Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support wildcard certificates with ACMEv2 #319

Closed
raqbit opened this issue Jan 21, 2018 · 56 comments · Fixed by #1137
Closed

Support wildcard certificates with ACMEv2 #319

raqbit opened this issue Jan 21, 2018 · 56 comments · Fixed by #1137
Labels
kind/feature-request Issue requesting a new feature kind/letsencrypt Issue, question or PR regarding Let's Encrypt

Comments

@raqbit
Copy link

raqbit commented Jan 21, 2018

On January 27 letsencrypt will make star certificates fully available via the ACME v2 protocol.
Are you planning on adding support for this?

@buchdag
Copy link
Member

buchdag commented Jan 22, 2018

Wilcard certs will require dns-01 challenge and simp_le only support http-01, so they won't be available through letsencrypt-nginx-proxy-companion.

zenhack/simp_le#101

@buchdag buchdag added the status/wont-fix This issue won't be fixed label Jan 22, 2018
@raqbit
Copy link
Author

raqbit commented Jan 22, 2018

Well that's a bummer. As Python-acme is part of certbot I'd guess they will implement v2 soon-ish, and then simple_le will able to support it as well in the future. Anyways, thanks!

@buchdag
Copy link
Member

buchdag commented Jan 22, 2018

Unfortunately it's not as simple as that, let me clarify : support for ACME V2 will be implemented in simp_le, but dns-01 challenge won't.

dns-01 challenge is not new or specific to ACME v2 and the original simp_le developer (@kuba) made the explicit choice to limit simp_le to http-01 challenge from the beginning (you can see it in the manifesto, point 3).

@raqbit
Copy link
Author

raqbit commented Jan 22, 2018

Oh, I see. Thanks for helping :)

@raqbit raqbit closed this as completed Jan 22, 2018
@buchdag buchdag changed the title Support star certs with ACMEv2 Support wildcard certificates with ACMEv2 Jan 22, 2018
@buchdag
Copy link
Member

buchdag commented Jan 22, 2018

@raqbit I'm re-opening so the issue and the reason why we won't (/ can't) support wildcard certs have better visibility.

@almereyda
Copy link
Contributor

Please see zenhack/simp_le#101 (comment) for updates on the upstream issue, since the v2 endpoint has finally been released to production.

@buchdag
Copy link
Member

buchdag commented Mar 13, 2018

@almereyda as told in my first message on this issue and on the simp_le issue you mentioned, wilcard certificates requires dns-01 challenge support, which is absent from simp_le (and there are no plans to add it).

This is not the same thing as (or related to) Acme v2 support.

@Dragnucs
Copy link

I am curious. Can't simp_le be replaced with another components that could handle dns-01 challenge? If not, what are our options? Can't we hack the configuration a bit on our end to support it?

@buchdag
Copy link
Member

buchdag commented Mar 15, 2018

It could, letsencrypt-nginx-proxy-companion is pretty much "just" bash automation around simp_le and nginx-proxy, there is nothing preventing someone from re-writting it to use another ACME client and provide additional features. As usual with small open source projects the only real issues are the amount of work necessary and the time it takes.

I've been thinking for a while about doing a fork of this project using certbot instead of simp_le but it's pretty far from a drop-in replacement as the two behave in very different ways. I lack the time to do more than experiment a bit with the idea once in a while.

As for other options, the most serious is probably switching to a bigger project like https://github.com/containous/traefik

To be honest I have my doubts about the long term viability of the nginx-proxy / docker-gen solution as it's now extremely hard to get contributions merged to those projects (mostly due to the fact that their creator is very busy working at influxdb, I guess. That's understandable).

@Dragnucs
Copy link

@buchdag thank you for your reply.

@almereyda
Copy link
Contributor

almereyda commented Mar 15, 2018 via email

@buchdag
Copy link
Member

buchdag commented Mar 15, 2018

Errr no it does not.

We (zenhack and I) said on that issue that ACME v2 support is planned (we said nothing about when, and it might turn out to be harder than expected) and that dns-01 is out of scope.

Again dns-01 challenge is required to obtain a wildcard certificate through the Let's Encrypt ACME v2 endpoint, but they are not one and the same thing: implementing ACME v2 does not imply implementing dns-01 challenge at all.

@evertramos
Copy link
Contributor

@buchdag Thanks for your contribution!!! Traefik works really fine with it!!! I am doing some tests around it and it seems pretty stable as well. Since I have a couple servers running this repo It will take a couple months to release something usefull, but thank in advance!

@BirkhoffLee
Copy link

BirkhoffLee commented Apr 25, 2018

Maybe give users a hint in https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/letsencrypt_service#L106 when they receive this useless error? Like adding the link to this issue in the output. We expect this to work, but it actually fails

nginx-letsencrypt    | /etc/nginx/certs/*.birkhoff.me /app
nginx-letsencrypt    | Creating/renewal *.birkhoff.me certificates... (*.birkhoff.me)
nginx-letsencrypt    | /usr/lib/python2.7/site-packages/acme/jose/jwa.py:110: CryptographyDeprecationWarning: signer and verifier have been deprecat
ed. Please use sign and verify instead.
nginx-letsencrypt    |   signer = key.signer(self.padding, self.hash)
nginx-letsencrypt    | ACME server returned an error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: W
ildcard names not supported

It actually took me a while to figure out what happened. Thanks for the nice work tho

@buchdag
Copy link
Member

buchdag commented Apr 25, 2018

@BirkhoffLee "expect this to work" "useless error" ... nice tone there.

BTW the "useless error" actually comes from simp_le, not from this container's code.

@BirkhoffLee
Copy link

BirkhoffLee commented Apr 25, 2018 via email

@buchdag
Copy link
Member

buchdag commented Apr 25, 2018

My bad, I did not realize you were a non native english speaker. 😅

You're right with the fact that some warnings about unsupported features (as of now) like ACME V2 endpoints and wildcard certificates should be added. I'll try to add this to dev this week.

@BirkhoffLee
Copy link

BirkhoffLee commented Apr 25, 2018 via email

@kopax
Copy link

kopax commented Dec 5, 2019

Hi, I am discovering this project. I see why the issue has been reopened but I also see there is a v1.12 solution for it. Is this finally solved? Thanks for sharing!

@buchdag
Copy link
Member

buchdag commented Dec 10, 2019

Quoting myself:

This is just part of the upcoming switch to ACME v2 protocol prior to the November 1st deadline I alluded to in my previous message, it does not bring support for wildcard certificates.

@benben
Copy link

benben commented Jan 22, 2020

great work. thank you! Is there a way to support your work with a donation?

@almereyda
Copy link
Contributor

Now following suite with the release of v2 through #510 and #719, it appears even more possible to use dns-01 ACME v2 challenges with the companion.

In #510 (comment) @pini-gh communicated the existence of a fork --- that happens to find itself at https://github.com/pini-gh/docker-letsencrypt-nginx-proxy-companion in opposition to the link provided there --- that implements the requested change here. See the comparison in v2.0.1...pini-gh:dns-01-challenge

Would this deem a suitable moment to issue a Pull Request from this PoC and test and extend it against the maintainer's expectations?

@buchdag
Copy link
Member

buchdag commented Dec 26, 2020

@almereyda as usual I'd really like to give users a roadmap and stick to it, but you saw how well it went the last time I tried that.

Things I can say for now:

  • yes, now that Switch to acme.sh #510 / Replace simp_le with acme.sh #719 are done, dns-01 challenges support will be worked on
  • there is some CI/CD and code refactoring work that I want to do before that
  • also, improvements on logging and debugging
  • I'll certainly start with @pini-gh fork and work with him on this if he wants to and has time to spare
  • it will probably be way harder to create a working integration test for this feature than the feature itself

@MohammedNoureldin
Copy link

Hello, any news regarding DNS challenge support?

@xicond
Copy link

xicond commented Oct 30, 2021

Is there a way to customize executed acme.sh when I want to do wildcard with dns-01 challenge, I'll use if-else per domain to append TOKEN and change to dns-01 challenge

@Miladiir
Copy link

Hi, what about #916, any plans to merge it?

