You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm wanting to use OnDemand, and be able to handle unknown domains for which I may not have DNS access, but also manage subdomains multiple levels deep on another domain I do have access to. On the domain I do have access to, I'd like to use wildcard subdomains any chance I can, so that I get certificates which can be used elsewhere while I'm at it. This is particularly useful in environments where domains might be of the format [commit/branch].[repo].[username].example.com - issuing more certificates constantly would hit ratelimits often if used by many users, if this can at all be optimised with wildcards that would be preferable. Is this possible currently?
Example
A request for example.com -> obtain cert for example.com
A request for abc.example.com -> obtain cert for *.example.com
A request for xyz.abc.example.com -> obtain cert for *.abc.example.com (we cannot use nested wildcards)
A request for some.other.domain.tld -> obtain cert for some.other.domain.tld
...etc.
What have you already tried?
Looking at the code for certmagic, it seems like I could do something like this if I could just edit getNameFromClientHello, but if there's a better way to do this I'd rather do that than having to edit this codebase. Alternatively I could use my own OnDemand implementation but I'd rather have the stability of using what's been made here than needing to maintain my own implementation.
I've been looking around for a while to find a way to do this at all without a Ton of extra work, and haven't found much yet, so currently I've yet to actually try anything.
The text was updated successfully, but these errors were encountered:
I'm not recommending this be used here by any means but as a stopgap it's working for me for now, though longterm I'd prefer this project be able to accommodate this situation
Want to give that a shot and see if that does what you need?
Note that my implementation affects all (I think all?) code paths that manage certificates, including NON-on-demand configs, but it can, of course, be used with on-demand configs as well. Let me know what you think!
What is your question?
I'm wanting to use OnDemand, and be able to handle unknown domains for which I may not have DNS access, but also manage subdomains multiple levels deep on another domain I do have access to. On the domain I do have access to, I'd like to use wildcard subdomains any chance I can, so that I get certificates which can be used elsewhere while I'm at it. This is particularly useful in environments where domains might be of the format [commit/branch].[repo].[username].example.com - issuing more certificates constantly would hit ratelimits often if used by many users, if this can at all be optimised with wildcards that would be preferable. Is this possible currently?
Example
...etc.
What have you already tried?
Looking at the code for certmagic, it seems like I could do something like this if I could just edit
getNameFromClientHello
, but if there's a better way to do this I'd rather do that than having to edit this codebase. Alternatively I could use my own OnDemand implementation but I'd rather have the stability of using what's been made here than needing to maintain my own implementation.I've been looking around for a while to find a way to do this at all without a Ton of extra work, and haven't found much yet, so currently I've yet to actually try anything.
The text was updated successfully, but these errors were encountered: