First, congrats, this is great news! There are a lot of use cases out there that require a wildcard cert or work far better with them.
> It is our intent to transition all clients and subscribers to ACMEv2, though we have not set an end-of-life date for our ACMEv1 API yet.
Please don't do this. It will break millions of sites needlessly. Most installations of Let's Encrypt plugins aren't going to auto update to v2. A lot of us are also using custom v1 code for various reasons that may not be easy to change.
The preferable end-of-life date for ACMEv1 (sparing any existential security issues) should be never. Otherwise you will be executing a Geocities-sized web meltdown every time you phase out a version of the API.
One of the wonderful aspects of this, that no one's pointed out yet, is that these can be used for INTERNAL domains, without you having to run your own internal CA.
i.e. let's say your internal network DNS domain is 'my-company-lan.com' - all you have to do is ensure that 'my-company-lan.com' is also registered in public DNS, and then you can secure ALL your internal services using a free LE wildcard cert that's automatically trusted by all platforms and browsers. For some companies that's going to be a BIG cost and resources saving.
 but not actually used for any public facing services.
For anyone wondering how to actually obtain a wildcard cert this way, here's the quick version:
1. Use acme.sh: https://github.com/Neilpang/acme.sh
If your DNS provider has a supported API, you may be able to automatically publish the DNS records required using a slightly different command - see here: https://github.com/Neilpang/acme.sh/tree/master/dnsapi
acme.sh --issue -d *.example.com --dns
Don't forget to Donate:
Also the EFF:
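To make concrete what the `acme.sh --issue -d *.example.com --dns` step above is actually proving, here is an added worked example (not code from the thread, from acme.sh, or from Let's Encrypt) of the DNS-01 challenge arithmetic defined in RFC 8555 section 8.4 and RFC 7638. The client concatenates the CA-issued token with the thumbprint of its ACME account key, hashes that with SHA-256, and publishes the base64url digest as a TXT record at `_acme-challenge.<base domain>`; the CA then resolves that name and compares. The account key, token and domain below are constructed sample values, and the JWK coordinates are placeholders rather than real curve points.

```python
"""DNS-01 challenge value derivation and the CA-side comparison (RFC 8555
section 8.4, RFC 7638). Added example; the JWK, token and domain are
constructed sample values, not real keys or a real challenge."""
import base64
import hashlib
import json
from typing import Dict, List, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members of the key,
# serialized in lexicographic order with no whitespace. Optional members such
# as "use" or "kid" must be left out or the digest will not match the CA's.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def canonical_jwk_json(jwk: Dict[str, str]) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    subset = {k: jwk[k] for k in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(identifier: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return the (record name, TXT value) the client must publish.

    For a wildcard identifier the CA validates the base name, so
    "*.example.com" is proven via _acme-challenge.example.com.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def ca_validates(published_txt: Dict[str, List[str]], identifier: str,
                 token: str, jwk: Dict[str, str]) -> bool:
    """CA-side check: any TXT record at the challenge name equal to the
    expected digest satisfies the challenge. Nothing about IP space or
    HTTP reachability is consulted; DNS control is the whole proof."""
    name, expected = dns01_record(identifier, token, jwk)
    return expected in published_txt.get(name, [])


# Constructed sample account key (placeholder coordinates) and token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB", "use": "sig"}
SAMPLE_TOKEN = "constructed-token-0001"


if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"publish TXT {name} -> {value}")
    # Simulated zone after the client has published the record.
    zone = {name: [value]}
    print("CA accepts:", ca_validates(zone, "*.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the token is issued fresh by the CA for every authorization, the TXT value is different on every issuance and every renewal, which is why the `dnsapi` hooks linked above matter for unattended renewal.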
The amount of money I've paid for this... I reckon some of these providers are going under soon?
DNS providers and domain name registration companies are probably going to get pestered about API access for updating TXT DNS records now... :)
Now here's to hoping that Heroku supports this soon. That will mean I can at last migrate a number of apps that require wildcard domains to their platform.
This is great news! Let's Encrypt has helped me secure many of my own boxes without having to maintain my own CA, very happy to see them grow.
Can anyone list any negatives of Let's Encrypt? I've been using it since the start and just can't find any practical downsides.
I do hope GitHub employs this for rolling out https for Pages sites using custom domains too.
Great news, but interesting to see that they still recommend securing individual domain names. I imagine this is for security purposes?
Hi, I made a video on how to implement a Wildcard Certificate for your subdomains. I hope someone finds it useful :) https://www.youtube.com/watch?v=zvg8IXAcUwo&feature=youtu.be
Thank you letsencrypt team! Really appreciate all the hard work to get this out.
HTTPS vs HTTP usage: https://netmarketshare.com/report.aspx?options=%7B%22filter%...
On the face of it wildcard certs seem easy to implement - just match anything in place of the * - but clearly that's not the case, as it took years to complete. Anyone mind sharing some of the subtle challenges and complexities involved?
I just wished there was a Windows client that just works with IIS. Every time I try, it just errors out and gives me headaches (certify, Let's Encrypt Simple Windows Client, etc.)
Shameless plug, I created sewer, which is a letsencrypt client that you can use both as a (minimalistic) python library or as a command line application. And I just added ACME v2 support. Check it out,
I did not see it on the forum, but seeing that the wildcard feature requires the DNS-01 challenge for getting the certificates, does it mean automatic renewal is impossible without a DNS API? (Or is it possible to renew without the DNS challenge?)
Does the DNS method require proving you control the IP space for the domain, or is a DNS TXT really the only thing you need to generate a certificate?
Can this be used for multi-level subdomains?
This is great, congrats, you are really doing a great service to the community.
Wonderful news! Looking forward to using the Wildcard SSLs.
Excellent! Wildcard certificates are getting deployed tomorrow.