@Hexalyse
Copy link

Hexalyse commented Jun 30, 2022

Bumping this issue since not a single comment has been posted in response to the PR #916 which seems to implement wildcard certificates (albeit only supporting Cloudflare if I understood correctly).

Is it planned to be merged ? Or is this feature simply not planned to be implemented in acme-companion for now ?

@daweedm
Copy link
Contributor

daweedm commented Apr 6, 2023

@Miladiir @Hexalyse the PR #916 is unfortunately too much specific to cloudfare (because it's checking for the existence of CF_Token environment variable).

I have created a PR (#1022) for adding generic support for DNS challenges which is fully working for "non-wildcard" domains with minor changes to the code base and being not specific to any provider.

Based on what I have read in the #916 , the PR #1022 may not require a lot of additional work in order to support wildcards domains, because wildcard certs are issued based on DNS challenge : I think it only require to update the functions.sh as it's done in #916, but to be confirmed by @buchdag

@PedroVallejo5
Copy link

Are there any updates on this? This feature is gonna help us a lot

@aaccioly
Copy link

aaccioly commented Sep 24, 2023

If anyone is looking for a working alternative, here's an example of how to combine nginx-proxy with adferrand/dnsrobocert: Script to deploy certificates generated with DNSroboCert to nginx-proxy. It's working very well, feel free to use it in any way that you see fit.

@Cilenco
Copy link

Cilenco commented Nov 18, 2023

For anyone searching for wildcard certificate support in nginx-proxy:

I've created a docker image which is based on go-acme/lego and works perfectly well with nginx-proxy.
It supports all of their DNS providers and auto updates the certificates using cron before they get invalid.

@necaran
Copy link

necaran commented May 24, 2024

Here is another workaround, using acmesh-official/acme.sh to work with nginx-proxy.
It is extremely lightweight since the container of acme.sh takes only about 1 MiB of RAM (as shown by docker stats).

@cistes44
Copy link

cistes44 commented Jul 9, 2024

I've created a docker image which is based on go-acme/lego and works perfectly well with nginx-proxy.

I confirm, thanks a lot for this image! The documentation being extra slim, I share my docker-compose.yml file here, with ovh api and wildcard certificate generation. if you have another registar/dns provider, you can check the proper environment variables here : https://go-acme.github.io/lego/dns/

version: "2.4"

services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:alpine
    container_name: nginx-proxy
    restart: always
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
    volumes:
      - certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      proxy-network:

  lego-acme:
    image: cilenco/lego-cron-wrapper
    container_name: lego-acme
    command: >
      --accept-tos --email=mail@example.com --dns ovh
      --domains=*.example.com
    environment:
      - RUN_ARGUMENTS=--run-hook=/app/deploy
      - RENEW_ARGUMENTS=--renew-hook=/app/deploy
      - OVH_APPLICATION_KEY=<appkey>
      - OVH_APPLICATION_SECRET=<appsec>
      - OVH_CONSUMER_KEY=<conskey>
      - OVH_ENDPOINT=ovh-eu
    volumes:
      - certs:/app/certificates
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./deploy.sh:/app/deploy
    networks:
      - proxy-network-internal

  website:
    image: httpd:alpine
    container_name: website
    restart: always
    volumes:
      - ./website:/usr/local/apache2/htdocs/:ro
      - ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
    environment:
      - VIRTUAL_HOST=example.example.com
    networks:
      - proxy-network

volumes:
  certs:

networks:
  proxy-network-internal:
    external: true
  proxy-network:
    external: true

Please note that the LETSENCRYPT_HOST disappear.

@buchdag buchdag linked a pull request Jul 16, 2024 that will close this issue
@buchdag
Copy link
Member

buchdag commented Jul 16, 2024

This took way, way longer than I intended, but support for DNS-01 challenge and wildcard certificates is coming, see #1137

@buchdag buchdag unpinned this issue Jul 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature-request Issue requesting a new feature kind/letsencrypt Issue, question or PR regarding Let's Encrypt
Projects
None yet
Development

Successfully merging a pull request may close this issue.