Closed natemcmaster closed 3 years ago
Supporting wildcard domains requires DNS challenges to be used - you need to add a _acme-challenge.example.com DNS record. I haven't looked at the code for this library yet, but I assume it currently uses HTTP challenges via custom middleware, so wildcard domains may be non-trivial to implement.
I think it's still possible to do this, but it would require having a programmatic API for the DNS provider so we can add a DNS record on the fly. I would be open to adding an abstraction into the library, something like IDnsRecordProvider.AddTxtRecord(string name, string value), but I've marked this as "help wanted" because I don't plan to implement this myself.
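As an added illustration of what such an abstraction would carry (example code written for this note, not the library's own; the interface name, the async signature and the use of .NET 5+ `SHA256.HashData` are assumptions), the DNS-01 record name and value are derived as RFC 8555 prescribes, including the wildcard case where the leading "*." is stripped:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Hypothetical provider abstraction in the spirit of the one proposed above;
// each DNS provider (Route53, Azure DNS, ...) would implement it.
public interface IDnsRecordProvider
{
    Task AddTxtRecordAsync(string name, string value);
}

// In-memory provider so the example runs without a real DNS API.
public sealed class InMemoryDnsRecordProvider : IDnsRecordProvider
{
    public List<(string Name, string Value)> Records { get; } = new();
    public Task AddTxtRecordAsync(string name, string value)
    {
        Records.Add((name, value));
        return Task.CompletedTask;
    }
}

public static class Dns01Challenge
{
    // RFC 8555 section 8.4: the record lives at _acme-challenge.<identifier>;
    // for a wildcard identifier the leading "*." is dropped, so "*.example.com"
    // and "example.com" both validate through _acme-challenge.example.com.
    public static string RecordName(string identifier)
    {
        var host = identifier.StartsWith("*.", StringComparison.Ordinal)
            ? identifier.Substring(2) : identifier;
        return "_acme-challenge." + host.TrimEnd('.');
    }

    // Key authorization is token + "." + account-key JWK thumbprint; the TXT
    // value is the unpadded base64url SHA-256 digest of that ASCII string.
    public static string RecordValue(string token, string jwkThumbprint)
    {
        var digest = SHA256.HashData(Encoding.ASCII.GetBytes(token + "." + jwkThumbprint));
        return Convert.ToBase64String(digest).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Publish the record; the ACME client should wait for DNS propagation before
    // asking the CA to validate, and remove the record once validation is done.
    public static Task PublishAsync(IDnsRecordProvider dns, string identifier, string token, string thumbprint)
        => dns.AddTxtRecordAsync(RecordName(identifier), RecordValue(token, thumbprint));
}
```

Calling `Dns01Challenge.PublishAsync(new InMemoryDnsRecordProvider(), "*.example.com", token, thumbprint)` with a constructed token and thumbprint records a single TXT entry named `_acme-challenge.example.com`.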
@natemcmaster I wonder if you could just reuse win-acme's code, as it already supports this along with a few DNS providers (acme-dns' API, plus Azure, DreamHost and Route53). I do wonder how tightly coupled it is to Windows though... I assume some of the core code could be reused.
Cross-platform support is a must-have. If someone wants to do the legwork here, I'd be willing to sponsor packages like McMaster.AspNetCore.LetsEncrypt.{DnsProvider} which provide support for each DNS provider. Again, we'd need an abstraction in the base package which each DNS provider can implement.
How can I add a DNS TXT record manually? Is there a way? I have an application that doesn't serve HTTP content. @natemcmaster
@ErcinDedeoglu do you mean you only want to serve HTTPS traffic? If so, this was addressed with #75 and is available as a beta https://www.nuget.org/packages/McMaster.AspNetCore.LetsEncrypt/0.5.0-beta.185
DNS validation is not currently implemented. If you are interested in helping build this, let me know and I can assign this issue to you.
First of all, thanks for the great library @natemcmaster. This is an awesome solution for all, and it saves a lot of time.
My environment has only 1 IP address and an installed IIS server with many websites on it. So I can't use port 80, because Kestrel doesn't have a feature for sharing a port with IIS, as far as I know.
So the only solution for me is a TXT record on DNS. I can't validate domain ownership with port 80. I tried the beta version as you mentioned. But this is the case and I couldn't solve it.
@ErcinDedeoglu are you exposing Kestrel on port 443 with HTTPS?
@natemcmaster IIS is using port 443 for other websites. So I changed the web API/SignalR port to 8080 with HTTPS.
@ErcinDedeoglu - for your IIS websites, you'll need to use a different project (see https://github.com/natemcmaster/LetsEncrypt#aspnet-core-with-iis for an explanation.) For your traffic on port 8080, this project also can't help until this DNS feature is implemented. According to the Let's Encrypt protocol, they will only do HTTP and TLS-ALPN challenge verification on ports 80 and 443, respectively, leaving DNS verification as your only option.
The most recent release includes what was the most upvoted features (TLS ALPN and auto-renewal). With those out the door, this is probably the next-most requested feature. I'd be happy to have help implementing, if you're interested. If not, I'll look into it when I get free time (which is scarce...like it is for most parents these days.)
Yes, need this as well. We use AWS Route53 which has an API so we can easily add a TXT record.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Please comment if you believe this should remain open, otherwise it will be closed in 14 days. Thank you for your contributions to this project.
Closing because there was no response to the previous comment. If you are looking at this issue in the future and think it should be reopened, please make a comment and mention natemcmaster so he sees it.
Hi @natemcmaster! I made a new issue referencing this (#217)
This is more of an ACME question probably, but it seems like an HTTP challenge to _acme-challenge.example.com (or any other random prefix segment) should work if you have an appropriate wildcard DNS record already set up.
FYI this will be added in the next release thanks to @klowdo via https://github.com/natemcmaster/LettuceEncrypt/pull/283
Update the client usage to support ACME v2 and wildcard domains