Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Question: How to issue wildcard certificates rather than exact subject name in OnDemand? #280

Closed
hazycora opened this issue Mar 29, 2024 · 5 comments
Assignees
Labels
question Further information is requested

Comments

@hazycora
Copy link

hazycora commented Mar 29, 2024

What is your question?

I'm wanting to use OnDemand, and be able to handle unknown domains for which I may not have DNS access, but also manage subdomains multiple levels deep on another domain I do have access to. On the domain I do have access to, I'd like to use wildcard subdomains any chance I can, so that I get certificates which can be used elsewhere while I'm at it. This is particularly useful in environments where domains might be of the format [commit/branch].[repo].[username].example.com - issuing more certificates constantly would hit ratelimits often if used by many users, if this can at all be optimised with wildcards that would be preferable. Is this possible currently?

Example

  • A request for example.com -> obtain cert for example.com
  • A request for abc.example.com -> obtain cert for *.example.com
  • A request for xyz.abc.example.com -> obtain cert for *.abc.example.com (we cannot use nested wildcards)
  • A request for some.other.domain.tld -> obtain cert for some.other.domain.tld

...etc.

What have you already tried?

Looking at the code for certmagic, it seems like I could do something like this if I could just edit getNameFromClientHello, but if there's a better way to do this I'd rather do that than having to edit this codebase. Alternatively I could use my own OnDemand implementation but I'd rather have the stability of using what's been made here than needing to maintain my own implementation.

I've been looking around for a while to find a way to do this at all without a Ton of extra work, and haven't found much yet, so currently I've yet to actually try anything.

@hazycora hazycora added the question Further information is requested label Mar 29, 2024
@mholt
Copy link
Member

mholt commented Mar 29, 2024

I think I had this on a TODO list a while ago. I'll try to revisit it soon.

@mholt mholt self-assigned this Mar 29, 2024
@hazycora
Copy link
Author

I'm using a bodge, adding a ManipulateClientHelloName function for this. here's an example of how it could be used:

magic.ManipulateClientHelloName = func(name string) string {
    if canUseWildcard(name) {
        name = strings.TrimSuffix(name, "." + PAGES_DOMAIN)
        parts := strings.Split(name, ".")
        parts[0] = "*"
        name = strings.Join(parts, ".") + "." + PAGES_DOMAIN
    }
    return name
}

I'm not recommending this be used here by any means but as a stopgap it's working for me for now, though longterm I'd prefer this project be able to accommodate this situation

mholt added a commit that referenced this issue Apr 8, 2024
This makes it possible to replace cert subjects with wildcards, for example

Related: #280
@mholt
Copy link
Member

mholt commented Apr 8, 2024

@hazycora I've just committed b29d2a0 which adds a SubjectTransformer field to the certmagic.Config struct. In my tests I used it similarly to you:

magic.SubjectTransformer = func(ctx context.Context, domain string) string {
	if !strings.HasPrefix(domain, "*.") {
		parts := strings.Split(domain, ".")
		parts[0] = "*"
		return strings.Join(parts, ".")
	}
	return domain
}

Want to give that a shot and see if that does what you need?

Note that my implementation affects all (I think all?) code paths that manage certificates, including NON-on-demand configs, but it can, of course, be used with on-demand configs as well. Let me know what you think!

@hazycora
Copy link
Author

Sorry for the wait-
This works, been using it for the past two months without a problem. I think this serves this use-case just fine so I'll close. Thanks!

@mholt
Copy link
Member

mholt commented Jun 11, 2024

Excellent! Thanks for the update.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

2 participants