
How to Config for On-Demand Wildcard Certificates #319

Open
rjbasitali opened this issue Nov 7, 2024 · 4 comments
Labels
question Further information is requested

Comments

@rjbasitali
Contributor

What is your question?

I have a proxy server which is using certmagic to issue on-demand TLS certificates. The on-demand function checks a cache/database to decide whether the domain is allowed or not, so the TLS certificate is issued or denied, which works perfectly fine.

Now, I have to add support for issuing on-demand wildcard certificates. I'm using the same on-demand function to decide if the domain name is allowed to have a wildcard certificate and to get the DNS provider config for it from the cache/database, so I can use the appropriate libdns implementation (e.g. godaddy) to issue the wildcard using the DNS challenge.

What have you already tried?

I've tried calling the following function from my on-demand function if a domain is allowed to have a wildcard, but it doesn't trigger anything (creation of certificate or errors):

package main

import (
	"context"

	"github.com/caddyserver/certmagic"
	"github.com/libdns/godaddy"
	"go.uber.org/zap"
)

// wildcard builds a certmagic Config that only solves the DNS-01 challenge
// (the only challenge type that can validate a wildcard name) and starts
// managing *.xyz.com in the background. apiKey, email, ca and logger are
// the values previously read from the caller's cfg/srv objects.
func wildcard(apiKey, email, ca string, logger *zap.Logger) error {
	config := certmagic.NewDefault()

	dnsACME := certmagic.NewACMEIssuer(config, certmagic.ACMEIssuer{
		DNS01Solver: &certmagic.DNS01Solver{
			DNSManager: certmagic.DNSManager{
				DNSProvider: &godaddy.Provider{
					APIToken: apiKey,
				},
				Logger: logger,
			},
		},
		Email:                   email,
		CA:                      ca,
		Agreed:                  true,
		DisableHTTPChallenge:    true,
		DisableTLSALPNChallenge: true,
		Logger:                  logger,
	})

	config.Issuers = []certmagic.Issuer{dnsACME}

	// On-demand mode: a certificate is only obtained when a TLS handshake
	// arrives for a name; this decision function allows every name.
	config.OnDemand = &certmagic.OnDemandConfig{
		DecisionFunc: func(ctx context.Context, name string) error {
			return nil
		},
	}

	// ManageAsync takes a slice of names, not a single string.
	return config.ManageAsync(context.Background(), []string{"*.xyz.com"})
}

In the on-demand function I return an error, errors.New("managing wildcard certificate async"), so it doesn't continue issuing a TLS certificate for abc.xyz.com and instead creates a wildcard certificate for *.xyz.com in the above function.

Bonus: What do you use this package for, and does it help you?

I'm using it in a custom reverse proxy written in Go and it has really helped me for the past years, as this reverse proxy also needs to provision the TLS certificates.

@rjbasitali rjbasitali added the question Further information is requested label Nov 7, 2024
@mholt
Member

mholt commented Nov 13, 2024

I guess I don't understand a few things.

Now, I have to add support for issuing on-demand wildcard certificates

What is your use case for on-demand wildcard certificates? That seems unusual to me.

I've tried calling the following function from my on-demand function if a domain is allowed to have a wildcard, but it doesn't trigger anything

That function starts managing a wildcard domain asynchronously with on-demand enabled, which means that it won't "trigger" anything until a TLS server associated with that config receives a handshake for a domain name in its SNI, but the SNI will never be a wildcard.🤷‍♂

@rjbasitali
Contributor Author

@mholt

Thanks for replying.

Regarding:

What is your use case for on-demand wildcard certificates? That seems unusual to me.

We provide managed hosting for a software that needs wildcard domains to be pointed to our proxy (that handles TLS handshake/termination), and anyone who's subscribing to our services can add a wildcard DNS record on their domain (which points to the proxy) and start using our services.

That function starts managing a wildcard domain asynchronously with on-demand enabled, which means that it won't "trigger" anything until a TLS server associated with that config receives a handshake for a domain name in its SNI, but the SNI will never be a wildcard.🤷‍♂

Does it mean that we cannot manage a wildcard certificate with on-demand enabled? And the SNI won't be a wildcard, it will be a subdomain; how do we make the SNI a wildcard instead (knowing that the SNI/subdomain should be a wildcard instead)?

@mholt
Member

mholt commented Nov 15, 2024

Does it mean that we cannot manage a wildcard certificate with on-demand enabled?

There is a way, but you need to use an experimental API, SubjectTransformer: https://pkg.go.dev/github.com/caddyserver/certmagic#Config.SubjectTransformer

Let me know if that works for you 👍
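The pieces the thread describes, written out as an added example (not code from the issue, from mholt, or from the certmagic project): an on-demand DecisionFunc that only admits names under a zone registered in the cache/database the poster mentions, and a SubjectTransformer that maps the handshake SNI (abc.xyz.com) to the wildcard subject (*.xyz.com) so that on-demand issuance requests the wildcard instead. The transformer signature func(context.Context, string) string and the field names in the wiring comment are assumed from memory; check the linked pkg.go.dev page. The zone registry is constructed sample data. A wildcard covers exactly one label, so the example also maps a.b.xyz.com to *.b.xyz.com and leaves the apex xyz.com alone.

```go
package main

import (
	"context"
	"errors"
	"strings"
)

// wildcardZones stands in for the poster's cache/database lookup: zones whose
// subscribers pointed a wildcard DNS record at the proxy. Constructed sample data.
var wildcardZones = map[string]bool{
	"xyz.com": true,
}

// normalize lower-cases the name and drops a trailing dot, as SNI values vary.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// zoneFor walks up the labels of name (a.b.xyz.com -> b.xyz.com -> xyz.com)
// and returns the first registered zone, which may be the name itself (apex).
func zoneFor(name string) (string, bool) {
	labels := strings.Split(normalize(name), ".")
	for i := 0; i < len(labels)-1; i++ {
		zone := strings.Join(labels[i:], ".")
		if wildcardZones[zone] {
			return zone, true
		}
	}
	return "", false
}

// decide is the on-demand DecisionFunc: deny any name outside a registered zone
// so the proxy never requests certificates for domains it does not serve.
func decide(_ context.Context, name string) error {
	if _, ok := zoneFor(name); !ok {
		return errors.New("on-demand: domain not registered: " + name)
	}
	return nil
}

// toWildcard is the SubjectTransformer: replace the leftmost label with "*".
// Unregistered names and the zone apex are returned unchanged, because
// *.xyz.com would not match xyz.com.
func toWildcard(_ context.Context, name string) string {
	name = normalize(name)
	zone, ok := zoneFor(name)
	if !ok || zone == name {
		return name
	}
	return "*" + name[strings.Index(name, "."):]
}

// Wiring (assumed field names): config.OnDemand = &certmagic.OnDemandConfig{DecisionFunc: decide}
// and config.SubjectTransformer = toWildcard, with a DNS-01 solver configured as in the issue.
```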

@rjbasitali
Contributor Author

@mholt

Thanks, let me try it.
