acme Let's Encrypt Wildcards

For simplicity, I have been using Cloudflare to manage my DNS. Also, I use pfSense as my router, so I installed the acme cert renewer package in pfSense. For this post, however, I am only concerned with the acme and Cloudflare DNS setup needed to generate certs for my domain and all of its sub-domains. The domain itself is easy; there is plenty of content on setting up domain cert generation between acme and Cloudflare. That is not true for sub-domains, so this article focuses on getting those working.

Step 1 - Setup a CNAME

First, that seems simple enough if you know what you are doing. However, it took me a few days to understand the logic of it in Cloudflare.

  1. Understand Name and Content
    • Name - is the sub domain record that is going to be aliased under the top level domain. For example, would be the sub domain and I want it aliased to the TXT on
      • Set the Name to _acme-challenge.dmz; Cloudflare completes it with the TLD (Top Level Domain).
    • Content is the actual record the CNAME points to, the one that will hold the TXT. In my case below it is
      • I set to
      • When run, acme creates a TXT record at containing a generated one-time key, very similar to how it normally uses _acme-challenge for plain domains, except that it uses the unique name I specified. Note: this helps with multiple domains because I set each one up with a unique name, so there are not multiple _acme-challenge records competing during renewal of certs.
    • This is set up this way to match what the --domain-alias flag expects; the command in step 2 is a real --domain-alias example for the dmz and ad sub domains.
  2. Configure correctly with all Cloudflare keys
    • Mostly beyond the scope of this article. I will show the key elements, but will not elaborate on them, as there are many articles out there that explain this process. I will also list them below.
    • You need to create at least two domain entries: one for * and
    • Example of
    • /usr/local/pkg/acme/ --issue --domain '*' --domain-alias '' --dns 'dns_cf' --domain '' --domain-alias '' --dns 'dns_cf' --home '/tmp/acme/' --accountconf '/tmp/acme/' --force --reloadCmd '/tmp/acme/' --log-level 3 --log '/tmp/acme/'
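To make the Name/Content logic above concrete, here is an added example (my own Python, not code from the original post, from acme.sh, or from Cloudflare) that models the DNS-01 validation path: where acme.sh publishes the TXT record for --domain-alias versus --challenge-alias, and where the CA looks after following the CNAME from _acme-challenge.<host>. Every zone record and name in it (example.com, dmz-acme.example.com, ad-acme.example.com, the token value) is a constructed placeholder; swap in your own names to reason through a setup before running --issue.

```python
"""Added example (not from the original post): a small model of how a
DNS-01 challenge is found when _acme-challenge.<host> is a CNAME, so the
Name/Content setup can be checked before running acme.sh --issue.
All names and records below are constructed placeholders."""
from typing import Dict, List, Optional, Set

ACME_LABEL = "_acme-challenge"


class Zone:
    """Toy authoritative zone holding only CNAME and TXT records.
    Names are stored lowercased and without a trailing dot."""

    def __init__(self) -> None:
        self.cname: Dict[str, str] = {}
        self.txt: Dict[str, Set[str]] = {}

    @staticmethod
    def _norm(name: str) -> str:
        return name.strip().rstrip(".").lower()

    def add_cname(self, name: str, target: str) -> None:
        self.cname[self._norm(name)] = self._norm(target)

    def add_txt(self, name: str, value: str) -> None:
        self.txt.setdefault(self._norm(name), set()).add(value)

    def resolve_txt(self, name: str, max_hops: int = 8) -> Set[str]:
        """Follow CNAMEs the way a validating CA resolver would, then read TXT."""
        cur = self._norm(name)
        for _ in range(max_hops):
            if cur not in self.cname:
                break
            cur = self.cname[cur]
        else:
            raise ValueError(f"CNAME chain from {name} is too long or loops")
        return set(self.txt.get(cur, ()))


def challenge_name(domain: str) -> str:
    """Where the CA queries. The leading '*.' is dropped, so the wildcard
    and the apex share one _acme-challenge name."""
    host = domain.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return f"{ACME_LABEL}.{host}"


def publish_name(domain: str, alias: Optional[str], mode: str) -> str:
    """Where acme.sh writes the TXT record.
    'domain-alias'    -> --domain-alias: TXT goes to the alias name as given
    'challenge-alias' -> --challenge-alias: TXT goes to _acme-challenge.<alias>
    'none'            -> no alias: TXT goes to _acme-challenge.<domain>"""
    if alias is None or mode == "none":
        return challenge_name(domain)
    alias = alias.lower().rstrip(".")
    if mode == "domain-alias":
        return alias
    if mode == "challenge-alias":
        return f"{ACME_LABEL}.{alias}"
    raise ValueError(f"unknown mode {mode!r}")


def preflight(zone: Zone, domain: str, alias: Optional[str], mode: str) -> List[str]:
    """Return the problems with the CNAME setup for one --domain entry.
    An empty list means the CA will find exactly what acme.sh publishes."""
    problems: List[str] = []
    query = challenge_name(domain)
    target = publish_name(domain, alias, mode)
    if alias is not None and mode != "none":
        cname = zone.cname.get(query)
        if cname is None:
            problems.append(f"no CNAME at {query}; add Name={query} Content={target}")
        elif cname != target:
            problems.append(f"CNAME at {query} points to {cname}, "
                            f"but acme.sh will write the TXT at {target}")
    # Simulate the round trip with a constructed token (not a real ACME value).
    token = "constructed-token-value"
    zone.add_txt(target, token)
    try:
        seen = zone.resolve_txt(query)
    except ValueError as exc:
        problems.append(str(exc))
        seen = set()
    if token not in seen:
        problems.append(f"CA query for {query} would not see the TXT at {target}")
    zone.txt[target].discard(token)  # remove the token again, as acme.sh cleanup does
    return problems


def demo_zone() -> Zone:
    """Constructed records modelled on the post's layout: each sub domain's
    _acme-challenge name is a CNAME to its own unique alias record."""
    z = Zone()
    z.add_cname("_acme-challenge.dmz.example.com", "dmz-acme.example.com")
    z.add_cname("_acme-challenge.ad.example.com", "ad-acme.example.com")
    return z


if __name__ == "__main__":
    zone = demo_zone()
    for dom, al, mode in [("*.example.com", None, "none"),
                          ("dmz.example.com", "dmz-acme.example.com", "domain-alias"),
                          ("ad.example.com", "ad-acme.example.com", "domain-alias"),
                          ("dmz.example.com", "dmz-acme.example.com", "challenge-alias"),
                          ("lab.example.com", "lab-acme.example.com", "domain-alias")]:
        print(dom, mode, "->", preflight(zone, dom, al, mode) or "ok")
```

Run it directly to print the checks. The challenge-alias case is included on purpose: acme.sh prefixes _acme-challenge. to that alias, so a CNAME whose Content was entered for --domain-alias (the bare unique name) no longer lands where the TXT is written, and the CA sees nothing. The lab entry shows the other common miss, a --domain entry with no CNAME created for it at all.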

Other Sources of Info

So, as promised, I am going to provide a list of resources to help with this endeavor.
