Question Synology DDNS wild card cert w/LE


My response was triggered by the whole port 80/443 discussion. It gave the impression that those ports would be involved in the verification processes when creating a wildcard certificate; they are not.
Let me throw in my ignorance and muddy the waters. As I understand, per Synology postings, ports 80/443 are required when creating LE certs for non-Synology domains.

That said, yes, I was attempting to create a wildcard cert for a Synology domain, however at the same time, I had a non-Synology SAN going along for the ride. My understanding then was to keep 80/443 open when creating a new cert.

As far as LE cert renewals go, if the LE cert is purely Synology, no open ports are required. However, where other non-Synology domains are involved, opening port 80 (or 443) for renewal is mandatory.
 
From my experience:
- Subdomain level LE certificates use HTTP01 challenge, which requires port 80 for creation and update.
- Wildcard level LE certificates require DNS01 challenge

I would assume that a subdomain level LE certificate for Synology still uses HTTP01 challenge and thus requires the ports, while wildcard certificates can never use HTTP01 challenge.

I actually never thought about adding a SAN that points to a different domain. I have no experience in how it affects the verification process.
 
When I have created wildcard certs, they have been for non-Synology domains, and I have always used the DNS TXT method, so what one-eyed-king is saying is consistent w/my experience. To be clear, though, I've done it that way because I find it easier....I don't know what would have happened if I had tried the 80/443 method.
 
So why is this bound to Synology's own domain and why can't I use my domain name to acquire a wildcard certificate?

Wildcard domains require DNS verification. Synology have no control over other people's DNS records hence they cannot do it. I am discussing workarounds in another post.
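The two points made in this thread (wildcard names can only be authorised with DNS-01, and HTTP-01 is what makes port 80 necessary) can be written down as a small planner. The following is an added example written for this page; it is not Synology's code nor part of any ACME client. The function names, the sample domain names and the account key are all constructed, and the `dns_automation` set stands in for "the only zone this client can write TXT records into" (for a Synology box, its own DDNS name). The key-authorization and DNS-01 TXT value computations follow RFC 8555 sections 8.1, 8.3 and 8.4, and the JWK thumbprint follows RFC 7638.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def allowed_challenges(identifier: str) -> list[str]:
    """Challenge types Let's Encrypt will offer for one DNS identifier.

    A wildcard name is only ever authorised via DNS-01; plain names may use
    HTTP-01 (port 80), TLS-ALPN-01 (port 443) or DNS-01.
    """
    if identifier.startswith("*."):
        return ["dns-01"]
    return ["http-01", "tls-alpn-01", "dns-01"]


def plan_order(identifiers: list[str], dns_automation: set[str]) -> dict[str, str]:
    """Pick one challenge per identifier in an ACME order.

    dns_automation: zones our client can write TXT records into (constructed
    stand-in for "Synology can only edit its own DDNS zone"). Names inside such
    a zone use DNS-01; other plain names fall back to HTTP-01; a wildcard
    outside any automated zone cannot be satisfied at all.
    """
    plan = {}
    for ident in identifiers:
        base = ident[2:] if ident.startswith("*.") else ident
        automated = any(base == z or base.endswith("." + z) for z in dns_automation)
        if automated:
            plan[ident] = "dns-01"
        elif ident.startswith("*."):
            raise ValueError(f"{ident}: wildcard needs DNS-01 but its zone is not automated")
        else:
            plan[ident] = "http-01"
    return plan


def required_inbound_ports(plan: dict[str, str]) -> set[int]:
    """Inbound ports the CA must reach for the chosen challenges (none for DNS-01)."""
    ports = set()
    for challenge in plan.values():
        if challenge == "http-01":
            ports.add(80)
        elif challenge == "tls-alpn-01":
            ports.add(443)
    return ports


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{thumbprint}"


def http01_resource(token: str, thumbprint: str) -> tuple[str, str]:
    """HTTP-01: the path the CA fetches on port 80 and the body it expects there."""
    return ("/.well-known/acme-challenge/" + token, key_authorization(token, thumbprint))


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple[str, str]:
    """DNS-01: the TXT record name and value the CA queries (same name for *.x and x)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return ("_acme-challenge." + base, b64url(digest))


if __name__ == "__main__":
    # Constructed sample order: a Synology DDNS wildcard plus an outside SAN, as in the thread.
    order = ["*.mynas.synology.me", "mynas.synology.me", "nas.example.org"]
    plan = plan_order(order, dns_automation={"mynas.synology.me"})
    print(plan)                          # outside SAN forces http-01
    print(required_inbound_ports(plan))  # {80}
    # Constructed account key (values are placeholders, only their hash matters here).
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    thumb = jwk_thumbprint(account_jwk)
    print(dns01_record("*.mynas.synology.me", "constructed-token", thumb))
    print(http01_resource("constructed-token", thumb))
```

Running the sample shows why the thread's two experiences agree: the Synology-only names need no open port at all, while the one outside SAN drags HTTP-01 (and therefore port 80) into both issuance and renewal, and a wildcard for a zone the client cannot write to is rejected up front rather than failing at the CA.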
 
