With the recent release of Let’s Encrypt’s ACMEv2 protocol implementation, they’ve gained the ability to not only supply SSL certificates for single domains, but also all subdomains. I’ve been interested in switching from our previous CA to Let’s Encrypt when their wildcard support dropped, because it makes renewal of certificates significantly easier due to automation capabilities of the platform. This blog post describes how to generate a wildcard certificate using
Certbot is the tool developed by the guys over at the Electronic Frontier Foundation (EFF) in order to simplify the lives of people using Let’s Encrypt (and other ACME protocol based CAs) by automatically fetching and deploying certificates.
First, we need to get the
Certbot executable. The latest release is available at the EFF’s website.
wget https://dl.eff.org/certbot-auto chmod a+x ./certbot-auto
Let’s Encrypt gives you 3 ways to verify that you own the domain(s) in question:
tls-sni challenges. I used the
dns challenge in my case, since it appears that that’s the only type that wildcard certificates support.
Generate a certificate with
sudo ./certbot-auto certonly \ --server https://acme-v02.api.letsencrypt.org/directory \ --manual \ --preferred-challenges dns \ -d <your_domain_here> \ -m <your_email_here> \ --agree-tos \ --no-eff-email \ --manual-public-ip-logging-ok
If you do want to share your email with the EFF, replace the
--no-eff-email flag with
In my case, I used the following arguments:
sudo ./certbot-auto certonly \ --server https://acme-v02.api.letsencrypt.org/directory \ --manual \ --preferred-challenges dns \ -d sanbi.ac.za \ -d *.sanbi.ac.za \ -d *.wp.sanbi.ac.za \ -m [email protected] \ --agree-tos \ --no-eff-email \ --manual-public-ip-logging-ok
Add DNS Records
Once the certificate is obtained,
Certbot will prompt the user with a message similar to the following:
In your DNS provider configuration, you need to add a new
TXT record name with
_acme-challenge.<your_domain_here> and the corresponding value provided by the program. Do this for all the domains that you have specified.
If you run your own named/bind9 server, add the following line, update your serial and reload your rules:
_acme-challenge.<your_domain_here>. IN TXT <value>
Before you continue with
Certbot, check that your DNS server records have propagated using
nslookup. For example:
dig -t TXT _acme-challenge.sanbi.ac.za will produce something like:
; <<>> DiG 9.12.1 <<>> -t TXT _acme-challenge.sanbi.ac.za ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25805 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;_acme-challenge.sanbi.ac.za. IN TXT ;; ANSWER SECTION: _acme-challenge.sanbi.ac.za. 3599 IN TXT "RjMppEEL6MImK8EB5LSadOLsrdcxNIbGxUk8rjxWd6U" ;; Query time: 462 msec ;; SERVER: XXX.XXX.XXX.XXX#XX(XXX.XXX.XXX.XXX) ;; WHEN: Sat Mar 24 14:02:10 SAST 2018 ;; MSG SIZE rcvd: 112
Now that your certificates are generated, you can apply it to the webserver of your choice. The files will be found in /etc/letsencrypt/live/your_domain/*.pem.