A small note about Let's Encrypt wildcard certificates

Everyone has probably heard of Let's Encrypt. For some time now it has been possible to get wildcard certificates there. In this short note I will describe a couple of not-so-obvious points that I ran into.

1. A wildcard certificate can only be obtained via the DNS-01 challenge:
Let's Encrypt issues wildcard certificates only after DNS validation; HTTP-01 and TLS-ALPN-01 do not qualify.
That is, our options are either one of the certbot DNS plugins, or --manual together with --preferred-challenges dns-01.

Read more here.
The use of DNS plugins is described in detail in the certbot documentation at the link above.

When using manual mode, you will need to add a TXT record (_acme-challenge.<domain>) to DNS by hand. The value of this record is different each time, so automatic renewal in this case is only possible through certbot hooks (--manual-auth-hook and --manual-cleanup-hook, which certbot runs before and after validation). In the same place, by the way, you can attach a command to run after a successful renewal, for example to restart nginx (--deploy-hook).

2. You need to use the ACME API v2 endpoint:

https://acme-v02.api.letsencrypt.org/directory 

Presumably future versions of certbot will switch to API v2 by default, but for now this is how it is.

I use docker to run certbot. Very convenient. So the command to obtain a certificate looks like this:

 docker run -it --rm \
   -v /docker/volumes/etc/letsencrypt:/etc/letsencrypt \
   -v /docker/volumes/var/lib/letsencrypt:/var/lib/letsencrypt \
   -v /docker/volumes/var/log/letsencrypt:/var/log/letsencrypt \
   certbot/certbot \
   certonly --manual \
   --preferred-challenges dns-01 \
   --server https://acme-v02.api.letsencrypt.org/directory \
   --register-unsafely-without-email --agree-tos \
   --manual-public-ip-logging-ok \
   -d example.com -d *.example.com

The certbot output will be available under /docker/volumes/, from where it can be mounted into other containers.
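To make the manual dns-01 flow above renewable without a person typing in TXT records, the two hook flags mentioned earlier need a script. Below is an added example of such a script (written for this note; it is not code from the original post and not part of certbot). It is used as both --manual-auth-hook and --manual-cleanup-hook and relies on the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables that certbot exports to manual hooks. Everything about the DNS side is an assumption: the provider is replaced by a flat file (ACME_STATE), the nsupdate batches are only produced for a zone that allows RFC 2136 dynamic updates, and ACME_NS, ACME_PROPAGATION_WAIT and the script path acme-hook.sh are hypothetical names. The one point worth learning from it is the cleanup: an order for both example.com and *.example.com needs two TXT values on the same _acme-challenge.example.com name at the same time, so the cleanup hook must delete only its own value, not the whole record set.

```shell
#!/bin/sh
# Added example for this note; not code from the original post and not part of certbot.
# One script used as both certbot manual hooks:
#   --manual-auth-hook    "/hooks/acme-hook.sh auth"
#   --manual-cleanup-hook "/hooks/acme-hook.sh cleanup"
# certbot exports CERTBOT_DOMAIN (base name, "*." already stripped) and
# CERTBOT_VALIDATION (the TXT value) to both hooks.
# Assumption: the DNS provider is replaced by a flat file, ACME_STATE. Replace
# publish_record/remove_record with your provider's API, or feed the nsupdate
# batches produced below to nsupdate(8) against a zone that allows RFC 2136 updates.
set -eu

ACME_STATE="${ACME_STATE:-/tmp/acme-txt-records}"   # hypothetical stand-in for DNS
ACME_TTL=60

# dns-01 record name: "_acme-challenge." + domain. example.com and *.example.com
# share one record name, so an order for both needs two TXT values at once.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# nsupdate(8) batch that adds one TXT value.
nsupdate_add() {
    printf 'update add %s. %s IN TXT "%s"\nsend\n' \
        "$(acme_record_name "$1")" "$ACME_TTL" "$2"
}

# Delete only the value we added. A bare "update delete NAME TXT" would also
# remove the sibling value the other name in the same order still needs.
nsupdate_delete() {
    printf 'update delete %s. IN TXT "%s"\nsend\n' "$(acme_record_name "$1")" "$2"
}

# Stand-in for publishing to DNS: one "name value" line per record.
publish_record() {
    printf '%s %s\n' "$(acme_record_name "$1")" "$2" >> "$ACME_STATE"
}

# Stand-in for removing from DNS: drop exactly this record, keep the others.
remove_record() {
    name=$(acme_record_name "$1")
    [ -f "$ACME_STATE" ] || return 0
    grep -v -x -F -- "$name $2" "$ACME_STATE" > "$ACME_STATE.tmp" || true
    mv "$ACME_STATE.tmp" "$ACME_STATE"
}

# How many TXT values are currently published for a domain.
published_count() {
    [ -f "$ACME_STATE" ] || { echo 0; return 0; }
    awk -v n="$(acme_record_name "$1")" '$1 == n { c++ } END { print c + 0 }' "$ACME_STATE"
}

# Poll an authoritative server until the value is served; certbot only tells
# Let's Encrypt to validate after the auth hook returns. Needs dig(1).
wait_for_txt() {
    name=$(acme_record_name "$1"); tries=0
    until dig +short "@$3" TXT "$name" | grep -q -F "\"$2\""; do
        tries=$((tries + 1))
        [ "$tries" -lt 24 ] || { echo "record not visible on $3" >&2; return 1; }
        sleep 5
    done
}

case "${1:-}" in
    auth)
        publish_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        # ACME_NS (assumed env var): authoritative nameserver to poll; without
        # it, just wait a fixed time for propagation.
        if [ -n "${ACME_NS:-}" ]; then
            wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$ACME_NS"
        else
            sleep "${ACME_PROPAGATION_WAIT:-30}"
        fi
        ;;
    cleanup)
        remove_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        ;;
esac
```

With the docker setup above, mount the script into the container (for example another -v line pointing at /hooks) and add --manual-auth-hook "/hooks/acme-hook.sh auth" --manual-cleanup-hook "/hooks/acme-hook.sh cleanup" to the certbot command; certbot then stops asking for the TXT record interactively and `certbot renew` works unattended. If dig is not available inside the container, leave ACME_NS unset and rely on the fixed wait. The nginx restart belongs in --deploy-hook, which runs only after a certificate was actually issued, not in the auth hook.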

Pay attention to the --manual-public-ip-logging-ok flag: if you do not specify it, this question appears at startup:

  NOTE: The IP of this machine will be publicly logged as having requested this
  certificate. If you're running certbot in manual mode on a machine that is not
  your server, please ensure you're okay with that.

  Are you ok with your IP being logged?
As I understand it, for now the addresses are not available anywhere (but they are logged), and their publication is planned for the near future. In my personal opinion, a somewhat strange policy.

Source: https://habr.com/ru/post/413017/
