Let's Encrypt started issuing wildcard certificates

Let's Encrypt has crossed an important milestone - since March 14, everyone can get a free SSL / TLS certificate of the form * .example.com . An example of an installed certificate:

https://subdomain.baur.im
https://any-text.baur.im

Yesterday, Let's Encrypt officially announced the launch of ACMEv2 (Automated Certificate Management Environment), which finally allows you to get a wildcard certificate. It was originally planned to start issuing them in January , but the launch was postponed due to problems found .

Obtaining a wildcard certificate is now possible only through the DNS challenge, where you need to temporarily create a TXT record of the form _acme-challenge.example.com with a specific value.

The official Certbot client and some other clients for automatic certificate renewal already support staging ACMEv2, the production version is coming. And to automatically pass the DNS challenge there are already several special Certbot plugins . Of course, soon there will be more more, including for third-party customers.

As a simple example, I manually received a certificate for the domain I own - baur.im, through a browser client https://www.sslforfree.com . If I want to use the same certificate for both sub-domains and the domain itself, then this must be specified explicitly: baur.im * .baur.im (pictures are clickable):

Going further, it is proposed to pass two DNS challenge.

Add both requested TXT records to the _acme-challenge.baur.im sub-domain

And you can download a certificate that will last 3 months.

Now these TXT records can be deleted. In this example, for any sub-domain, nginx returns a static html:https://habrahabr.baur.im/ .