Get ssl wildcard & conflict json file

Good day,

I’m facing two issues:

  1. I attempted to obtain a wildcard SSL certificate, but somehow ended up with individual SSL certificates for each subdomain instead of a wildcard. I followed the documentation, but it didn’t result in a wildcard certificate as expected. Now, each subdomain has its own separate SSL certificate.
  2. I’m using Caddy to automatically obtain free SSL certificates for around 4,000 domains. Occasionally, the JSON file that manages the certificates becomes corrupted, leading to issues like the one mentioned above.
{
	"sans": [
		"domain.com"
	],
	"issuer_data": {
		"url": "https://acme-v02.api.letsencrypt.org/acme/cert/03658e93f2c890915a054765671087f2cef9",
		"ca": "https://acme-v02.api.letsencrypt.org/directory",
		"renewal_info": {
			"suggestedWindow": {
				"start": "2024-09-10T17:51:39.333333334Z",
				"end": "2024-09-12T17:51:39.333333334Z"
			},
			"_uniqueIdentifier": "kydGmAOpUWiOmNbEQkjbI79YlNI.A2WOk_LIkJFaBUdlZxCH8s75",
			"_retryAfter": "2024-08-12T13:10:59.922832197Z",
			"_selectedTime": "2024-09-12T02:56:59Z"
		}
	}
}}

I sincerely appreciate your help in advance.

We can’t help with such failure cases without knowing your config (Caddyfile or JSON). Please fill out the help template to ensure we have all the details we need.

I got the same problems.

My Caddyfile, for example:

{
	email admin@domain.com
	on_demand_tls {
		ask http://cdn-record-manager:3000/ssl/checker
	}
}
*.domain.com, domain.com{
	tls {
		on_demand
		alpn http/1.1 h2 h3
	}

	handle {
		reverse_proxy http://192.168.1.135:8080 {
			header_up Host {host}
		}
	}
}
Hi @Hassan_Ghaseminia,

A wildcard certificate requires the DNS-01 challenge (see Challenge Types - Let's Encrypt).

Thank you for your participation.

I will give you this item. I have now prepared it with certbot, which gives two tokens for this item that need to be recorded as TXT records. I did this. But where does Caddy put these two tokens? Or where does it give them to me so I can confirm them and get a wildcard SSL certificate?

Different DNS providers have different APIs to add, edit, and delete DNS records.
So using DNS-01 in a practical (automated) way is coupled to which DNS provider you are using. Most of the time a plugin is helpful.

First of all, add a space between com and the opening brace, otherwise Caddy cannot know where the site name ends and the block begins

Secondly, you’re adding on_demand, which tells Caddy to keep issuing single SAN certificates and rely on the ask URL to accept or reject the domain name.

Lastly, for wildcard certificates, you need to first remove on_demand and use the DNS challenge, which requires a custom-built Caddy (built with the xcaddy command or from our download page). You can follow the instructions here:

Just to clarify regarding this point:

Caddy’s certificate maintenance is not interactive, it is fully automated.

You cannot configure Caddy to supply a TXT record for you to manually update your DNS provider with.

You must configure Caddy with API access to your DNS provider to do this automatically instead; following the link Mohammed posted should give you the information you need to do this.

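
The corrected form of the Caddyfile posted above, as an added example (this is not the original poster's configuration and not code from the Caddy project): the space before the opening brace is restored, `on_demand` and the global `on_demand_tls { ask ... }` block are dropped, and the DNS challenge is enabled so Caddy can obtain one certificate for `*.domain.com` and `domain.com`. The DNS provider is assumed to be Cloudflare via the `github.com/caddy-dns/cloudflare` module, with the API token read from an environment variable assumed to be named `CF_API_TOKEN`; substitute your own provider's module and its parameters.

```caddyfile
{
	email admin@domain.com
}

# Wildcard and apex in one site block, so a single certificate covers both.
# Note the space between the address list and the opening brace.
*.domain.com, domain.com {
	tls {
		# DNS-01 challenge through the Cloudflare module (assumed provider).
		# Caddy creates and deletes the _acme-challenge TXT records itself;
		# there is no token for you to paste into your DNS zone by hand.
		dns cloudflare {env.CF_API_TOKEN}
		alpn http/1.1 h2 h3
	}

	handle {
		reverse_proxy http://192.168.1.135:8080 {
			header_up Host {host}
		}
	}
}
```

The binary that understands `dns cloudflare` is built with `xcaddy build --with github.com/caddy-dns/cloudflare` (or downloaded with that module selected), and `CF_API_TOKEN` must be exported in Caddy's environment before it starts. Two points worth keeping in mind: the token lets Caddy issue certificates for any name in the zone, so scope it to DNS-edit on that one zone only and store it like any other signing credential; and with a wildcard, every subdomain is served from one private key and the former `ask` endpoint no longer gates which hostnames get a certificate, so whatever that endpoint was enforcing has to move elsewhere (for example into the backend).
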
The extra } at the end of the JSON file is probably due to a bug with certmagic regarding atomic file writes. This should be fixed in the next release by "fix: use a tempfile to write files in filestorage." (Pull Request #300 by elee1766, caddyserver/certmagic on GitHub).

But as others have said, you probably don’t need On-Demand TLS if all you’re trying to do is serve subdomains of a domain under your control. In that case, you should use a single wildcard certificate to cover all of them.

Using On-Demand TLS makes the most sense when you have customers pointing their own domains to your server (with a CNAME record pointing to your domain).

If you’re not allowing customers to do that and you’re just doing per-user/customer subdomains under your own domain, then a wildcard certificate is what you want.

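
For an operator with thousands of certificates, finding which metadata files are torn like the one posted above is the practical problem. The script below is an added example, not code from Caddy or certmagic: it walks a storage tree, classifies each `.json` file as intact, "complete value plus trailing data" (the stray brace case, which is repairable) or unparseable, and rewrites the repairable ones with the same temp-file-plus-rename technique the certmagic fix adopts. The default storage path, the `--repair` flag and the embedded sample file (a reduced copy of the posted metadata with the extra brace) are assumptions for illustration; stop Caddy before repairing so it cannot race the rename.

```python
"""Find and optionally repair certmagic metadata files that end in extra data.

Added example, not code from Caddy or certmagic. The default storage path,
the --repair flag and SAMPLE_CORRUPT below are assumptions for illustration.
"""
import json
import os
import sys
import tempfile

# Constructed sample: the thread's metadata file, reduced, with the stray '}'.
SAMPLE_CORRUPT = """{
  "sans": [
    "domain.com"
  ],
  "issuer_data": {
    "url": "https://acme-v02.api.letsencrypt.org/acme/cert/03658e93f2c890915a054765671087f2cef9",
    "ca": "https://acme-v02.api.letsencrypt.org/directory"
  }
}}
"""


def classify(text):
    """Return (status, value, clean_text).

    status: 'ok'       - exactly one JSON value and nothing after it
            'trailing' - a complete value followed by extra data (repairable)
            'broken'   - no complete value at all (not repairable here)
    value: the parsed top-level object, or None when 'broken'
    clean_text: canonical re-serialisation when 'trailing', else None
    """
    body = text.lstrip()
    try:
        value, end = json.JSONDecoder().raw_decode(body)
    except json.JSONDecodeError:
        return "broken", None, None
    if not body[end:].strip():
        return "ok", value, None
    return "trailing", value, json.dumps(value, indent="\t") + "\n"


def scan(root):
    """Map every *.json file under root to its status."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".json"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    out[path] = classify(fh.read())[0]
    return out


def repair(path):
    """Rewrite a 'trailing' file atomically: write a temp file in the same
    directory, fsync it, then rename over the original, so a crash can never
    leave a half-written file. Returns True if the file was rewritten."""
    with open(path, encoding="utf-8") as fh:
        status, _value, clean = classify(fh.read())
    if status != "trailing":
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".repair-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(clean)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def demo():
    """Self-contained run on a temporary storage tree. Returns the status
    before repair, whether repair happened, the status after, and the SANs
    read back from the repaired file."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "domain.com", "domain.com.json")
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CORRUPT)
        before = scan(root)[path]
        repaired = repair(path)
        after = scan(root)[path]
        with open(path, encoding="utf-8") as fh:
            sans = classify(fh.read())[1]["sans"]
    return before, repaired, after, sans


if __name__ == "__main__":
    # Assumed default: Caddy's usual Linux data directory. Pass a path to
    # override; add --repair to rewrite the repairable files in place.
    args = [a for a in sys.argv[1:] if a != "--repair"]
    root = args[0] if args else os.path.expanduser("~/.local/share/caddy/certificates")
    for path, status in sorted(scan(root).items()):
        if status != "ok":
            print(status, path)
            if status == "trailing" and "--repair" in sys.argv:
                repair(path)
```

Run it first without `--repair` to get an inventory; files reported as `broken` have lost data before the end of the top-level object and should be handled by deleting the certificate's directory so Caddy re-issues, not by this script. The repair re-serialises the parsed object, so key order and indentation may change but no field is lost.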