Let's Encrypt started issuing wildcard certificates

Let's Encrypt has crossed an important milestone: since March 14, everyone can get a free SSL/TLS certificate of the form *.example.com. An example of an installed certificate:

https://subdomain.baur.im https://any-text.baur.im

Yesterday, Let's Encrypt officially announced the launch of ACMEv2 (Automated Certificate Management Environment), which finally allows you to get a wildcard certificate. It was originally planned to begin issuing them in January, but the launch was postponed due to problems that were discovered.

At present, a wildcard certificate can be obtained only through the DNS challenge, where you need to temporarily create a TXT record of the form _acme-challenge.example.com with a specific value.

The official Certbot client and some other clients for automatic certificate renewal already support staging ACMEv2; support for the production version is coming. There are already several special Certbot plugins for passing the DNS challenge automatically. Of course, there will soon be more, including for third-party clients.

As a simple example, I manually obtained a certificate for a domain I own, baur.im, through the browser client https://www.sslforfree.com. If I want to use the same certificate for both the sub-domains and the domain itself, then this must be specified explicitly: baur.im *.baur.im


Next, you are asked to pass two DNS challenges.


Add both requested TXT records to the _acme-challenge.baur.im sub-domain.

After that you can download the certificate, which is valid for 3 months.


Now these TXT records can be deleted. In this example, for any sub-domain, nginx returns a static HTML page: https://habrahabr.baur.im/.

Will you use a wildcard from Let's Encrypt?

  • 68.8% Definitely yes (898)
  • 28.0% Maybe, not sure (366)
  • 1.1% No, it's better to buy as before (14)
  • 2.1% We don't need a wildcard (28)