= Letsencrypt/WildCardCertificate =

[[/*.qmail.jp]] [[/_acme-challenge]]

ACME v2 Production Environment & Wildcards (API Announcements)
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

This uses [[/DNS_wildcard]].

Warning: you need a proper understanding of what a wildcard means in DNS. -- ToshinoriMaeno

At the same time, also confirm what a wildcard means in the certificate world.
https://en.wikipedia.org/wiki/Wildcard_certificate
 * the wildcard only covers one level of subdomains (the asterisk doesn't match full stops)

https://searchsecurity.techtarget.com/definition/wildcard-certificate
https://tools.ietf.org/html/rfc2818#page-5
 * The wildcard may appear anywhere inside a label (aka "partial-wildcard")
 * f*.domain.com is OK. It will match frog.domain.com
 * Do not allow wildcards in an international label.

Challenge types
https://letsencrypt.org/ja/docs/challenge-types/

== Wildcard support ==
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
{{{
ACME v2 and Wildcard Certificate Support is Live
}}}
Wildcard certificates are only available via ACMEv2. Additionally, wildcard domains must be validated using the DNS-01 challenge type.

https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250
https://community.letsencrypt.org/t/upgrading-to-use-wildcard-domains-existing-subdomains/57589

== production environment ==
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
https://acme-v02.api.letsencrypt.org/directory

To request a wildcard certificate simply send a wildcard DNS identifier in the newOrder request. DNS names in certificates may only have a single wildcard character, and it must be the entire leftmost DNS label, for instance “*.example.com”. A single certificate can have wildcard DNS names for multiple base domains, and can also mix in non-wildcard names.

Orders that contain both a base domain and its wildcard equivalent (e.g. *.example.com and example.com) are valid. In that case, there will be two authorization objects in the order for “example.com”, one of which represents the wildcard validation and one of which represents the base domain validation.

(So they end up being obtained separately?)

Redundant entries will produce an error. For instance, an order containing both *.example.com and www.example.com would produce an error since the wildcard entry makes the latter redundant.

Let's Encrypt Wildcard Certificates Are Here (DNSimple), Ole Michaelis, 09 January 2019
https://blog.dnsimple.com/2019/01/lets-encrypt-wildcard-support-is-here/

https://itnext.io/using-wildcard-certificates-with-cert-manager-in-kubernetes-and-replicating-across-all-namespaces-5ed1ea30bb93

== Example ==
{{{
-d \*.example.com -d example.com
}}}
The required TXT record apparently becomes "_acme-challenge.example.com TXT xxxxx".

== Waiting time ==
"I added the DNS record in the management panel site of the service that manages the domain."

== Mismatch with the DNS interpretation ==
There seem to be cases where the certificate's wildcard interpretation and the DNS wildcard interpretation do not agree, which concerns me. -- ToshinoriMaeno
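The following is an added example, not code from this wiki page or from Let's Encrypt. It puts the two wildcard interpretations side by side: a certificate name `*.example.com` covers exactly one label, while a DNS wildcard owner `*.example.com` synthesises answers for names any number of labels deep (`a.b.example.com`), unless a closer existing name cuts it off (the RFC 4592 closest-encloser rule). It also applies the newOrder rules quoted in the "production environment" section (single wildcard, whole leftmost label, base plus wildcard allowed, redundant names rejected) and derives the `_acme-challenge` TXT owner name from the "Example" section, where the base name and its wildcard both land on `_acme-challenge.example.com`. The zone contents, the helper names and the order identifier lists are all constructed for the example.

```python
from __future__ import annotations

# Added example (not from the wiki page or from Let's Encrypt): certificate
# wildcard matching vs. DNS wildcard matching, plus a check of a hypothetical
# newOrder identifier list.  Everything below is constructed sample data.

# Constructed zone: owner name -> record (simplified to a single string).
SAMPLE_ZONE = {
    "example.com": "A 192.0.2.1",
    "*.example.com": "A 192.0.2.2",
    "www.example.com": "A 192.0.2.3",
}


def cert_wildcard_matches(pattern: str, hostname: str) -> bool:
    """Certificate-style match under the Let's Encrypt rule: at most one '*',
    it must be the entire leftmost label, and it covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        raise ValueError(f"not a valid certificate wildcard: {pattern}")
    # '*' stands for exactly one label, so the label counts must agree
    return len(p) == len(h) and p[1:] == h[1:]


def dns_wildcard_lookup(zone: dict[str, str], qname: str) -> str | None:
    """DNS-style lookup (RFC 1034 / RFC 4592): '*.example.com' answers for
    names any number of labels below example.com, but only when no closer
    name exists in the zone (the 'closest encloser' rule)."""
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return zone[qname]
    # Every owner, and every ancestor of an owner (empty non-terminal), exists.
    existing: set[str] = set()
    for owner in zone:
        labels = owner.split(".")
        existing.update(".".join(labels[i:]) for i in range(len(labels)))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:  # closest encloser found
            return zone.get("*." + ancestor)  # wildcard there, or nothing
    return None


def check_order(identifiers: list[str]) -> list[str]:
    """Problems with a newOrder identifier set under the rules the page quotes.
    A base domain next to its wildcard is fine (two authorizations); a
    non-wildcard name already covered by a wildcard in the order is redundant."""
    names = [n.lower().rstrip(".") for n in identifiers]
    problems: list[str] = []
    wildcards: list[str] = []
    for n in names:
        labels = n.split(".")
        if "*" in n:
            if labels[0] != "*" or any("*" in label for label in labels[1:]):
                problems.append(f"{n}: '*' must be the entire leftmost label")
            else:
                wildcards.append(n)
    for n in names:
        if "*" in n:
            continue
        for w in wildcards:
            if cert_wildcard_matches(w, n):
                problems.append(f"{n}: redundant, already covered by {w}")
    return problems


def dns01_record_names(identifiers: list[str]) -> dict[str, list[str]]:
    """Owner name of the TXT record each DNS-01 authorization needs:
    '_acme-challenge.' + the identifier with any leading '*.' removed.
    '*.example.com' and 'example.com' therefore share one owner name and
    need two TXT records there, one token per authorization."""
    out: dict[str, list[str]] = {}
    for n in identifiers:
        base = n.lower().rstrip(".")
        if base.startswith("*."):
            base = base[2:]
        out.setdefault("_acme-challenge." + base, []).append(n)
    return out


if __name__ == "__main__":
    for name in ("www.example.com", "ftp.example.com",
                 "a.b.example.com", "a.www.example.com"):
        print(f"{name:20} cert *.example.com covers: "
              f"{cert_wildcard_matches('*.example.com', name)!s:5} "
              f"DNS answer: {dns_wildcard_lookup(SAMPLE_ZONE, name)}")
    print(check_order(["*.example.com", "example.com"]))
    print(check_order(["*.example.com", "www.example.com"]))
    print(check_order(["f*.example.com"]))
    print(dns01_record_names(["*.example.com", "example.com"]))
```

Running it shows the mismatch directly: `a.b.example.com` gets a DNS answer from the wildcard owner but is not covered by a `*.example.com` certificate, and `a.www.example.com` gets no DNS wildcard answer at all because `www.example.com` exists, so a hostname that resolves is not necessarily one the certificate names, and vice versa.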