
Re: certbot-service wildcard support

From: Nils Gillmann
Subject: Re: certbot-service wildcard support
Date: Sat, 4 Aug 2018 10:08:02 +0000

Clément Lassieur transcribed 1.7K bytes:
> Nils Gillmann <address@hidden> writes:
> > Clément Lassieur transcribed 847 bytes:
> >> Nils Gillmann <address@hidden> writes:
> >> 
> >> > Hi,
> >> >
> >> > recently letsencrypt added support for wildcard certificates.
> >> >
> >> > Since we concluded that it would be a good idea for Taler to
> >> > just use that instead of roughly 30 - 40 subdomain certificates:
> >> >
> >> > Does our certbot-service support the wildcard functionality?
> >> 
> >> It doesn't, because it doesn't support DNS challenges.
> >> 
> >> I tried to add support for DNS challenges, but I stopped because my DNS
> >> provider (Namecheap) doesn't have an API to update DNS records.  (Well,
> >> it does, but the API has access to everything and I can't afford the
> >> security risk.)
> >> 
> >> The problem with DNS challenges is that there is no universal way to
> >> update the records.  It depends very much on the provider (unless you
> >> host your DNS zone).
> >
> > How is that related? Or am I using certbot on Debian wrong? I simply added
> > an entry manually. I don't even want a service to mess around with DNS, at
> > least not unless it is required.
> > Which in my experience it is not. You can add the entry manually, which is
> > what we'd have done for taler.
> Oh.  I thought it had to be updated every three months, which is why I
> wanted to automate it.  But if it has to be updated only once, then it's
> not a problem.

The DNS entry is added once and that's it, at least from memory, and in my
experience none of my certs have cried for help so far.

> >> I packaged PYTHON-DNS-LEXICON though, it might help if you want to work
> >> in this.
> >
> > If you can tell me more about this, and why you think that software is
> > required for this, then it would be in my responsibility to work on this.
> It's just a tool that automates DNS records updating, but you won't need
> it if the DNS record used by Certbot only needs to be updated once.

Okay. So basically it could work as-is, or is there some programming work
to be done to support entries like "*"?

