Wildcard DNS & Let's Encrypt Prod certs - are subdomains publicly exposed?
-
I'm preparing all my domains to use Wildcard DNS instead of DigitalOcean/Manual because I intend to switch to Contabo soon. I'm interested in hiding the subdomains from being listed as mentioned in this CR doc. I can't use "Wildcard DNS + Let's Encrypt Prod - Wildcard" because CR says:
Wildcard cert requires a programmable DNS backend
However, I can use "Wildcard DNS + Let's Encrypt Prod". Am I out of luck in hiding my subdomains from the "certificate transparency log"?
-
@humptydumpty That's right. No way to get wildcard certs with wildcard DNS.
To get a wildcard certificate, one needs to be able to program/automate the DNS. The Let's Encrypt (ACME) protocol requires one to programmatically set up TXT entries as part of getting the certificate. With wildcard DNS, we have no way to automatically set up those entries.
The protocol for normal certificates has an "http"-based flow, which allows it to work with a single wildcard entry.
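To make the distinction in the answer above concrete, here is an added example (not code from the thread or from Cloudron) that builds the challenge material for the two ACME validation methods from RFC 8555 and checks which of them a zone containing nothing but a single wildcard A record can satisfy. The account key, token, `example.com` names and the `203.0.113.10` address are constructed placeholders, and the resolver is a deliberately small model of wildcard matching, not a real DNS library.

```python
"""ACME http-01 vs dns-01 challenge material (RFC 8555), and why only http-01
can be satisfied when the zone holds a single wildcard A record and nothing else."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url with the '=' padding stripped, as RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the compact,
    lexicographically ordered JSON of the key's required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_challenge(identifier: str, token: str, account_jwk: dict) -> dict:
    """URL the CA fetches over plain HTTP, and the body it expects (section 8.3)."""
    if identifier.startswith("*."):
        # RFC 8555 section 7.1.3: wildcard identifiers may only use dns-01.
        raise ValueError("http-01 is not allowed for wildcard identifiers")
    return {"url": f"http://{identifier}/.well-known/acme-challenge/{token}",
            "body": key_authorization(token, account_jwk)}


def dns01_challenge(identifier: str, token: str, account_jwk: dict) -> dict:
    """TXT record the CA queries (section 8.4): the leading '*.' is dropped and
    the record value is the base64url SHA-256 of the key authorization."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{base}", "type": "TXT", "value": b64url(digest)}


# Constructed toy zone: the "wildcard DNS" setup from the thread, i.e. one A record
# for *.example.com pointing at the server and no other records at all.
SERVER_IP = "203.0.113.10"
WILDCARD_ZONE = {("*.example.com", "A"): SERVER_IP}


def resolve(zone: dict, name: str, rtype: str):
    """Toy resolver: exact owner name first, then the wildcard owner under the
    same parent. A wildcard only answers for record types it actually holds,
    so a TXT query against a wildcard that has only an A record gets nothing."""
    if (name, rtype) in zone:
        return zone[(name, rtype)]
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get(("*." + parent, rtype))


def can_satisfy(zone: dict, challenge: dict) -> bool:
    """http-01 needs the hostname to resolve to our server, which then serves the
    body itself. dns-01 needs the exact TXT record to already exist in the zone."""
    if "url" in challenge:
        host = challenge["url"].split("/")[2]
        return resolve(zone, host, "A") == SERVER_IP
    return resolve(zone, challenge["name"], challenge["type"]) == challenge["value"]


if __name__ == "__main__":
    # Constructed account key; the coordinates are placeholders, not a real P-256 point.
    account = {"kty": "EC", "crv": "P-256", "x": "eHh4", "y": "eXl5", "alg": "ES256"}
    token = "tok123"
    http = http01_challenge("app.example.com", token, account)
    dns = dns01_challenge("*.example.com", token, account)
    print("http-01:", http["url"], "satisfiable:", can_satisfy(WILDCARD_ZONE, http))
    print("dns-01 :", dns["name"], "TXT", dns["value"],
          "satisfiable:", can_satisfy(WILDCARD_ZONE, dns))
```

With only the wildcard A record, `app.example.com` resolves to the server, so the server can answer the `http-01` fetch itself; the `dns-01` lookup for `_acme-challenge.example.com TXT` returns nothing until something writes that record into the zone, which is exactly the programmable-DNS step the answer refers to. Adding the returned `name`/`value` pair to the zone is what a DNS API hook would do.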