Koozali.org: home of the SME Server

Wildcard and dehydrated

Offline Rudi

Wildcard and dehydrated
« on: June 11, 2023, 02:06:33 PM »
I am trying to solve an old quest. With letsencrypt V2 now fully embedded, it would be easy to also get a Wildcard certificate.
If only I knew how to stop the Script running for a Minute or two when it Challenges a *.Domain.TLD.
And there would need to be an Output stating the token Value I need to publish via my DNS control.
That could look like this:

>  dehydrated -c -t dns-01
...
> ... many Lines as usual ..
... until:
>  Handling authorization for *.bigbold.net
> Token to be used with TXT Record in DNS: "eqigLWFBEV9Odlsr8ptYiTjDZzPmVM7s20U0RHTwAGw"
> Script Paused
> Continue Y/N

And as soon as I did my DNS Change I return and click Y
...
How could I/we make that possible?
I know how to code PHP but Perl is not my World, ...
Can Somebody please pick up my Idea and tell me where I need to change and what!?
I then could test it on my Server and as soon as it works return a List of Changes I made to you so others could also use this Idea!?

Thanks!!
Rudi
« Last Edit: June 11, 2023, 02:10:05 PM by Rudi »

Offline ReetP

Re: Wildcard and dehydrated
« Reply #1 on: June 11, 2023, 03:53:48 PM »
Tell us what the problem is you are actually trying to fix (see the "XY problem"), and describe more of your setup.

Why do you need a wildcard certificate?

What problem would it solve?

Why doesn't the current system work for you?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Rudi

Re: Wildcard and dehydrated
« Reply #2 on: June 12, 2023, 09:44:01 AM »
> Tell us what the problem is you are actually trying to fix (see the "XY problem"), and describe more of your setup.
>
> Why do you need a wildcard certificate?
>
> What problem would it solve?
>
> Why doesn't the current system work for you?
I have a Server running Koozali SME 10.1.
On this Server I have a Project depending on an ibay and subdomain per Client.
Additionally there are a few supporting Domains on this server as well.

I do use dehydrated for Certificates but this is limited to 100 Domains per Certificate.
So instead of having 4 Supporting domains and a Maximum of 96 Client-Subdomains, it would be much more practical to just have the 4 Domains plus one Wildcard.

I already checked that I need to use my DNS Provider to set the TXT Entry for the necessary dns-01 request to get the Wildcard Certificate. But dehydrated creates the actual Key live and new each time.
So I cannot set the TXT Record in Time.

So if the Script would pause at a Wildcard Domain, as I suggested, all of this would work just fine.
I just do not know how to code something like that in Perl and I have no idea in which files I would need to work either.
 
« Last Edit: June 12, 2023, 09:46:58 AM by Rudi »

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Wildcard and dehydrated
« Reply #3 on: June 12, 2023, 09:58:26 AM »
I think you should reference this bug, which should in fact be two:

1 - need to have multiple certs supported because of reaching the limit of 100

2 - need to support DNS validation

https://bugs.koozali.org/show_bug.cgi?id=11796

> I know how to code PHP but Perl is not my World, ...
Well, you are lost there because dehydrated actually uses bash, not perl.

1/ for the multiple certificates
You could simply disable the 90 or so domains from Let's Encrypt and only enable the 4 you need. The LE contrib allows you to ask for all hosts/domains, all domains, or only selected hosts and domains.
Then you could use the SME way to add a custom template fragment to /etc/dehydrated/domains.txt with a line containing either only your wildcard or your list of 90 subdomains.

2/ for the DNS part

You should first check who your DNS provider is and what hook you should use, then configure the needed tokens on its website, then configure the appropriate hook, then call it in the basic hook script we use.
You could configure the DNS challenge for one domain only by reading the documentation of dehydrated, which states you can add a drop-in config in /etc/dehydrated/certs/yourdomain/config and say there that you want to use DNS validation.

Remember that our dehydrated configuration has been meant for standalone automatic renewal. You cannot pause a cron job waiting for you to input something elsewhere and then resume the script.
If you want to renew manually then create your own config and domains.txt and point the CLI at them manually to renew those domains.

Offline Rudi

Re: Wildcard and dehydrated
« Reply #4 on: June 12, 2023, 10:32:26 AM »
> I think you should reference this bug, which should in fact be two:
>
> 1 - need to have multiple certs supported because of reaching the limit of 100
>
> 2 - need to support DNS validation
>
> https://bugs.koozali.org/show_bug.cgi?id=11796
> Well, you are lost there because dehydrated actually uses bash, not perl.
>
> 1/ for the multiple certificates
> You could simply disable the 90 or so domains from Let's Encrypt and only enable the 4 you need. The LE contrib allows you to ask for all hosts/domains, all domains, or only selected hosts and domains.
> Then you could use the SME way to add a custom template fragment to /etc/dehydrated/domains.txt with a line containing either only your wildcard or your list of 90 subdomains.
>
> 2/ for the DNS part
>
> You should first check who your DNS provider is and what hook you should use, then configure the needed tokens on its website, then configure the appropriate hook, then call it in the basic hook script we use.
> You could configure the DNS challenge for one domain only by reading the documentation of dehydrated, which states you can add a drop-in config in /etc/dehydrated/certs/yourdomain/config and say there that you want to use DNS validation.
>
> Remember that our dehydrated configuration has been meant for standalone automatic renewal. You cannot pause a cron job waiting for you to input something elsewhere and then resume the script.
> If you want to renew manually then create your own config and domains.txt and point the CLI at them manually to renew those domains.

Hi Jean-Philippe,

thank you for your help, but I do not understand the explanation on how I can tell dehydrated which key to use for a dns-01 call. Can you explain it to me for dummies?

I know how to set a DNS Entry with my Domain provider and their system posts any of my changes within a Minute or two. And I have no problem with getting a new certificate by hand every 3 Months, no need for the Cronjob here for me ;-)

But I think I will want to go this way: I try to create an extra Template for a new bash script. I know they can pause because they do it in Cron when installing anything, right. So I could try to find the Lines doing this and implement them in the new script. My Method of calling the actual Script:
# dehydrated -c -t dns-01
works in principle, but it does not pause ... which clearly would end fatally for a cronjob ... but would work if called by hand. So what if I could add a Parameter when calling by hand? For example:
# dehydrated -c -t -pause dns-01

OR in the bash Script itself, it could do something like this: if called Method == "dns-01" AND if Domain HAS * then "Pause" and output "Token" !?!

Oh, and by the way, I do not see this as a bug, I see it as a new feature ;-)
Thanks, Rudi
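To make the two points of the thread concrete (Jean-Philippe's: dehydrated drives DNS validation through a hook script, and a cron-driven renewal cannot pause; Rudi's: a manual run could stop, show the token and wait for the DNS change), here is an added example hook script. It is not part of this thread, of the SME Server Let's Encrypt contrib, or of dehydrated itself. It assumes dehydrated's documented hook interface (the hook is called as `hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE` and `hook.sh clean_challenge` with the same arguments, and for dns-01 TOKEN_VALUE is the value to publish at `_acme-challenge.<domain>`), that `dig` from bind-utils is installed, and that the `POLL_INTERVAL`, `POLL_MAX` and `RESOLVER` variables are my own choices. The pause is implemented in the hook rather than by patching dehydrated, and the hook refuses to block when there is no terminal, so a cron run fails quickly instead of hanging.

```shell
#!/bin/sh
# Constructed example of a manual dns-01 hook for dehydrated (not the SME
# contrib hook). dehydrated invokes it as:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE

# Assumed tuning values: seconds between DNS polls and how many polls to try.
POLL_INTERVAL=${POLL_INTERVAL:-15}
POLL_MAX=${POLL_MAX:-40}
# Optional resolver to query (e.g. one of the zone's authoritative servers) so
# that a cached negative answer from the local resolver does not mislead us.
RESOLVER=${RESOLVER:-}

# Name of the TXT record the CA will look up. A leading "*." is stripped
# defensively: *.bigbold.net is validated at _acme-challenge.bigbold.net.
acme_record_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# Return 0 once a lookup shows the expected token in the TXT record.
txt_record_visible() {
    name="$1"; expected="$2"
    if [ -n "$RESOLVER" ]; then server="@$RESOLVER"; else server=""; fi
    dig +short TXT "$name" $server 2>/dev/null | tr -d '"' | grep -qxF -- "$expected"
}

# The "pause" from the thread: show the record, wait for the operator, then
# verify the record is really visible before dehydrated asks the CA to check.
# Without a terminal (cron) we fail fast instead of waiting forever.
deploy_challenge() {
    domain="$1"; token="$3"
    name=$(acme_record_name "$domain")
    if [ ! -t 0 ]; then
        echo "deploy_challenge: no terminal to pause on; dns-01 for $domain needs an interactive run" >&2
        return 1
    fi
    printf '\nPublish this TXT record at your DNS provider:\n  %s  TXT  "%s"\n' "$name" "$token"
    printf 'Press Enter once the record is live... '
    read -r _answer
    n=0
    until txt_record_visible "$name" "$token"; do
        n=$((n + 1))
        if [ "$n" -ge "$POLL_MAX" ]; then
            echo "TXT record $name still not visible after $((n * POLL_INTERVAL))s; giving up" >&2
            return 1
        fi
        sleep "$POLL_INTERVAL"
    done
    echo "TXT record visible; continuing with validation"
}

# Counterpart: the record is only needed during validation.
clean_challenge() {
    printf 'You can now delete the TXT record %s\n' "$(acme_record_name "$1")"
}

# Dispatch on the operation dehydrated passes; other operations
# (deploy_cert, unchanged_cert, ...) are not needed for this example.
case "${1:-}" in
    deploy_challenge|clean_challenge) op="$1"; shift; "$op" "$@" ;;
    *) : ;;
esac
```

To use it for a manual run only, as Jean-Philippe suggests, keep the contrib's cron configuration untouched, put the wildcard (for example `*.bigbold.net`) in its own domains.txt line, and in that certificate's drop-in `config` set `CHALLENGETYPE="dns-01"` and `HOOK` to the path of this script; then run dehydrated from a terminal. The assertions below only cover the offline parts (record naming and the refusal to block without a terminal), since the DNS poll needs a live zone.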
   

Offline ReetP

Re: Wildcard and dehydrated
« Reply #5 on: June 12, 2023, 10:40:30 AM »
IIRC wildcards weren't even supported when we wrote this.

As JP pointed out, you have a bug for wildcards already so follow up on there. No point in keeping asking here.

You can add a new one for DNS.

Note. There are other competing priorities with limited devs - moving to git, SME 11 - which means this isn't top of the pile.

As I said on the bug, patches welcome, but some of this is non-trivial.

Either way, if you are trying to do this you really need to acquire some skills, even for testing. The only thing you need perl for is templates, and that is simple code with lots of templates as examples plus a wiki.

You also need to go and read the dehydrated documentation and code. And then look at the SME implementation including action scripts etc. If you don't understand how it works you can't fix anything.

I said before to talk to us on Rocket if you are developing. You may get more help as it is an easier place to discuss code. But right now no one is going to write it for you.

« Last Edit: June 13, 2023, 10:05:35 AM by ReetP »