Al's Down`N Dirty KB
  • Let’s Encrypt and Sub-Doman Wildcards

Let’s Encrypt and Sub-Domain Wildcards

Posted on October 11, 2022 (updated October 13, 2022) by admin

For simplicity, I have been using Cloudflare to manage my DNS, and pfSense as my router, so I installed the acme cert renewer package in pfSense. This post is concerned only with the acme.sh and Cloudflare DNS setup needed to generate certs for my domain and all of its sub-domains. The domain itself is easy: there is plenty of content on setting up domain cert generation between acme.sh and Cloudflare. That is not true for sub-domain wildcards, so this article focuses on getting that working.

Step 1 – Setup a CNAME

First, this seems simple enough if you know what you are doing. However, it took me a few days to understand the logic of it in Cloudflare.

  1. Understand Name and Content
    • Name – is the sub-domain whose challenge is going to be aliased. For example, dmz.alshowto.com is the sub-domain, and I want its _acme-challenge name aliased to a TXT record elsewhere on alshowto.com.
      • Set it to _acme-challenge.dmz; Cloudflare completes it with the zone name (alshowto.com), giving _acme-challenge.dmz.alshowto.com. Note that this is the zone name, not the TLD; the TLD is just .com.
    • Content – is the actual record that will contain the text, i.e. the CNAME target. In my case below it is
      • acme.alshowto.com
      • When acme.sh runs, it creates a TXT record at acme.alshowto.com containing a generated one-time token, very similar to how it normally uses _acme-challenge.<domain> for ordinary domains, only it uses the unique name I specified. Note: this helps with multiple domains; I set up each one with its own unique alias name, so there will not be several _acme-challenge TXT records piling up at the same name during renewal of certs.
      • Set the CNAME to DNS only (grey cloud). A proxied record is answered from Cloudflare's edge instead of as a CNAME, so the validation lookup never reaches the TXT record.
    • This is set up this way to match the --domain-alias flag in acme.sh: the CNAME target is what gets passed as --domain-alias, and in this mode acme.sh writes the TXT record at that exact name (no _acme-challenge prefix). Step 2 has a real --domain-alias example for the dmz and ad sub-domains.
  2. Configure acme.sh correctly with all Cloudflare keys
    • Mostly beyond the scope of this article. I will show the key elements, but will not elaborate on them, as there are many articles out there explaining this process; I list some of them below. One point worth making: give acme.sh a Cloudflare API token scoped to DNS edit on the one zone (the CF_Token settings of the dns_cf hook) rather than the account-wide Global API Key (CF_Key and CF_Email). If the token is ever read out of the pfSense config, it can then only edit that zone.
    • You need to create at least two domain entries, one for *.sub.domain.com and one for sub.domain.com, because a wildcard does not cover the bare name itself.
    • Example of acme.sh as run from pfSense (each --domain is paired with its own --domain-alias and --dns):
    • /usr/local/pkg/acme/acme.sh --issue --domain '*.ad.alshowto.com' --domain-alias 'acme2.alshowto.com' --dns 'dns_cf' --domain 'ad.alshowto.com' --domain-alias 'acme2.alshowto.com' --dns 'dns_cf' --home '/tmp/acme/real-ad.alshowto.com/' --accountconf '/tmp/acme/real-ad.alshowto.com/accountconf.conf' --force --reloadCmd '/tmp/acme/real-ad.alshowto.com/reloadcmd.sh' --log-level 3 --log '/tmp/acme/real-ad.alshowto.com/acme_issuecert.log'
    • The --force flag makes acme.sh issue even when the existing cert is not due for renewal. Re-running this by hand while debugging the CNAMEs will eat into Let's Encrypt's duplicate-certificate rate limit, so drop --force (or test against the staging server) until the DNS side is known to work.
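As an added example (not from the post, the pfSense package, or acme.sh itself), here is a small POSIX shell pre-flight script that checks the CNAME half of step 1 with dig before acme.sh is run, and then prints the two-entry issue command from step 2 for each sub-domain. It assumes dig is installed and that the alias targets are the ones used above (acme.alshowto.com for dmz, acme2.alshowto.com for ad); the ALIAS_MAP table is my own construction, and the command it prints mirrors the shape of the pfSense command above minus the pfSense-specific --home, --accountconf, --reloadCmd and --log paths.

```shell
#!/bin/sh
# Pre-flight check for acme.sh DNS alias mode (the --domain-alias variant).
# Added example, not part of the original post or of acme.sh.
# For each sub-domain it verifies that _acme-challenge.<sub> is a CNAME pointing
# at the alias name that will be passed as --domain-alias, then prints the
# acme.sh command that issues one certificate covering *.<sub> and <sub>.

# Constructed mapping: "<sub-domain> <alias name that will hold the TXT record>".
# The names are the post's own; the pairing is an assumption for this example.
ALIAS_MAP="dmz.alshowto.com acme.alshowto.com
ad.alshowto.com acme2.alshowto.com"

# Resolver command. Override with e.g. DIG="dig @1.1.1.1" to ask Cloudflare's
# public resolver instead of a local cache that may still hold a stale answer.
: "${DIG:=dig}"

# Print the CNAME target of a name, without the trailing dot that dig adds.
cname_target() {
  $DIG +short CNAME "$1" | sed 's/\.$//'
}

# Return 0 if _acme-challenge.<sub> is a CNAME to <target>, 1 otherwise.
check_alias() {
  sub="$1"; target="$2"
  got="$(cname_target "_acme-challenge.$sub")"
  if [ -z "$got" ]; then
    echo "MISSING: _acme-challenge.$sub has no CNAME record" >&2
    return 1
  fi
  if [ "$got" != "$target" ]; then
    echo "WRONG: _acme-challenge.$sub -> $got, expected $target" >&2
    return 1
  fi
  echo "OK: _acme-challenge.$sub -> $target"
}

# Print the issue command: the wildcard AND the bare name, each paired with its
# alias and DNS hook, because *.sub.domain does not cover sub.domain itself.
issue_cmd() {
  sub="$1"; target="$2"
  printf "acme.sh --issue --domain '*.%s' --domain-alias '%s' --dns dns_cf --domain '%s' --domain-alias '%s' --dns dns_cf\n" \
    "$sub" "$target" "$sub" "$target"
}

# Check every mapping; exit status is 1 if any CNAME is missing or wrong.
# Only sub-domains whose CNAME is correct get an issue command printed.
check_all() {
  rc=0
  while read -r sub target; do
    [ -z "$sub" ] && continue
    if check_alias "$sub" "$target"; then
      issue_cmd "$sub" "$target"
    else
      rc=1
    fi
  done <<EOF
$ALIAS_MAP
EOF
  return $rc
}

# Usage: sh acme-preflight.sh run
if [ "${1:-}" = "run" ]; then
  check_all
fi
```

Once acme.sh has written the token (or while it is waiting for propagation), `dig +short TXT _acme-challenge.dmz.alshowto.com` should print the CNAME target followed by the token; an empty answer means the CNAME is proxied, still propagating, or pointing at the wrong name, and that is what Let's Encrypt will see too.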

Other Sources of Info

So, as promised, here is a list of resources to help with this endeavor.

  • acme related info
    • https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode – alias mode info.
    • https://letsencrypt.org/ – general Let's Encrypt info.
  • https://www.danielcolomb.com/2019/08/29/creating-wildcard-certificates-on-pfsense-with-lets-encrypt/ – good general info on acme in pfSense.
  • https://docs.netgate.com/pfsense/en/latest/packages/acme/index.html – pfSense acme help.
  • https://dan.langille.org/2019/02/01/acme-domain-alias-mode/ – more info on alias mode and Cloudflare.

Tags: acme.sh cloudflare Let's Encrypt pfSense
