Wiki

How to Create and Auto-Renew Let's Encrypt Wildcard Certificate?

As you know, Let's Encrypt officially started issuing a wildcard SSL certificate using ACMEv2(Automated Certificate Management Environment) endpoint. Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases.

Wildcard certificates are only available via ACMEv2. Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you'll need to modify DNS TXT records in order to verify domain ownership for the purpose of obtaining a wildcard certificate. You can read more details here. There are multiple clients for interacting with this API, but different client serves for the different purpose. We will use certbot. So, let's get started -

1. Install certbot

In order to install certbot, run the following commands:

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo ./certbot-auto

2. Create and Setup Wildcard Certificate (Manual Mode)

We say this manual mode because in this we need to complete challenges to verify domain ownership manually (If you want to automate the challenge process, then jump to the step 3). Here we are going to create wildcard certificate for developerinsider.co and setup them on a nginx server. Here you can replace nginx with apache if you are using an apache server. If you only want to create a certificate, then replace -i nginx with certonly.

sudo ./certbot-auto -i nginx --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.developerinsider.co -d developerinsider.co

The certbot client will walk you through the process of registering an account, and it will instruct you on what to do to complete the challenges. You should see something like:

Please deploy a DNS TXT record under the name
_acme-challenge.developerinsider.co with the following value:

nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

You can deploy this DNS TXT record using your domain control panel. Once you have completed the TXT record deployment, you need to verify that it is working using nslookup:

nslookup -type=TXT _acme-challenge.developerinsider.co
Server:		192.XXX.XXX.XXX
Address:	192.XXX.XXX.XXX#XX

Non-authoritative answer:
_acme-challenge.developerinsider.co	text = "nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8"

When you have verified that the TXT record is properly deployed and accessible using nslookup command then proceed to the next challenge.

If you've multiple site-enabled in your nginx server, you need to manually select the site. In my case, I want to update both site configuration file. So, I leave input blank to select all options.

Which server blocks would you like to modify?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/nginx/sites-enabled/developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: developerinsider.co
HTTPS: Yes

2: File: /etc/nginx/sites-enabled/tech.developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: tech.developerinsider.co
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

After this, the certbot client will ask you whether you want to redirect HTTP traffic to HTTPS. Here you can select the appropriate option for your site. For me, I want to redirect all HTTP traffic to HTTPS. So, I choose option 2.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

When the certificate will be issued and you should see something like:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/developerinsider.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/developerinsider.co/privkey.pem
   Your cert will expire on 2018-12-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Create and Setup Wildcard Certificate (Auto Mode)

If you want to obtain a wildcard certificate without manually completing AMEC challenges, you'll need to use one of Certbot's DNS plugins.

3.1 Obtain API Key

The plugin requires a configuration file containing API credentials, obtained API key from your DNS manager account -

  1. Cloudfare - certbot-dns-cloudflare
  2. Cloudxns - certbot-dns-cloudxns
  3. DigitalOcean - certbot-dns-digitalocean
  4. DNSimple - certbot-dns-dnsimple
  5. DNSMadeEasy - certbot-dns-dnsmadeeasy
  6. Google - certbot-dns-google
  7. Linode - certbot-dns-linode
  8. LuaDNS - certbot-dns-luadns
  9. NSOne - certbot-dns-nsone
  10. OVH - certbot-dns-ovh
  11. RFC2136 - certbot-dns-rfc2136
  12. Route53 - certbot-dns-route53

Now create a directory .secrets and save your credentials file. Above links contain example credential file. Here the example of Digital Ocean -

mkdir .secrets
cd .secrets
nano digitalocean.ini

Copy paste you credentials and save file.

# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

Now run chmod 600 to restrict access to the file.

3.2 Install Certbot's DNS Plugin

In order to install DNS plugin, first you need to determine where your certbot is installed:

find / -name certbot
/opt/eff.org/certbot

Now, Get into the Virtual Env and install the plugin for your DNS manager (in my case Digital Ocean)

cd /opt/eff.org/certbot/venv
source bin/activate
pip install certbot-dns-digitalocean
deactivate

Verify certbot plugins is installed or not

certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* certbot-dns-digitalocean
Description: Obtain certificates using a DNS TXT record (if you are using Digital Ocean for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-digitalocean = certbot-dns-digitalocean.dns-digitalocean:Authenticator

* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3.3 Create and Setup Wildcard Certificate

Here we are going to create wildcard certificate for developerinsider.co and setup them on a nginx server. Here you can replace nginx with apache, if you are using an apache server. If you only want to create a certificate, then replace -i nginx with certonly.

./certbot-auto -i nginx --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns -d '*.developerinsider.co' -d 'developerinsider.co' --dns-digitalocean --dns-digitalocean-credentials .secrets/digitalocean.ini

If you've multiple site-enabled in your nginx server, you need to manually select the site. In my case, I want to update both site configuration file. So, I leave input blank to select all options.

Which server blocks would you like to modify?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/nginx/sites-enabled/developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: developerinsider.co
HTTPS: Yes

2: File: /etc/nginx/sites-enabled/tech.developerinsider.co.conf
Addresses: 443 ssl, [::]:443 ssl
Names: tech.developerinsider.co
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

After this, certbot client will ask you whether you want to redirect HTTP traffic to HTTPS. Here you can select which one is better suited for your site. For me, I want to redirect all HTTP traffic to HTTPS. So, I choose option 2.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

When the certificate will be issued and you should see something like:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/developerinsider.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/developerinsider.co/privkey.pem
   Your cert will expire on 2018-12-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4. Automating Renewal

If you've created the wildcard certificate using Manual Mode, then you need to repeat those step every time you want to renew your wildcard certificate. But for the auto mode, you can auto-renew your wildcard certificate using the cron job. Certbot packages already have a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

./certbot-auto renew --dry-run

If you're sure that this command executes successfully without human intervention, you can add the command to crontab without --dry-run flag. Let's Encrypt Certificates are only renewed when they're near to expiry, the command can run on a regular basis, like every week or every day. You can also add pre-hook and post-hook to this command. Like -

./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

or

./certbot-auto renew --post-hook "service nginx restart"

For more details read certbot docs.

0 Comments 0 Comments
0 Comments 0 Comments