Let's Encrypt ACME v2 and Wildcard Certificates

With Let's Encrypt ACME v2 and wildcard support officially launched today I’m chomping at the bit to get this working on my multisite (subdomain) install :smile:

I figured a thread to get the discussion going and keep up with progress implementing this into Trellis would be helpful… Has anyone kicked around the code on this yet?

I’m assuming the DNS-01 challenge type requirement (modification of DNS TXT records in order to demonstrate control over a domain) would obviously add an additional step to take outside the Trellis ecosystem, yeah??

Anyway, this is high on my to-do list and I’ll be sure to report back with my own progress too!

1 Like

You said Sage twice… I assume you mean Trellis?

But yes, since it requires a DNS challenge it would require much more work and really couldn’t be automated by Trellis (unless we had plugins to interface with various DNS APIs such as DO, AWS, etc but that’s complicated).

Considering the current solution works, and LE themselves even say you should continue to use the normal certs for most use cases, it’s low on our list of priorities.

2 Likes

Yeah it’s been a long day… definitely meant Trellis :blush:

Alrighty well I’ll see how far I can get going it alone, I’m not as familiar with Ansible and Vagrant as I would like to be anyway, so I guess this is as good an opportunity as any!

Wildcards would be amazing for network installs so clients can make their new subdomains and not have to call me to provision a cert, but hey, billable hours right? :slight_smile:

Thanks for the reply!

2 Likes

Hey dnowland,

Did you figure out how to use a letsencrypt wildcard cert with a subdomain multisite and trellis? I’m starting to look into this or automating the creation on new certs when new sites and subdomains are created by an end user.

Thanks!

@nicely I wish!! I haven’t been granted budgetary approval for implementing this on the project in question. Please do keep me abreast of your developments in this space though; I am highly interested in getting something up and running eventually!

Until then, happy manually updating wordpress_sites :blush:

@swalkinshaw Just stumbled over “lexicon”, which could be quite interesting here: “Lexicon provides a way to manipulate DNS records on multiple DNS providers in a standardized way. Lexicon has a CLI but it can also be used as a python library.

Lexicon was designed to be used in automation, specifically letsencrypt.”

Any thoughts about it?

3 Likes

That’s really cool. I hadn’t seen it before.

Using DNS challenges with LE probably is better overall. It may simplify Trellis’ code and complexity a little but I think there is a trade off. Right now you don’t need to do anything to get SSL in Trellis (or almost nothing). With Lexicon, you’d need to install it, find your DNS API credentials and put them somewhere in Trellis.

I’m not a developer, so forgive me for my “how hard could it be” comment.
But EasyEngine is solving this in some way. Then it sure feels like the roots team would be able to solve this in some way as well.

I also would like to use wildcard certificates and began looking at what this would take. It seems the first step is to update the Ansible role code to the latest. The newer code uses dehydrated instead of acme-tiny. Dehydrated has support for ACME v2 and wildcard certificates. Automatically updating DNS TXT entries will still be tricky, but I could imagine it could be made semi-automated and the user is just prompted to add a TXT entry with the correct value.
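The “correct value” for that TXT entry is fixed by RFC 8555 §8.4: base64url(SHA-256(token + "." + JWK thumbprint)) published at `_acme-challenge.<domain>`, with the `*.` stripped for a wildcard name. The following is an added example, not code from Trellis, dehydrated or Lexicon; the token, key coordinates and “published” TXT strings are constructed sample data, and `record_is_ready` is a hypothetical pre-flight check a semi-automated flow could run before asking the CA to validate.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialized as JSON with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Return (record name, TXT value) the CA will query for DNS-01.
    A wildcard identifier is validated at its base name, so "*.example.com"
    and "example.com" share the same _acme-challenge name (two TXT values)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", value


def record_is_ready(expected_value: str, published_values: list) -> bool:
    """Pre-flight check (hypothetical helper): the expected value must be among
    the TXT strings currently published at the challenge name."""
    return expected_value in published_values


if __name__ == "__main__":
    # Constructed sample account key (EC P-256 JWK) and challenge token.
    jwk = {"kty": "EC", "crv": "P-256", "alg": "ES256",
           "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
           "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    name, value = dns01_record("*.example.com", token, jwk)
    print(f"add TXT record: {name} -> {value}")
```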