Skip to content
1 min read

Wildcard TLS via DNS-01

Obtaining and renewing a wildcard Let's Encrypt certificate without exposing anything.

SecureReliable

The problem

A platform with many subdomains, most of them private. The classic ACME challenge (HTTP-01) validates each name by serving a file on the public HTTP port. Something must therefore be exposed for every subdomain, including those that have no business being on the Internet. And every issued certificate records its name in the Certificate Transparency logs, which are public and continuously scanned: issuing one certificate per service amounts to publishing the map of your infrastructure.

The pattern

The DNS-01 challenge proves control of the domain rather than of a web server. The ACME client sets a temporary TXT record (_acme-challenge.<domain>) through the registrar’s API (OVH), Let’s Encrypt verifies it, the certificate is issued. Consequences:

The pitfalls

When not to use it

A single public domain, no private subdomains, no reliable DNS API: HTTP-01 is simpler and sufficient. DNS-01 is worth its cost as soon as there is something private to protect or a wildcard to cover.