[RFE] Support for wildcards #61
Comments
requiring DNS validation only is not an easy start for us as that needs #41 first |
But yes, Router is the main target here with wildcard support. We also need client (library) support for v2 (golang/go#21081) |
assuming that verification works, what are the chances of having this work on multiple routes with the same certificate? i.e. not just one route that is a wildcard route. Example: we have a ton of apps that use the default route, so there's abc.example.com, def.example.com, etc. Right now we have to request individual certificates for all of those, which works great, but we frequently exhaust limits since the base "account" to Let's Encrypt is the same |
It is possible to generate wildcard certs with certbot/letsencrypt, I do it every 3 months. I did it a few days ago. You just have to point it to an updated server like this one: https://acme-v02.api.letsencrypt.org/directory and get latest certs from certbot from DNS challenges: `sudo certbot -d example.com -d '*.example.com' -d '*.apps.example.com' -d example.org -d '*.example.org' -d '*.apps.example.org' --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory` |
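The question above about serving many routes from one certificate depends on which hostnames the certificate's SAN list actually covers. The following is an added example, not part of the thread or of the openshift-acme code: it checks route hosts against the example.com SANs from the certbot command, using the rule that `*` stands for exactly one leftmost DNS label. The route hostnames and function names are constructed for illustration.

```python
# Added example: which route hosts does a shared certificate's SAN list cover?
# Wildcard rule used: "*" matches exactly one leftmost DNS label (RFC 6125).

def san_covers(san: str, host: str) -> bool:
    """Return True if one SAN entry (exact or wildcard) matches host."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if san_labels[0] == "*":
        # The wildcard needs a non-empty label; the remaining labels must be equal.
        return host_labels[0] != "" and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def plan_certificates(sans, route_hosts):
    """Split route hosts into those the shared cert covers and those it does not."""
    covered, uncovered = {}, []
    for host in route_hosts:
        match = next((s for s in sans if san_covers(s, host)), None)
        if match:
            covered[host] = match
        else:
            uncovered.append(host)
    return covered, uncovered


# SANs from the certbot command in the thread (example.com names only).
SANS = ["example.com", "*.example.com", "*.apps.example.com"]
# Constructed route hosts, not taken from the thread.
ROUTES = ["abc.example.com", "def.example.com", "example.com",
          "shop.apps.example.com", "a.b.apps.example.com", "abc.example.net"]

if __name__ == "__main__":
    covered, uncovered = plan_certificates(SANS, ROUTES)
    for host, san in covered.items():
        print(f"{host:26} shares the cert via {san}")
    for host in uncovered:
        print(f"{host:26} needs its own certificate")
```

Hosts nested two labels below a wildcard, such as `a.b.apps.example.com`, are not covered and would still need their own certificate.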
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
/remove-lifecycle stale |
fyi we will be switching to acme v2 this month I think, we might get some default DNS providers with the new library. Syncing the secret from another route/secret in the same namespace is an option, but I'd have to think it through when we switch and have wildcards |
Hi @tnozicka - is this openshift ACME controller implementation (https://github.com/tnozicka/openshift-acme) only for the 'Let's Encrypt' CA, or can we use it for other Certificate Authorities also? Thank you |
It works with any CA supporting ACME protocol, Let's Encrypt is just one of the providers. |
Thank you @tnozicka. Just one query here: in the case of a private CA, do we need to just make changes to the below config map data, and what is the directory URL here? `"cert-issuer.types.acme.openshift.io": '{"type":"ACME","acmeCertIssuer":{"directoryUrl":"https://acme-v02.api.letsencrypt.org/directory"}}'` |
It seems letsencrypt now supports wildcards so maybe the controller can handle the renewal of the wildcard and modify the router secret.