-
-
Notifications
You must be signed in to change notification settings - Fork 298
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to Config for On-Demand Wildcard Certificates #319
Comments
I guess I don't understand a few things.
What is your use case for on-demand wildcard certificates? That seems unusual to me.
That function starts managing a wildcard domain asynchronously with on-demand enabled, which means that it won't "trigger" anything until a TLS server associated with that config receives a handshake for a domain name in its SNI, but the SNI will never be a wildcard.🤷♂ |
Thanks for replying. Regarding:
We provide managed hosting for a software that needs wildcard domains to be pointed to our proxy (that handles TLS handshake/termination), and anyone who's subscribing to our services can add a wildcard DNS record on their domain (which points to the proxy) and start using our services.
Does it mean that we cannot manage a wildcard certificate with on-demand enabled? And the SNI won't be a wildcard it will be a subdomain, how to make SNI a wildcard instead (knowing that the SNI/subdomain should be a wildcard instead). |
There is a way, but you need to use an experimental API, Let me know if that works for you 👍 |
Thanks, let me try it. |
What is your question?
I have a proxy server which is using certmagic to issue
on-demand
TLS certificates, theon-demand
function checks cache/database to decide if the domain is allowed or not so the TLS certificate is issued or denied, which works perfectly fine.Now, I have to add support for issuing
on-demand wildcard certificates
and I'm using the sameon-demand
function to decide if the domain name is allowed to have a wildcard certificate and get the dns provider config from the cache/database for it so I could use the appropriate implementation oflibdns
(e.g.godaddy
) to issue the wildcard using the dns challenge.What have you already tried?
I've tried calling the following function from my
on-demand
function if a domain is allowed to have a wildcard, but it doesn't trigger anything (creation of certificate or errors):In the
on-demand
function I return an errorerrors.New("managing wildcard certificate async")
so it doesn't continue issuing TLS certificate forabc.xyz.com
and instead create a wildcard certficate in the above function*.xyz.com
.Bonus: What do you use this package for, and does it help you?
I'm using it in a custom reverse proxy written in Go and it has really helped me for the past years, as this reverse proxy also needs to provision the TLS certificates.
The text was updated successfully, but these errors were encountered: