Let's Encrypt has crossed an important milestone: since March 14, anyone can obtain a free SSL/TLS certificate of the form *.example.com. An example of such a certificate installed on a site:
https://subdomain.baur.im
https://any-text.baur.im
Yesterday, Let's Encrypt officially announced the launch of ACMEv2 (Automated Certificate Management Environment, version 2), which finally makes it possible to obtain a wildcard certificate. Issuance was originally planned to start in January, but the launch was postponed because of problems that were found.
A wildcard certificate can currently be obtained only through the DNS challenge: you must temporarily create a TXT record named _acme-challenge.example.com with a specific value handed out by the CA.
The official Certbot client and several other clients for automatic certificate renewal already support the ACMEv2 staging environment; production support is on the way. Several Certbot plugins already exist for completing the DNS challenge automatically, and more will certainly follow, including for third-party clients.
As a simple example, I manually obtained a certificate for a domain I own, baur.im, through the browser-based client https://www.sslforfree.com. If you want the same certificate to cover both the subdomains and the bare domain itself, this must be requested explicitly: baur.im *.baur.im
On the next step, you are asked to complete two DNS challenges.
Add both requested TXT records at the _acme-challenge.baur.im subdomain.
After that you can download a certificate that will be valid for 3 months.
The TXT records can now be deleted. In this example, nginx serves static HTML for any subdomain: https://habrahabr.baur.im/ .
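The DNS challenge described above has a well-defined answer: the TXT value is the base64url SHA-256 digest of the challenge token joined to the account key's JWK thumbprint (RFC 8555 section 8.4, RFC 7638), and when baur.im and *.baur.im are requested together the CA hands out two tokens for the same _acme-challenge name, so both records must coexist. The script below is an added example, not code from the original post, from Let's Encrypt or from sslforfree.com; the account key, tokens and record values in it are constructed placeholders.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members only,
    lexicographically ordered, with no whitespace (kid/alg are ignored)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value for the _acme-challenge TXT record (RFC 8555 section 8.4):
    base64url(SHA-256(token "." thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenges_satisfied(tokens, account_jwk, published_txt) -> bool:
    """Mirror the CA's check: every expected value must appear among the TXT
    records at _acme-challenge.<domain>. For 'example.com' together with
    '*.example.com' the CA issues two tokens for the same name, so both
    records have to be published side by side, not one replacing the other."""
    expected = {dns01_txt_value(t, account_jwk) for t in tokens}
    return expected <= set(published_txt)


# Constructed sample data: not a real account key and not real CA tokens.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-placeholder", "kid": "acct-1"}
SAMPLE_TOKENS = ["token-for-baur-im", "token-for-wildcard-baur-im"]

if __name__ == "__main__":
    values = [dns01_txt_value(t, SAMPLE_JWK) for t in SAMPLE_TOKENS]
    for v in values:
        print(f'_acme-challenge.baur.im. 300 IN TXT "{v}"')
    print("both published:", challenges_satisfied(SAMPLE_TOKENS, SAMPLE_JWK, values))
    print("only first published:", challenges_satisfied(SAMPLE_TOKENS, SAMPLE_JWK, values[:1]))
```

Before telling the CA to validate, a client can query the public resolvers for the two TXT records and run them through challenges_satisfied; a missing second record is the usual reason the wildcard order fails.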
Source: https://habr.com/ru/post/351252/