As you know, Let's Encrypt officially started issuing a wildcard SSL certificate using ACMEv2(Automated Certificate Management Environment) endpoint. Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases.
Wildcard certificates are only available via ACMEv2. Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you'll need to modify DNS TXT records in order to verify domain ownership for the purpose of obtaining a wildcard certificate. You can read more details here. There are multiple clients for interacting with this API, but different client serves for the different purpose. We will use certbot. So, let's get started -
1. Install certbot
In order to install certbot, run the following commands:
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo ./certbot-auto
If sudo ./certbot-auto returns error something like this -
Creating virtual environment...
...
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
then, you need to set local LC_ALL and LC_CTYPE variables to en_US.UTF-8
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
2. Create and Setup Wildcard Certificate (Manual Mode)
We say this manual mode because in this we need to complete challenges to verify domain ownership manually (If you want to automate the challenge process, then jump to the step 3). Here we are going to create wildcard certificate for developerinsider.co and setup them on a nginx server. Here you can replace nginx with apache if you are using an apache server. If you only want to create a certificate, then replace -i nginx with certonly.
sudo ./certbot-auto -i nginx --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.developerinsider.co -d developerinsider.co
The certbot client will walk you through the process of registering an account, and it will instruct you on what to do to complete the challenges. You should see something like:
Please deploy a DNS TXT record under the name
_acme-challenge.developerinsider.co with the following value:
nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
You can deploy this DNS TXT record using your domain control panel. Once you have completed the TXT record deployment, you need to verify that it is working using nslookup:
nslookup -type=TXT _acme-challenge.developerinsider.co
Server: 192.XXX.XXX.XXX
Address: 192.XXX.XXX.XXX#XX
Non-authoritative answer:
_acme-challenge.developerinsider.co text = "nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8"
When you have verified that the TXT record is properly deployed and accessible using nslookup command then proceed to the next challenge.
If you've multiple site-enabled in your nginx server, you need to manually select the site. In my case, I want to update both site configuration file. So, I leave input blank to select all options.
Which server blocks would you like to modify?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/nginx/sites-enabled/developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: developerinsider.co
HTTPS: Yes
2: File: /etc/nginx/sites-enabled/tech.developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: tech.developerinsider.co
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
After this, the certbot client will ask you whether you want to redirect HTTP traffic to HTTPS. Here you can select the appropriate option for your site. For me, I want to redirect all HTTP traffic to HTTPS. So, I choose option 2.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
When the certificate will be issued and you should see something like:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/developerinsider.co/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/developerinsider.co/privkey.pem
Your cert will expire on 2018-12-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Create and Setup Wildcard Certificate (Auto Mode)
If you want to obtain a wildcard certificate without manually completing AMEC challenges, you'll need to use one of Certbot's DNS plugins.
3.1 Obtain API Key
The plugin requires a configuration file containing API credentials, obtained API key from your DNS manager account -
- Cloudfare - certbot-dns-cloudflare
- Cloudxns - certbot-dns-cloudxns
- DigitalOcean - certbot-dns-digitalocean
- DNSimple - certbot-dns-dnsimple
- DNSMadeEasy - certbot-dns-dnsmadeeasy
- Google - certbot-dns-google
- Linode - certbot-dns-linode
- LuaDNS - certbot-dns-luadns
- NSOne - certbot-dns-nsone
- OVH - certbot-dns-ovh
- RFC2136 - certbot-dns-rfc2136
- Route53 - certbot-dns-route53
Now create a directory .secrets and save your credentials file. Above links contain example credential file. Here the example of Digital Ocean -
mkdir .secrets
cd .secrets
nano digitalocean.ini
Copy paste you credentials and save file.
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
Now run chmod 600 to restrict access to the file.
3.2 Install Certbot's DNS Plugin
In order to install DNS plugin, first you need to determine where your certbot is installed:
find / -name certbot
/opt/eff.org/certbot
Now, Get into the Virtual Env and install the plugin for your DNS manager (in my case Digital Ocean)
cd /opt/eff.org/certbot/venv
source bin/activate
pip install certbot-dns-digitalocean
deactivate
Verify certbot plugins is installed or not
certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
* certbot-dns-digitalocean
Description: Obtain certificates using a DNS TXT record (if you are using Digital Ocean for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-digitalocean = certbot-dns-digitalocean.dns-digitalocean:Authenticator
* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3.3 Create and Setup Wildcard Certificate
Here we are going to create wildcard certificate for developerinsider.co and setup them on a nginx server. Here you can replace nginx with apache, if you are using an apache server. If you only want to create a certificate, then replace -i nginx with certonly.
./certbot-auto -i nginx --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns -d '*.developerinsider.co' -d 'developerinsider.co' --dns-digitalocean --dns-digitalocean-credentials .secrets/digitalocean.ini
If you've multiple site-enabled in your nginx server, you need to manually select the site. In my case, I want to update both site configuration file. So, I leave input blank to select all options.
Which server blocks would you like to modify?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/nginx/sites-enabled/developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: developerinsider.co
HTTPS: Yes
2: File: /etc/nginx/sites-enabled/tech.developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: tech.developerinsider.co
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
After this, certbot client will ask you whether you want to redirect HTTP traffic to HTTPS. Here you can select which one is better suited for your site. For me, I want to redirect all HTTP traffic to HTTPS. So, I choose option 2.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
When the certificate will be issued and you should see something like:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/developerinsider.co/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/developerinsider.co/privkey.pem
Your cert will expire on 2018-12-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4. Automating Renewal
If you've created the wildcard certificate using Manual Mode, then you need to repeat those step every time you want to renew your wildcard certificate. But for the auto mode, you can auto-renew your wildcard certificate using the cron job. Certbot packages already have a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
./certbot-auto renew --dry-run
If you're sure that this command executes successfully without human intervention, you can add the command to crontab without --dry-run flag. Let's Encrypt Certificates are only renewed when they're near to expiry, the command can run on a regular basis, like every week or every day. You can also add pre-hook and post-hook to this command. Like -
./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"
or
./certbot-auto renew --post-hook "service nginx restart"
For more details read certbot docs.
