
Comments (6)

JonasAlfredsson commented on May 13, 2024

The scripts will issue three separate certificates if you create three separate config files for each server block; however, if you define all of the server blocks inside the same file, only one certificate file will be created, with all of the different names included in the list of alt names.

In the first case you will make more certificate requests towards Let's Encrypt, so if you have more than 50 separate domain names that you update multiple times per week you will run into rate limits. You may add up to 100 alt names to each certificate file, so if you combine files you can update up to 5000 domains per week, which I believe is quite a lot. If you use more than that, a wildcard certificate would be required, but I don't see that being a realistic use case for this image.

A wildcard certificate would be valid for all subdomains, which would mean that you would only need to handle one file (which is much easier if you aren't using these scripts which make automatic requests for you). A drawback of wildcards is that a *.example.com certificate would be valid for sub.example.com but not sub.sub.example.com, since this would require a *.*.example.com certificate (but double * in a certificate is not valid, so you would have to make a *.sub.example.com certificate instead). This image handles an arbitrary number of subdomains by explicitly including them in each request.

Furthermore, it might be a tiny bit more secure to have a certificate issued to only those domain names that you actually have, instead of accepting any and all subdomains.

from docker-nginx-certbot.
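
The wildcard rule and the per-certificate limits described in the comment above, as an added example that is not part of the thread or of docker-nginx-certbot's scripts: it reports which hostnames a certificate's name list leaves uncovered and splits explicit names into certificates. The limits of 100 and 50 are the figures quoted in the comment, and the hostnames are constructed.

```python
# Figures as quoted in the comment above; they are not read from Let's Encrypt.
MAX_NAMES_PER_CERT = 100   # alt names per certificate
MAX_CERTS_PER_WEEK = 50    # certificate requests per week


def san_matches(san, hostname):
    """True if one alt-name entry covers hostname.

    A '*' stands for exactly one whole left-most label, so it never
    spans a dot and never matches the bare parent domain.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels) or "" in host_labels:
        return False
    if san_labels[0] == "*":
        rest = san_labels[1:]
        # Reject a second wildcard such as *.*.example.com.
        return "*" not in ".".join(rest) and rest == host_labels[1:]
    # Partial wildcards (f*.example.com) are treated as unsupported.
    return "*" not in san and san_labels == host_labels


def uncovered(sans, hostnames):
    """Hostnames that no alt-name entry covers, in input order."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def plan_certificates(hostnames, per_cert=MAX_NAMES_PER_CERT):
    """Split explicit names into certificates of at most per_cert alt names."""
    names = sorted({h.lower() for h in hostnames})
    return [names[i:i + per_cert] for i in range(0, len(names), per_cert)]


def fits_weekly_budget(hostnames, per_week=MAX_CERTS_PER_WEEK):
    """True if one renewal of every planned certificate stays within per_week."""
    return len(plan_certificates(hostnames)) <= per_week


# Constructed sample: the server names a single host might answer for.
HOSTS = ["blog.example.com", "api.example.com", "www.example.com",
         "sub.sub.example.com"]

if __name__ == "__main__":
    print("not covered by *.example.com:", uncovered(["*.example.com"], HOSTS))
    print("explicit-name certificates needed:", len(plan_certificates(HOSTS)))
```
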

JonasAlfredsson commented on May 13, 2024

Just to give an update to this: we now actually support wildcard domains as well. So if anyone runs into this issue in the future it is now fixed :)


JonasAlfredsson commented on May 13, 2024

Hi pradeepvishwakarma,

As of now this image does not support wildcard domains.
The scripts written are designed so you should not need to create a wildcard certificate, since they will make proper certificate requests for each domain you have configured. So from my perspective a wildcard certificate would not add any benefit for what this image offers; however, is there a use case for wildcards that I am not aware of?


mhorlacher commented on May 13, 2024

I was wondering the same. I'm just getting into the topic, but if I'm running e.g. 'blog.example.com', 'api.example.com' and 'www.example.com' on the same server, the script would currently issue three distinct certificates for each sub-domain instead of one for all *.example.com domains? Not sure to what extent this is an issue in practice.


mhorlacher commented on May 13, 2024

That makes sense, thanks for elaborating @JonasAlfredsson!


JonasAlfredsson commented on May 13, 2024

Since I have not seen any more people asking for this feature I will close this issue with "wont do" for now. This might change in the future if enough demand is encountered :)
