3

I'm deploying a PHP app in the Swisscom Cloud listening to a wildcard route (*.example.com).

With Let's Encrypt is no problem to secure ssl routes. It's also no problem to create a wildcard route like *.mydomain.com for an app in the Swisscom Cloud.

The Question: Is it possible to create secure wildcard routes using my own wildcard certificate (I think Let's Encrypt does not support wildcards) ? Can this be done with the CLI?

rokfor
  • 107
  • 11

1 Answers1

4

For secure SSL routes, we rely completely on Let's Encrypt - there is no way to bring your own certificate and key. This is also due to security reasons (the key should never leave the machine it was generated on).

Unfortunately, LE does not support wildcard certificates at the moment:

Will Let’s Encrypt issue wildcard certificates?

We currently have no plans to do so, but it is a possibility in the future. Hopefully wildcards aren’t necessary for the vast majority of our potential subscribers because it should be easy to get and manage certificates for all subdomains.

https://community.letsencrypt.org/t/frequently-asked-questions-faq/26

I suggest you create a certificate for each subdomain. If you would like to automate this, you can directly speak to the API: https://api.lyra-836.appcloud.swisscom.com/api-doc/#!/Certification_Processes/put_custom_certifications_create

Edit:

Let’s Encrypt will begin issuing wildcard certificates in January of 2018

https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Tom
  • 4,160
  • 2
  • 21
  • 43
Matthias Winzeler
  • 941
  • 5
  • 5
  • Well, that keeps an app limited to a defined amount of routes. I thought it might be possible with the cli and adding the certificate to the manifest (http://bosh.io/docs/trusted-certs.html). – rokfor Aug 25 '16 at 07:26
  • Yes, you're limited to 20 certificates/routes per week per domain (https://letsencrypt.org/docs/rate-limits/). But I guess that's sufficient for most use cases. The link you're referring to is something different: It installs certificates on BOSH level (the VMs that CloudFoundry runs on, your app runs in a container on top) - and it puts only the certificate in the truststore. This truststore is then used to verify TLS certificates when establishing TLS connections from a client perspective. Installing key and certificate for the server part of a TLS connection is a different thing. – Matthias Winzeler Aug 26 '16 at 08:03