Wildcard Let's Encrypt SSL Certificate?


#1

Anyone tried or succeeded creating a wildcard Let’s Encrypt SSL certificate for their domain? Any feedback from those who have tried or succeeded very welcome, thank you.

(I know DH don’t support wildcard Let’s Encrypt certs, but it is mandatory for our scenario, no workarounds possible.)


#3

DreamHost is in complete denial about the importance of supporting LE wildcards. Their suggested workarounds make my eyes roll. I have to completely bypass DreamHost. I’m using CloudFlare, Google Domains, and ngrok to expose my firewalled dev systems as a TLS public domain name.


#4

Thanks for the feedback. Sorry to hear you are in that position. It is limiting what we do too, to the point we may have to consider moving to a new host company. Which seems nonsensical - I have no idea why DH won’t support this even for private servers. It is something that even GoDaddy supports, a bargain-basement host company IMHO.

My “guess” is, for whatever reason, it would be quite a lot of work for DH to do. And so they have decided for now they aren’t going to bother till demand grows to such a degree that it becomes untenable to not provide it any longer. It would be nice if DH were transparent about this, but thus far they have not explained why on this forum, nor in my support requests. That’s disappointing - we moved to DH many years ago mainly because we understood we could do anything with a private server. This is the first real obstacle we’ve been unable to work around.


#5

Agreed that this is needed. DreamHost, here’s an easy way for you to test your implementation of it and provide a valuable service for your clients: use Let’s Encrypt to get a wildcard cert for “*.dreamhosters.com” (the domain you use for people to temporarily host sites on until they get access to the domain they want and can point its DNS to DH). Site developers can use subdomains of that domain to host any non-SSL site temporarily, but right now there’s no way to do SSL on it, because there is no wildcard certificate and/or the https:// versions of the subdomains don’t properly redirect.

So, implement it on “*.dreamhosters.com” first, and let some trusted users test it by hosting SSL-based sites on subdomains of it. When that works, then allow wildcard LE certificates system-wide for all domains.


#6

I’d think we have already crossed that line with regular demand here and people obviously leaving for lack of the feature. I use WordPress and have been hesitant to create a multisite setup with subdomains specifically because I’m not sure about the whole LE wildcard thing. To be clear, I want to spin up a larger server and pay DH more money but I’m under the impression that they don’t want us to do that.

I’m using registrar GoDaddy, with nameservers NS1/2/3.dreamhost, pointing to DreamCompute instances.
I’m wondering …:

  1. if we can use an alternate DNS to point to our DreamCompute static IPs, and thus update this other DNS for a wildcard cert.
    or
  2. if we can cascade name servers, where in my case GoDaddy goes to my.ns.foo which has the cert TXT record, but then forwards to the DH nameservers for resolution of the final IP address?
  3. if DreamCompute is bound by the same issues as shared space in this regard?

#7

I just hope DH are looking into doing this in the background, even if they can’t say anything at the moment. Their silence on the topic is not encouraging though.

And I hope you get the answers you need to your questions. Good luck with it all, Starbuck.


#8

Now that I think about it, DreamCompute is completely unrelated to the DreamHost nameservers. I create servers and then create the DNS records afterward, or not at all. I’m confident that we can create records for our DreamCompute instances on any nameserver, and thus get our LE wildcard certs.

I’m going to try this soon. As I said, I have my GoDaddy registrar pointing to the NS1/2/3 servers at DH, which then provides records for resolution to my DC instance IPs. I’m going to use the GoDaddy nameservers, create the CNAME, MX, TXTs, and other records there, and then apply an LE wildcard cert.

I didn’t think about this earlier because I just point from GoDaddy to DH DNS out of habit.

I don’t know if this will work for DH VPS, certainly not for shared hosting, where we must have the DH DNS resolving their internal IPs.

More later…
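The two questions running through #6 and #8 (does it matter which nameserver answers, and can the challenge record live somewhere other than the zone that holds the A records?) come down to what the DNS-01 validator actually looks up. The script below is an added example, not code from this thread or from DreamHost, that reproduces that lookup per RFC 8555 section 8.4 against a constructed in-memory zone: the token, the JWK and the zone records are all made up for the demonstration, and the resolver is a dictionary standing in for real DNS so it runs offline. Two points it makes concrete: a wildcard `*.example.com` is validated at `_acme-challenge.example.com` (the base name), and Let's Encrypt follows CNAME records on that name, so the TXT record can be served by a completely different zone than the one resolving the host addresses.

```python
"""Offline model of an ACME DNS-01 check for a wildcard name (added example).

Assumptions: TOKEN and JWK are constructed sample values (the JWK is not a
real key); the ZONE_* dicts are constructed stand-ins for DNS answers.
"""
import base64
import hashlib
import json


def b64url(data):
    # ACME uses unpadded base64url everywhere (RFC 8555 / RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    # RFC 7638: SHA-256 over the required public members, lexically sorted, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def expected_txt_value(token, jwk):
    # RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint))
    key_authorization = "{}.{}".format(token, jwk_thumbprint(jwk))
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier):
    # The wildcard label is stripped: "*.example.com" is checked at the base name
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def resolve_txt(zone, name, max_cname_hops=8):
    # Follow a CNAME chain the way a validating resolver does, then return TXT strings.
    # zone maps a lowercase owner name to a single record dict (constructed model).
    for _ in range(max_cname_hops):
        record = zone.get(name.lower())
        if record is None:
            return []
        if record["type"] == "CNAME":
            name = record["target"]
            continue
        return list(record["values"])
    raise RuntimeError("CNAME chain too long for " + name)


def validate_dns01(zone, identifier, token, jwk):
    """True if some TXT string at the challenge name equals the expected value."""
    return expected_txt_value(token, jwk) in resolve_txt(zone, challenge_name(identifier))


# --- constructed sample data -------------------------------------------------
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCtgNqKGtw"          # sample token, not from a real order
JWK = {"kty": "EC", "crv": "P-256",                           # sample public JWK, not a real key
       "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
       "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
TXT = expected_txt_value(TOKEN, JWK)

# Case 1: TXT published directly in the zone that also holds the A records.
ZONE_DIRECT = {
    "example.com": {"type": "A", "values": ["192.0.2.10"]},
    "_acme-challenge.example.com": {"type": "TXT", "values": [TXT]},
}

# Case 2: the challenge name is a CNAME into a separate zone (the "cascade"
# asked about in #6); the A records stay where they are.
ZONE_DELEGATED = {
    "example.com": {"type": "A", "values": ["192.0.2.10"]},
    "_acme-challenge.example.com": {"type": "CNAME", "target": "example-com.acme.ns-foo.example"},
    "example-com.acme.ns-foo.example": {"type": "TXT", "values": [TXT]},
}

# Case 3: common mistake, TXT placed under a subdomain instead of the base name.
ZONE_WRONG_NAME = {
    "_acme-challenge.www.example.com": {"type": "TXT", "values": [TXT]},
}


if __name__ == "__main__":
    print("challenge owner name:", challenge_name("*.example.com"))
    print("expected TXT value:  ", TXT)
    for label, zone in (("direct", ZONE_DIRECT), ("delegated", ZONE_DELEGATED), ("wrong name", ZONE_WRONG_NAME)):
        print("{:>10}: {}".format(label, validate_dns01(zone, "*.example.com", TOKEN, JWK)))
```

Before requesting the real certificate, the same two facts are what to confirm against live DNS: `dig TXT _acme-challenge.example.com` must return the value your ACME client printed, from whichever nameservers are authoritative for that name, and if you delegate with a CNAME the target zone must be one you can write to during renewal, since the token changes every time.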


#9

Best of luck, Starbuck. Please do leave your findings here, thank you.

