by watermelon0 2628 days ago
Hard in what way? Using my favorite client/library (https://go-acme.github.io/lego/) I can generate a wildcard cert with:

  lego \
      --email="info@example.com" \
      --accept-tos \
      --path="./ssl" \
      --domains="*.example.com" \
      --dns="route53"
(AWS credentials need to be available in the environment)

So you need to execute 3rd party software on your machine and let it fiddle with your DNS settings?

Personally, I would not want to do that.

They now support wildcards, but in order to verify you are authorised to get a wildcard certificate you need to be able to pass the DNS challenge. Unfortunately there simply isn't another universal, trust-less (and automatable) way of verifying that someone owns a domain -- other than DNS.

However, because the DNS check doesn't require writing to the webroot, you could run this on any server you like and then distribute the certificate to your edge nodes (meaning your edge nodes don't need to have access to write to your DNS). Some clients even have scripting hooks which could make this significantly easier.

(I assumed the "store my cloudflare API keys on my web host" aspect was your main concern with this method -- not necessarily who wrote the client because there are plenty of other clients.)

Hm, doesn't Caddy support wildcards without DNS auth? It seems that they work around this by generating a few random subdomains and verifying those.
From the Caddy release announcement that supports wildcards[1]:

"This release introduces support for wildcard certificates, a new offering from Let's Encrypt. Getting a wildcard certificate requires enabling the DNS challenge. Fortunately, that is extremely simple with Caddy, and it works with over 20 different providers!"

1: https://caddyserver.com/blog/caddy-0_10_12-released

Caddy requires configuring their DNS provider as well[1]. LetsEncrypt (and ACMEv2) only allow you to get a wildcard if you use the dns-01 challenge.

[1]: https://caddyserver.com/docs/automatic-https#wildcards
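To make concrete what the dns-01 challenge mentioned in the comments above actually proves (and why a wildcard can only be issued through it), here is an added example, not from any commenter or from lego/Caddy/certbot, that models the CA-side check from RFC 8555 section 8.4: the expected TXT value is base64url(SHA-256(token "." account-key-thumbprint)), so only the holder of the ACME account key can compute it, and for `*.example.com` the record lives at `_acme-challenge.example.com`. The account JWK, token and DNS answers are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample account key (public part only) as an RFC 7517 JWK.
# Toy values, not a real key: only the thumbprint computation matters here.
ACCOUNT_JWK = {"kty": "RSA", "n": "sample-modulus-base64url", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """Return (TXT record name, expected TXT value) for a dns-01 challenge.
    A wildcard identifier drops its leading "*." before validation
    (RFC 8555 section 7.1.3), so *.example.com and example.com are both
    proven at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def validate(identifier: str, token: str, jwk: dict, txt_records: dict) -> bool:
    """Model of the CA's check: does any TXT string at the challenge name
    equal the expected value? txt_records maps a name to its TXT strings
    (here a constructed stand-in for a real DNS lookup)."""
    name, expected = dns01_record(identifier, token, jwk)
    return expected in txt_records.get(name, [])


if __name__ == "__main__":
    token = "constructed-sample-token-not-from-a-real-ca"
    name, value = dns01_record("*.example.com", token, ACCOUNT_JWK)
    print(f"{name} TXT {value}")
```

The last assertion in the accompanying test is the point of the design: a record published for a different account key is rejected, which is why the challenge stays secure even though anyone can read the TXT value.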

Nope, the protocol is well-documented so that anyone who wants to reinvent the wheel can do so.
Well, you could use certbot (https://github.com/certbot/certbot, see https://certbot.eff.org/docs/using.html#dns-plugins), which is from EFF, so not exactly third party, to do that.
And that's fine. I just let my http server do it automatically.
In this case the third-party software implements a public protocol, comes with a full source written in a very readable language and is sufficiently small to permit a casual review.
Then write your own acme client, it's not a terrible burden -- although I've only personally done it with the normal URL validation method