1. Letsencrypt/WildCardCertificate
ACME v2 Production Environment & Wildcards API Announcements
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 Uses /DNS_wildcard.
Warning: you need a proper understanding of wildcards in DNS. -- ToshinoriMaeno 2019-01-25 23:55:47
On the other hand, also confirm what a wildcard means in the world of certificates. https://en.wikipedia.org/wiki/Wildcard_certificate
- the wildcard only covers one level of subdomains (the asterisk doesn't match full stops)
https://searchsecurity.techtarget.com/definition/wildcard-certificate
https://tools.ietf.org/html/rfc2818#page-5
The wildcard may appear anywhere inside a label (aka "partial-wildcard")
- f*.domain.com is OK. It will match frog.domain.com
Do not allow wildcards in an international label.
Challenge types https://letsencrypt.org/ja/docs/challenge-types/
1.1. Wildcard support
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
ACME v2 and Wildcard Certificate Support is Live
Wildcard certificates are only available via ACMEv2.
Additionally, wildcard domains must be validated using the DNS-01 challenge type.
https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250
https://community.letsencrypt.org/t/upgrading-to-use-wildcard-domains-existing-subdomains/57589
1.2. production environment
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
https://acme-v02.api.letsencrypt.org/directory
To request a wildcard certificate simply send a wildcard DNS identifier in the newOrder request.
DNS names in certificates may only have a single wildcard character, and it must be the entire leftmost DNS label, for instance “*.example.com”.
A single certificate can have wildcard DNS names for multiple base domains, and can also mix in non-wildcard names.
Orders that contain both a base domain and its wildcard equivalent (e.g. *.example.com and example.com) are valid. In that case, there will be two authorization objects in the order for “example.com”, one of which represents the wildcard validation and one of which represents the base domain validation.
(So are they obtained separately?)
Redundant entries will produce an error. For instance, an order containing both *.example.com and www.example.com would produce an error since the wildcard entry makes the latter redundant.
Let's Encrypt Wildcard Certificates Are Here
- Ole Michaelis — 09 January 2019
https://blog.dnsimple.com/2019/01/lets-encrypt-wildcard-support-is-here/
1.3. Example
-d \*.example.com -d example.com
The required TXT record appears to be "_acme-challenge.example.com TXT xxxxx".
1.4. Wait time
"I added the DNS record in the admin panel of the service that manages the domain."
1.5. Mismatch with the DNS interpretation
There seem to be cases where the wildcard interpretation in certificates and the wildcard interpretation in DNS do not agree, which concerns me. -- ToshinoriMaeno 2019-01-26 00:10:08
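An added example, not from this page or from Let's Encrypt: the certificate matching rules quoted above (one label per "*", partial wildcards allowed per RFC 2818) beside a simplified DNS wildcard lookup per RFC 4592, so the mismatch noted in 1.5 can be checked directly; it also reuses the certificate matcher for the redundant-order rule from 1.2. All hostnames and zone contents are constructed.

```python
from typing import Iterable


def cert_wildcard_matches(pattern: str, hostname: str) -> bool:
    """Certificate rule (RFC 2818 / RFC 6125): '*' stands for part of ONE label,
    never a '.', so '*.example.com' covers www.example.com but not
    a.b.example.com or example.com; 'f*.domain.com' covers frog.domain.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # the wildcard cannot absorb extra labels
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
        else:
            head, _, tail = p.partition("*")
            if not (h.startswith(head) and h.endswith(tail)
                    and len(h) >= len(head) + len(tail)):
                return False
    return True


def dns_wildcard_matches(pattern: str, hostname: str, existing: Iterable[str]) -> bool:
    """DNS rule (RFC 4592, simplified): '*.example.com' covers names one OR MORE
    labels below example.com, but only when neither the queried name nor any
    closer ancestor exists in the zone (existing = constructed zone names)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parent = pattern[2:]
    if hostname == parent or not hostname.endswith("." + parent):
        return False
    names = set()  # existing names plus their ancestors (empty non-terminals count)
    for n in existing:
        n = n.lower().rstrip(".")
        while n != parent and n.endswith("." + parent):
            names.add(n)
            n = n.split(".", 1)[1]
    labels = hostname[: -len(parent) - 1].split(".")
    return not any(".".join(labels[i:]) + "." + parent in names for i in range(len(labels)))


def acme_order_is_redundant(identifiers: Iterable[str]) -> bool:
    """Let's Encrypt rejects an order where a wildcard already covers another
    name in it (*.example.com + www.example.com); *.example.com + example.com is fine."""
    ids = list(identifiers)
    wild = [i for i in ids if i.startswith("*.")]
    plain = [i for i in ids if not i.startswith("*.")]
    return any(cert_wildcard_matches(w, p) for w in wild for p in plain)
```

Compare `cert_wildcard_matches("*.example.com", "a.b.example.com")` (False) with `dns_wildcard_matches("*.example.com", "a.b.example.com", [])` (True) to see the divergence the section above worries about.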