[pmg-devel] [PATCH pmg-api/pmg-docs/proxmox-widget-toolkit v2 0/1] allow wildcard DNS-names for ACME

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Apr 13 06:55:34 CEST 2021


On 12.04.21 21:28, Stoiko Ivanov wrote:
> v1->v2:
> * read up on the requirements and inferred from [0], a few HOWTOs and the
> response from the LE staging directory that:
> ```
> Orders that contain both a base domain and its wildcard equivalent (...) are
> valid.
> ```
> means that only such orders are valid (hence the requirement for the base

I'm afraid that's bogus.

> name in addition to the wildcard name
> * added a short stanza to pmg-docs describing the requirements
> * added a patch for pwt to allow '*.' as prefix for domains in ACMEDomains

actually read your linked article:
> To request a wildcard certificate simply send a wildcard DNS identifier in the newOrder request.

And from the actual RFC #8555
> Any identifier of type "dns" in a newOrder request MAY have a wildcard domain name as its value.

So, it's:

1. just wildcard '*.domain.tld', totally fine
2. if an order contains a wildcard and the base domain, it's seen as valid too,
   but definitively *not* a requirement..

2. stands in contrast to cases where a wildcard domain and a subdomain, which the
wildcard would already cover, are passed in an order - as that is bogus.

How do I know it works? Because I order wildcard certs with just the wildcard
domain since ACME/Let's Encrypt supports it ;-)

> [0] https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
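
The three cases listed in the reply, turned into a small check on the identifier list of an RFC 8555 newOrder request. This is an added example, not code from pmg-api, pmg-docs or the thread; the domain names are constructed sample values and the function names are my own. It accepts a wildcard on its own, accepts a wildcard together with its base domain, and rejects an order that lists a wildcard plus a subdomain that wildcard already covers (one label deep, the usual X.509 wildcard semantics).

```python
"""Build and sanity-check the identifier list of an ACME (RFC 8555) newOrder.

Added example, not code from pmg-api or from the mailing-list thread; all
domain names below are constructed sample values.
"""
import json
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen (simplified).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_wildcard(name: str) -> bool:
    """RFC 8555 s7.1.3: a wildcard identifier has '*' only as its first label."""
    return name.startswith("*.")


def base_of(name: str) -> str:
    """Strip a leading '*.' so '*.example.com' -> 'example.com'."""
    return name[2:] if is_wildcard(name) else name


def valid_dns_name(name: str) -> bool:
    """Accept 'host.example.com' or '*.example.com'; reject '*' anywhere else."""
    base = base_of(name).lower()
    labels = base.split(".")
    if len(labels) < 2:
        return False
    return all(_LABEL.match(label) for label in labels)


def covered_by_wildcard(name: str, wildcard: str) -> bool:
    """True when 'name' is a direct child of the wildcard's base domain.

    A wildcard matches exactly one label (standard X.509 wildcard semantics),
    so 'a.example.com' is covered by '*.example.com' but 'a.b.example.com'
    and the base 'example.com' itself are not.
    """
    base = base_of(wildcard)
    if name == base or not name.endswith("." + base):
        return False
    prefix = name[: -len(base) - 1]      # the part left of ".example.com"
    return "." not in prefix


def check_identifiers(names):
    """Return a list of problems; an empty list means the order looks sane."""
    problems = []
    seen = set()
    for n in names:
        if not valid_dns_name(n):
            problems.append(f"{n}: not a valid DNS identifier")
        if n in seen:
            problems.append(f"{n}: duplicate identifier")
        seen.add(n)
    for wc in (n for n in names if is_wildcard(n)):
        for n in names:
            if not is_wildcard(n) and covered_by_wildcard(n, wc):
                problems.append(f"{n}: already covered by {wc}")
    return problems


def new_order_payload(names):
    """Build the newOrder body (RFC 8555 s7.4); raise on a bogus identifier set."""
    problems = check_identifiers(names)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"identifiers": [{"type": "dns", "value": n} for n in names]})


if __name__ == "__main__":
    print(new_order_payload(["*.example.com"]))                   # case 1: fine
    print(new_order_payload(["*.example.com", "example.com"]))    # case 2: fine
    print(check_identifiers(["*.example.com", "mail.example.com"]))  # bogus
```

The payload is only the JSON body; in a real client it is wrapped in the JWS-signed POST to the directory's newOrder URL, which is out of scope here. A rule like `check_identifiers` is the natural place to give the user an early, readable error instead of waiting for the CA to reject the order.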
