Support Letsencrypt wildcard certificates about kontena HOT 2 OPEN

It's currently not even possible to use wildcard certificate manually imported certificates as the loadbalancer stack fails with the error: [error] Psych::SyntaxError : (loadbalancer.yml): did not find expected alphabetic or numeric character while scanning an alias at line 16 column 18 Where that line is the subject line of the certificates using the *.domain.tld format.

That's a syntax error in the YAML, try quoting it:

certificates:
  subject: "*.example.com"

AFAIK wildcard certs should work, that's a separate bug if they do not.

Now that Letsencrypt finally supports wildcard certificates it would be nice to get wildcard support directly to the Kontena loadbalancer.

Not trivial to implement fully automated support for wildcard certs, because LE only issues wildcard certs for dns-01 challenges. We could support kontena certificate authorize --type dns-01 *.example.com if we upgraded to the ACMEv2 API, but that will require manual updating of the DNS TXT records for renewals. Automating dns-01 challenges would require integration with external DNS providers, which is a major task.

OTOH, wildcard certs wouldn't even be strictly necessary if the Kontena LE integration were further improved to make it much easier to deploy new services with new non-wildcard LE certificates: #1791 #2958

from kontena.

Here's a manual workaround:

1. Download certbot
2. Run certbot -d *.mywildcarddomain.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory certonly
3. Add the DNS TXT entry
4. Run kontena certificate import --key /etc/letsencrypt/live/mywildcarddomain.com/privkey.pem /etc/letsencrypt/live/mywildcarddomain.com/cert.pem
5. kontena stack upgrade <ingress stack> kontena/ingress-lb

The last step will work properly after kontena/kontena-stacks#28 has been merged. Meanwhile you can copy the stack file from the pull request and use it to upgrade the load balancer.

from kontena.