Requesting wildcard SSL certificates via DNS with Sympl


Matthew Somerville, 24th June 2026

As I mentioned in my previous blog post, I have blocked a lot of IP addresses, which makes it hard for Let’s Encrypt to use their HTTP validation of domains (the HTTP-01 challenge, where their validation servers fetch a token from port 80 of your web server) in order to issue an SSL certificate.

That’s okay though, as they also offer DNS validation (the DNS-01 challenge), where you live-update your DNS to publish a TXT record under _acme-challenge.yourdomain that answers a challenge and so proves you control the domain. A bonus is that DNS validation is the only way to get wildcard certificates, which means I have to request fewer of them, as I have quite a few *.dracos.co.uk or *.traintimes.org.uk things, such as postboxes.dracos.co.uk, intunemixtapefanclub.dracos.co.uk, or split.traintimes.org.uk. (A wildcard covers exactly one label: *.dracos.co.uk matches postboxes.dracos.co.uk, but not dracos.co.uk itself and not a.b.dracos.co.uk, which is why the bare domain has to be on the certificate as well.)

My server is hosted at Mythic Beasts, and uses Sympl to make hosting some sites a bit easier. Sympl does HTTP validation of certificates automatically; Mythic provide some instructions on how to set up stand-alone DNS validation using their DNS API and dehydrated, but this doesn’t cover getting the certs into place for Sympl to pick up.

With some searching, I found Christopher Wilkinson’s helpful instructions for combining their DNS instructions with Sympl, to automatically get the certificate in place and update the server. In the spirit of that, then, this post adds the extra bits I had to do in order to get a wildcard certificate and get that in all the places Sympl expects it.

Requesting a wildcard certificate

Put dracos.co.uk *.dracos.co.uk on one line in dehydrated’s domains.txt file (with CHALLENGETYPE set to dns-01 in its config, as in the Mythic instructions). The first name on the line becomes the certificate’s common name and the rest become subject alternative names, so this single certificate covers the bare domain and every direct subdomain of it. That is it, it just worked! Magic. One thing to be aware of if you write your own DNS hook: that line produces two challenges, one for dracos.co.uk and one for *.dracos.co.uk, and both are answered by TXT records at the same name, _acme-challenge.dracos.co.uk, so the hook has to add a second record alongside the first rather than overwrite it.

Putting it in places

I edited the deploy-cert/sympl hook script to loop through every host directory under /srv that is the domain itself or ends in .$DOMAIN, i.e. every host the wildcard could apply to; otherwise it is basically the same:

```bash
# Run by dehydrated after issuance; $DOMAIN is the first name on the
# domains.txt line and $CERTFILE, $CHAINFILE, $KEYFILE and $FULLCHAINFILE
# point at the freshly issued files (all set by the surrounding hook script).
# nullglob makes the glob expand to nothing, rather than stay literal, if
# there are no subdomain directories.
shopt -s nullglob
for subdomain in $DOMAIN $(basename -a /srv/*.$DOMAIN); do
    # tell Sympl not to obtain a certificate for this host itself
    echo 'false' > /srv/$subdomain/config/ssl-provider
    # one dated set per issuance, so earlier sets are kept
    SET_NAME=dehydrated-$(date --rfc-3339=date)
    mkdir -p /srv/$subdomain/config/ssl/sets/$SET_NAME
    cat "${CERTFILE}" > /srv/$subdomain/config/ssl/sets/$SET_NAME/ssl.crt
    cat "${CHAINFILE}" > /srv/$subdomain/config/ssl/sets/$SET_NAME/ssl.bundle
    # the key inherits the script's umask; make sure it is not world-readable
    cat "${KEYFILE}" > /srv/$subdomain/config/ssl/sets/$SET_NAME/ssl.key
    cat "${FULLCHAINFILE}" "${KEYFILE}" > /srv/$subdomain/config/ssl/sets/$SET_NAME/ssl.combined
    # make the new set the current one for this host
    sympl-ssl $subdomain --verbose --select $SET_NAME
done
```

So when a new certificate is obtained, this copies it into every Sympl host directory it can apply to. Which is nice :) One caveat: the glob /srv/*.$DOMAIN also matches deeper names such as /srv/a.b.dracos.co.uk, and a single-label wildcard does not cover those, so a host like that would be handed a certificate that is not valid for it; such hosts need their own entry in domains.txt.
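Because the deploy hook copies the certificate wherever the glob matches, it is worth checking that the certificate’s names actually cover each host directory before (or after) it is installed. The following is an added example, not code from the post, from Sympl or from dehydrated. It implements the single-label wildcard rule described above, then walks a /srv-style directory the way the hook’s glob does and reports any host the certificate would not be valid for. The function names san_matches, cert_covers and uncovered_hosts are my own, and the directory and SAN lists used below are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post, Sympl or dehydrated):
# check that a certificate's subject alternative names cover every host
# directory the deploy hook's glob would copy it into.

# san_matches NAME PATTERN: succeed if PATTERN (a plain name or *.suffix)
# covers NAME. A wildcard matches exactly one non-empty leftmost label, so
# *.dracos.co.uk covers postboxes.dracos.co.uk but neither dracos.co.uk
# itself nor a.b.dracos.co.uk.
san_matches() {
  name=$1
  pattern=$2
  case $pattern in
    '*.'*)
      suffix=${pattern#\*.}
      first=${name%%.*}
      [ -n "$first" ] && [ "$first" != "$name" ] && [ "$name" = "$first.$suffix" ]
      ;;
    *)
      [ "$name" = "$pattern" ]
      ;;
  esac
}

# cert_covers NAME SAN...: succeed if any of the SANs covers NAME.
cert_covers() {
  name=$1
  shift
  for san in "$@"; do
    if san_matches "$name" "$san"; then
      return 0
    fi
  done
  return 1
}

# uncovered_hosts SRVDIR DOMAIN SAN...: mimic the hook's loop over
# DOMAIN plus every SRVDIR/*.DOMAIN directory, print each host no SAN
# covers, and fail if there was at least one. (Directory names are split
# on whitespace, which is fine for hostnames.)
uncovered_hosts() {
  srvdir=$1
  domain=$2
  shift 2
  rc=0
  for host in "$domain" $(cd "$srvdir" && ls -d *."$domain" 2>/dev/null); do
    if ! cert_covers "$host" "$@"; then
      echo "$host"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a fake /srv and the SANs from a "dracos.co.uk
# *.dracos.co.uk" domains.txt line. a.b.dracos.co.uk is two labels deep,
# so it matches the glob but not the wildcard.
demo() {
  srv=$(mktemp -d)
  mkdir -p "$srv/dracos.co.uk" "$srv/postboxes.dracos.co.uk" "$srv/a.b.dracos.co.uk"
  uncovered_hosts "$srv" dracos.co.uk dracos.co.uk '*.dracos.co.uk'
  status=$?
  rm -rf "$srv"
  return $status
}
```

On a real server, feed uncovered_hosts the names from the issued certificate instead of a hand-written list; on OpenSSL 1.1.1 or later, `openssl x509 -in "$CERTFILE" -noout -ext subjectAltName` prints them. Running this from the deploy hook before the copy loop, and aborting if it prints anything, stops a host from being switched to a certificate that will fail validation in browsers.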

Reading

Currently reading the previously mentioned book of time travel romance stories called Someone in Time. Before that, I finished Death Masks by Jim Butcher and Chasing Embers by James Bennett.

