbase.blog is pointing wrong IPv6It's pointing to the one in the settings and it still works fine
try to remove
A records please🎉
I think the problem is that the proxy on the A record in combination with a shared IPv4 address does not work.
It works 😄 thanks for the help (especially considering it's a Sunday evening 😂) and implementing this in the first place
This is the right reward for implementing a new feature 🫡 Thanks
This. It's mentioned in our docs as well, if you want to use proxy for AAAA then you can't use A record with shared IPv4 at all.
https://docs.zerops.io/features/dns#ipv6-only (see the Note here)
@Michal Saloň is right. This was another possible solution. But I think it's better the way it is now.
Ah I think I read it before, which is why I initially didn't have it set up this way, but then the gist made it seem like it was required for the wildcard, so I ended up adding it. Anyways, good to know!