It may have flown under your radar, but Lego, the mainstream Let's Encrypt client written in Go, released its version 1.0.0 around one month ago.

Notably, this release supports ACME v2 and the DNS-01 challenge. DNS-01 has become the best practice security-wise, and it is the only challenge type Let's Encrypt actually accepts for issuing wildcard certificates.

Exoscale is fully compatible with Lego, which means you can now automate wildcard certificate deployment on our platform. Lego transparently uses our DNS service API to create the appropriate record for the challenge 🎉
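To show what that "appropriate record" actually contains, here is an added example (not Lego's or Exoscale's code) of the DNS-01 arithmetic a client performs before calling the DNS API: it assumes a P-256 ACME account key and uses a made-up challenge token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// ACME encodes every value below as base64url without padding.
var b64 = base64.RawURLEncoding

// Thumbprint is the RFC 7638 JWK thumbprint of a P-256 account key: SHA-256
// of the required members in lexicographic order, no whitespace, coordinates
// left-padded to 32 bytes.
func Thumbprint(pub *ecdsa.PublicKey) string {
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	canon := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`,
		b64.EncodeToString(x), b64.EncodeToString(y))
	sum := sha256.Sum256([]byte(canon))
	return b64.EncodeToString(sum[:])
}

// DNS01TXTValue is what the CA expects in the TXT record: SHA-256 of the key
// authorization "<token>.<thumbprint>" (RFC 8555 §8.4). Tying the token to
// the account key means observing the token alone is not enough to pass.
func DNS01TXTValue(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return b64.EncodeToString(sum[:])
}

// DNS01RecordName is the owner name of that record: the "*." of a wildcard
// identifier is dropped, so "*.example.com" is validated at
// "_acme-challenge.example.com".
func DNS01RecordName(identifier string) string {
	return "_acme-challenge." + strings.TrimPrefix(identifier, "*.")
}

func main() {
	// Constructed input: a fresh account key and a made-up challenge token.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	txt := DNS01TXTValue("MADE-UP-TOKEN", Thumbprint(&key.PublicKey))
	fmt.Printf("%s TXT %q\n", DNS01RecordName("*.example.com"), txt)
}
```

Checking that the computed value is visible at the record name (over public resolvers, since DNS propagation lags the API call) before triggering validation is what avoids burning a Let's Encrypt validation attempt on a stale record.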

Let's Encrypt with Lego: an easy game!

You can use the library directly, or any other Lego-based tool, such as Caddy or Traefik.

For example, with Traefik you can use the following traefik-config.yml as a starting point. You will need to expose your EXOSCALE_API_KEY and EXOSCALE_API_SECRET credentials as environment variables.

defaultEntryPoints = ["https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "YOUR@EMAIL"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
onDemand = true

[[acme.domains]]
main = "*.YOUR-DOMAIN.COM"

[acme.dnsChallenge]
provider = "exoscale"

[api]
#dashboard = true
#debug = true
entrypoint = "https"