A wildcard in the certificate world is not the same thing as a wildcard in the DNS world.

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

1. Wildcard certificates

The mistake is trying to use what is a server certificate as if it were a domain certificate.

Let us consider what it would take to treat a wildcard certificate the same way as a DNS wildcard.

The V2 API supports issuing wildcard certificates. 

To request a wildcard certificate simply send a wildcard DNS identifier in the newOrder request.

Under Let’s Encrypt’s policy, wildcard identifiers must be validated by a DNS-01 challenge, 
so order authorizations corresponding to wildcard identifiers will only offer a DNS-01 challenge.

DNS names in certificates may only have a single wildcard character, 
and it must be the entire leftmost DNS label, for instance “*.example.com”. 

A single certificate can have wildcard DNS names for multiple base domains, 
and can also mix in non-wildcard names.

Orders that contain both a base domain and its wildcard equivalent 
(e.g. *.example.com and example.com) are valid.

In that case, there will be two authorization objects in the order for “example.com”,
one of which represents the wildcard validation and one of which represents the base domain validation.

Redundant entries will produce an error.
For instance, an order containing both *.example.com and www.example.com would
produce an error since the wildcard entry makes the latter redundant.
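The rules quoted above, applied in code as an added example (this is not code from the Let's Encrypt post or from any ACME client): it checks a candidate newOrder identifier list for malformed wildcards and redundant names, and contrasts certificate-style matching (a wildcard stands for exactly one label) with a simplified DNS-style wildcard (one or more labels, closest-encloser rules omitted). Function names and the sample identifier lists are assumptions constructed for this example.

```python
# Added example; not part of the Let's Encrypt announcement or of any ACME client.

def is_valid_wildcard_name(name: str) -> bool:
    """At most one '*', and it must be the entire leftmost label (e.g. '*.example.com')."""
    if "*" not in name:
        return True
    labels = name.split(".")
    return name.count("*") == 1 and labels[0] == "*" and len(labels) >= 2

def cert_wildcard_matches(pattern: str, host: str) -> bool:
    """Certificate semantics: '*' covers exactly one label and never the base name."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]             # the part the '*' would stand for
    return prefix != "" and "." not in prefix

def dns_wildcard_matches(pattern: str, host: str) -> bool:
    """Simplified DNS semantics (RFC 4592): '*' covers one or more labels, still not the base name."""
    suffix = pattern[1:]
    return host.endswith(suffix) and host[: -len(suffix)] != ""

def check_order(names: list[str]) -> list[str]:
    """Return the problems Let's Encrypt's rules would raise for this identifier set (empty = OK)."""
    errors = []
    for n in names:
        if not is_valid_wildcard_name(n):
            errors.append(f"bad wildcard identifier: {n}")
    wildcards = [n for n in names if n.startswith("*.")]
    for n in names:
        for w in wildcards:
            # The base name (example.com) is NOT covered by *.example.com, so it is allowed alongside it.
            if n != w and cert_wildcard_matches(w, n):
                errors.append(f"redundant: {n} is covered by {w}")
    return errors

if __name__ == "__main__":
    # Constructed sample orders mirroring the cases in the text.
    print(check_order(["*.example.com", "example.com"]))      # [] -> valid
    print(check_order(["*.example.com", "www.example.com"]))  # redundant
    print(check_order(["foo.*.example.com", "*.*.example.com"]))  # malformed
    print(cert_wildcard_matches("*.example.com", "a.b.example.com"),  # False
          dns_wildcard_matches("*.example.com", "a.b.example.com"))   # True
```

The last two lines are the page's whole point in miniature: the same `*.example.com` string covers `a.b.example.com` under DNS rules but not in a certificate.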

The idea of issuing a certificate for a domain name is probably the root of the conflict (contradiction) with DNS. -- ToshinoriMaeno 2022-02-17 23:19:07

Client Compatibility

This is a non-backward-compatible version of the API,
so ACME v1 clients will not work with the ACME v2 endpoint without explicit support.
Existing clients will need code changes and new releases in order to support ACME v2.

We are maintaining a list of clients that have added ACME v2 support
on our client options documentation page.

Certbot has ACME v2 support since Version 0.22.0. 
This version may not yet be available depending on how you install Certbot and your system’s software update mechanism.

Please submit a Website pull-request to update the “ACME v2 Compatible Clients” section of the Client Options documentation if you add support to your ACME client!

MoinQ: Letsencrypt/WildCardCertificate/DNS_wildcard (last edited 2022-02-18 04:29:32 by ToshinoriMaeno)