Wildcard certs & Certwarden Client

adilette

I am testing Certwarden with wildcard certificates that I want to distribute to different hosts (multiple local reverse proxies). However, it seems that wildcard certificates are not compatible with the Certwarden client, is that correct?

When I renew the certificate in Certwarden, I see following error message:

4/27/2025, 6:34:44 PM, error, orders/post_process_do_client.go:104, orders: post processing worker 0: order 3: notify client failed: failed to post to client (Post "https://*.example.org:5055/certwardenclient/api/v1/install": dial tcp: lookup *.example.org: no such host) (cert: 1, cn: *.example.org)

This makes sense, since Certwarden is supposed to connect to the subject.

I was also looking for an environment variable that might bypass this problem: a FQDN that is sent from the client to the server when the certificate is pulled for the first time and is then linked to the certificate. The server then contacts this FQDN on port 5055 on renewals, instead of the subject.

At least it was a way of functioning that I could have imagined. But there does not seem to be such a thing, correct?

Are there other solutions for using wildrcads with Certwarden Client? Have I missed something?

Cheers,
adilette

gregtwallace

You are correct, there is not an option currently to manually set that value. There is an open Issue, I just haven't gotten to it yet:

https://github.com/gregtwallace/certwarden/issues/67

adilette

Thank you @gregtwallace.

I have solved this currently with certwarden-deploy and a cronjob. But I like the idea that Certwarden-client only becomes active when the certificate has actually been renewed.

Maybe the feature will come along and I will switch. In the meantime, I am grateful that Certwarden exists. Thank you for that!

gregtwallace

I’ve got this mostly done so it’ll be in the next version.