I have been pulling my hair out the last few days trying to figure out how to get an auto renewing SSL cert for my host + wildcard. I am running Debian 11, ispconfig with nginx. I've tried all kinds of scripts and ways around it but I can't seem to get it working properly. I can get an SSL cert for my site, and even wildcard, but I can't get it to auto renew. If there is a tutorial or anything that I could be directed to, that maybe I somehow missed, that would be very helpful.
I assume the certificate is not from Let's Encrypt since I think Let's Encrypt does not support wildcard certificates? So where did you get that certificate? You should show what you have done so far and what has happened. What is in the logs? What client are you using for certificates, if any?
They do support wildcard certificates. Not sure about ISPC compatibility on that subject. Both certbot and acme.sh should auto renew any certificate by default around 30 days prior to its expiration. Or are you getting your certificates through another client?
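Since the thread turns on whether the client's "about 30 days before expiry" renewal actually happened, here is a small check, added as an example for this thread and not code from ISPConfig, certbot or acme.sh. It parses the text that `openssl x509 -noout -subject -enddate -in cert.pem` prints and reports how far the certificate is from expiry and whether it sits inside the renewal window; the 30-day window, the sample openssl output and the `*.example.com` name are assumptions/constructed values.

```python
"""Report days to expiry for a certificate and whether the renewal window
was missed.  Input is the output of
  openssl x509 -noout -subject -enddate -in /path/to/cert.pem
Added example for this thread; not ISPConfig, certbot or acme.sh code."""
from datetime import datetime, timezone

# certbot and acme.sh renew roughly 30 days before expiry (assumption used here).
RENEW_WINDOW_DAYS = 30

# Constructed sample output of the openssl command above (not from a real host).
SAMPLE_OUTPUT = """subject=CN = *.example.com
notAfter=Mar 15 12:00:00 2025 GMT
"""


def parse_openssl_output(text):
    """Return {'subject': str, 'not_after': aware datetime} from openssl's
    key=value lines.  notAfter looks like 'Mar 15 12:00:00 2025 GMT'."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return {
        "subject": fields.get("subject", ""),
        "not_after": not_after.replace(tzinfo=timezone.utc),
    }


def renewal_status(days_left, window=RENEW_WINDOW_DAYS):
    """Classify the certificate relative to the client's renewal window."""
    if days_left < 0:
        return "expired"
    if days_left <= window:
        # Inside the window: a working nightly renewal job should already
        # have replaced this certificate.  If this persists, renewal is broken.
        return "renewal-due"
    return "ok"


def check(text, now_iso):
    """Combine parsing and classification.  now_iso is an ISO 8601 timestamp
    with offset, e.g. '2025-02-20T12:00:00+00:00', so the check is reproducible."""
    cert = parse_openssl_output(text)
    now = datetime.fromisoformat(now_iso)
    days_left = (cert["not_after"] - now).days
    return {
        "subject": cert["subject"],
        "days_left": days_left,
        "status": renewal_status(days_left),
    }


if __name__ == "__main__":
    # Run against the constructed sample at three points in time.
    for when in ("2025-01-01T12:00:00+00:00",
                 "2025-02-20T12:00:00+00:00",
                 "2025-03-16T12:00:00+00:00"):
        print(when, check(SAMPLE_OUTPUT, when))
```

On a live host, feed it the real openssl output and today's timestamp; a result of `renewal-due` that does not clear within a day or two means the nightly certbot/acme.sh run is not renewing that certificate, which is the situation to look for in the client's logs.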
Why do you need a wildcard certificate? Using it does not make sense in most cases, as you can have up to 100 domains in a standard HTTP authenticated certificate, which ISPConfig manages and automatically adds domains to. So, do you really have more than 100 subdomains in the same certificate?
I fully agree with you but in the world of webhosting there are countless noobs who think it's common practice to have a *.domain.tld record in their DNS pointing to their website. Even some big ISPs create it by default when purchasing a domain name and hosting with them, not helping the noobs out there. I too can't think of any practical reason to do so in almost every use case (of course there are some exceptions) but it happens a lot. And then a wildcard certificate makes sense all of a sudden, unfortunately. Back on topic, I've had several LE wildcard certificates in my test lab on an OpenLiteSpeed server running as a reverse proxy in front of multiple ISPC servers using acme.sh, which auto renewed them just fine every 2 months.
Actually, the only reason I would see getting a *.domain.tld is if you run a service that creates accounts based on subdomains. For all other cases, it's better to have separate certs with dedicated DNS records. Otherwise, users wonder later why all kinds of 'copies' of their websites and services exist, and they might even get duplicate content penalties. Or someone might ask them (or sue) why they run a server [some bad word or trademark here].domain.tld which they are not aware of. Therefore, better stay away from wildcard DNS and wildcard SSL if you want to have control over your services and domain namespace.
There are (used to be) uses for wildcard certs. I used to use one for ISPConfig servers. For multiple servers, it was cheaper to get one wildcard cert and use it on each server than getting a separate certificate for each server. Not really necessary any more. As for using a wildcard subdomain in DNS, and for the website, I suppose if you're not sure what subdomains you're going to use in advance, there is a case for it. Also, I guess, depending on the subdomain you actually use for the website, it can at least ensure that anyone misspelling the subdomain in the browser will still get taken to the right website, which can be very useful when a client decides to use a subdomain like strategaethblynyddoeddcynnargorllewin
In the old days yes. But nowadays with Let's Encrypt and some others, which are free, that doesn't fly anymore. And it even isn't very practical for use on multiple ISPC servers, as certbot or acme.sh will request and install the certificate per server. It will look like you'll have the exact same certificate on each server but the fact of the matter is they are all different, each with their own key. Though the original poster still hasn't acknowledged the use of LE certificates. As I said earlier, most of the time it's not because of not knowing what to use in advance but the end-user's complete lack of knowledge combined with ISPs that roll it out by default in their hosting packs.
I think this may not be entirely correct, as on its own, the acme.sh script does that but certbot doesn't. ISPConfig arranges for certbot to do so nightly, mainly for certificates issued through ISPConfig. The replies for wildcard are clear so I do not wish to add further, but using the DNS challenge should be possible in ISPConfig with some technical knowledge, though not supported. There isn't, but as a general guide, LE certs created via the ISPConfig panel may have their renewal conf file modified to achieve the same.