Wildcard certificates multiple


(Stonedestroyer) #1

Hello, I have Caddy v0.10.12 and am wondering about the new wildcard certificates. I do wish to use them and have enabled tls dns registration on all my domains. But one issue is that it will only do a wildcard on my main domain and not on any linked subdomain. Do I have to do *? Because if I do that, it will make my other subdomains not work. I guess I could specify my wildcard certificate, but that seems backwards, as it will stop the auto redirect.

maindomain.com, www.maindomain.com {
	tls {
		dns namecheap
	}
}

test.maindomain.com {
	tls {
		dns namecheap
	}
}

test2.maindomain.com {
	tls {
		dns namecheap
	}
}

I even tried domain wildcard under the first tls block, but it did not work. It only gets normal certificates and not a wildcard. And if I have to put * to get a wildcard for all domains, I do not wish to catch all domains, so I am not sure how to do this correctly, as I have different options for the subdomains and do not wish to put them together.


(Matthew Fay) #2

Here is some relevant documentation you’ll want to have a look over:

If you have many subdomains configured differently in your Caddyfile, you can also force a wildcard for them by using the wildcard subdirective of the tls directive.

https://caddyserver.com/docs/automatic-https#wildcards

  • wildcard will obtain and manage a wildcard certificate for this name by replacing the left-most label with *, as long as managed TLS with the DNS challenge is enabled. Any sites which are configured similarly and have the same resulting wildcard name will then share the same, single certificate. This will not work with On-Demand TLS because it uses the SNI value for the certificate name. Note: Do not use this feature unless you have many subdomains that would otherwise cause you to hit CA rate limits.

https://caddyserver.com/docs/tls


(Stonedestroyer) #3

I see it works now, just a question why is it not recommended to use this feature?


(Matthew Fay) #4

Well, let's analyse why you would want a wildcard in the first place.

What are the benefits of using a wildcard?

Generally, the most commonly cited feature of using a wildcard certificate is that the one certificate covers all your sites for a given domain name. In short, it’s a convenience measure for the administrator of the server that reduces the ongoing maintenance load of managing a potentially much larger number of certificates.

Caddy’s headlining feature is its automated certificate management. Caddy is happy to handle hundreds or thousands of certificates without your intervention at all. So, barring the possibility of running into rate limits with the CA, we consider the difference of convenience to be none or near-none.

What are the drawbacks of using a wildcard?

A wildcard certificate is a security liability because it grants vastly more privilege over a domain name than the web server is likely to ever use. The principle of least privilege dictates that a system should only have resources strictly required to carry out its intended task.

Limiting Caddy’s certificates to only those sites it actually serves is a very neat way of satisfying that principle. Should those certificates be compromised in a worst-case scenario, the damage could be plausibly held to a minimum.

Whether you’re likely to suffer any meaningful breach isn’t generally considered when designing a secure system, only how severe the damages could be. It might never happen to you, but it does happen.


So, given that we don’t see much benefit from a wildcard certificate, and we still see at least one glaring drawback, we generally advise against it unless the circumstances require it.
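To make the two points above concrete, here is an added example (not from this thread or from the Caddy project): it derives the wildcard name that the wildcard subdirective described in #2 would request (left-most label replaced with *), then compares which hostnames a per-site certificate set and a wildcard certificate set cover, using the one-label wildcard matching rule from RFC 6125. The site names are the ones posted in #1; the extra hostnames and the handling of the apex name (kept exact rather than turned into *.com) are assumptions made for the example.

```python
# Added example: wildcard-name derivation and SAN coverage comparison.
# Site names come from the thread; OTHER hostnames are constructed.

def wildcard_name(host: str) -> str:
    """Replace the left-most DNS label with '*', as the tls docs describe."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        # Assumption for this example: an apex name like maindomain.com is
        # kept exact, since *.com is not something a public CA would issue.
        return host.lower()
    return "*." + ".".join(labels[1:])

def san_matches(san: str, host: str) -> bool:
    """RFC 6125 style match: '*' covers exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                 # e.g. ".maindomain.com"
    if not host.endswith(suffix):
        return False
    prefix = host[:-len(suffix)]     # the part the '*' must stand for
    return prefix != "" and "." not in prefix

def covered_hosts(sans, hosts):
    """Return the hostnames (sorted) that at least one SAN entry covers."""
    return sorted(h for h in hosts if any(san_matches(s, h) for s in sans))

# Sites from the posted Caddyfile.
SITES = ["maindomain.com", "www.maindomain.com",
         "test.maindomain.com", "test2.maindomain.com"]
# Constructed names this server never serves, to show the extra privilege
# a wildcard grants (and its limits: no second level, no lookalike domain).
OTHER = ["mail.maindomain.com", "admin.maindomain.com",
         "a.b.maindomain.com", "maindomain.com.evil.example"]

PER_SITE_SANS = list(SITES)                                   # Caddy's default
WILDCARD_SANS = sorted(set(wildcard_name(h) for h in SITES))  # with `wildcard`

if __name__ == "__main__":
    print("wildcard SANs requested:", WILDCARD_SANS)
    print("per-site certs cover:  ", covered_hosts(PER_SITE_SANS, SITES + OTHER))
    print("wildcard certs cover:  ", covered_hosts(WILDCARD_SANS, SITES + OTHER))
```

The per-site set covers exactly the four served names, while the wildcard set additionally covers every single-label subdomain the server does not serve, which is the least-privilege gap #4 describes.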