With the recent release of Let’s Encrypt’s ACMEv2 protocol implementation, Let’s Encrypt has gained the ability to issue SSL certificates not only for single domains but also for all of their subdomains (wildcard certificates). I’ve been interested in switching from our previous CA to Let’s Encrypt since their wildcard support dropped, because the platform’s automation makes certificate renewal significantly easier. This blog post describes how to generate a wildcard certificate using Certbot.
Acquire Certbot
Certbot is the tool developed by the folks at the Electronic Frontier Foundation (EFF) to simplify the lives of people using Let’s Encrypt (and other ACME-based CAs) by automatically fetching and deploying certificates.
First, we need to get the Certbot executable. The latest release is available on the EFF’s website.
Acquire Certificate
Let’s Encrypt gives you three ways to verify that you own the domain(s) in question: the http, dns and tls-sni challenges. I used the dns challenge in my case, since that appears to be the only challenge type that supports wildcard certificates.
Generate a certificate with Certbot:
Note: If you do want to share your email address with the EFF, replace the --no-eff-email flag with --eff-email.
In my case, I used the following arguments:
Add DNS Records
Once Certbot has started the request, it will prompt you with a message similar to the following:
In your DNS provider’s configuration, add a new TXT record named _acme-challenge.<your_domain_here> with the corresponding value that Certbot printed. Do this for every domain you specified.
If you run your own named/bind9 server, add the following line to the zone file, update the zone’s serial and reload the zone:
Before you continue with Certbot, check that your DNS records have propagated using dig or nslookup. For example, dig -t TXT _acme-challenge.sanbi.ac.za will produce something like:
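The manual DNS challenge flow described above, as an added shell example that is not part of the original post or of Certbot itself: it assembles the Certbot argument list for a base domain plus its wildcard, prints the bind9 record line for a challenge token, and checks dig output for the expected tokens so you only let Certbot continue once the records are visible. The domain names, e-mail address and tokens are constructed placeholders; the Certbot flags used (--manual, --preferred-challenges, --server, --agree-tos, --email, -d) are real ones.

```shell
#!/bin/sh
# Added example (not the blog post's own commands): helpers for the manual
# DNS-01 wildcard flow. example.com, admin@example.com and the tokens below
# are constructed placeholders.

# Build the argument list for a one-off wildcard request. The base domain and
# its wildcard go on the same certificate, which is why Certbot asks for two
# _acme-challenge TXT values under the same record name. Swap --no-eff-email
# for --eff-email if you want to share the address with the EFF.
# Run it with:  set -f; set -- $(certbot_args example.com admin@example.com); certbot "$@"
# (set -f stops the shell from glob-expanding the '*.example.com' argument).
certbot_args() {
    ca_domain="$1"
    ca_email="$2"
    printf '%s\n' certonly --manual --preferred-challenges dns \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --agree-tos --no-eff-email --email "$ca_email" \
        -d "$ca_domain" -d "*.$ca_domain"
}

# Emit the record line to paste into a bind9 zone file. Bump the SOA serial
# and reload the zone afterwards, otherwise resolvers keep the old data.
zone_record() {
    printf '_acme-challenge.%s. IN TXT "%s"\n' "$1" "$2"
}

# Succeed if the given dig output contains the token as a quoted TXT string.
# It takes the output as text so the check can be exercised offline; live use:
#   txt_present "$(dig +short -t TXT _acme-challenge.example.com)" "$token"
txt_present() {
    tp_output="$1"
    tp_token="$2"
    printf '%s\n' "$tp_output" | grep -qF "\"$tp_token\""
}

# Poll the resolver until every token is visible, or give up after 30 tries.
# Only press Enter in Certbot once this returns 0: if validation fails you
# have to start over with freshly issued tokens.
wait_for_txt() {
    wf_name="$1"
    shift
    wf_tries=0
    while [ "$wf_tries" -lt 30 ]; do
        wf_out="$(dig +short -t TXT "$wf_name" 2>/dev/null || true)"
        wf_ok=1
        for wf_token in "$@"; do
            txt_present "$wf_out" "$wf_token" || wf_ok=0
        done
        [ "$wf_ok" -eq 1 ] && return 0
        sleep 10
        wf_tries=$((wf_tries + 1))
    done
    return 1
}

# Constructed sample of what `dig +short -t TXT _acme-challenge.example.com`
# returns once both records have propagated (tokens are made up).
SAMPLE_DIG_OUTPUT='"tokenA"
"tokenB"'
```

The check deliberately matches the token including its surrounding quotes, so a record whose value merely starts with the token (a stale or mistyped entry) is not mistaken for the right one.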
Apply Certificates
Now that your certificates are generated, you can apply them to the web server of your choice. The files will be found in /etc/letsencrypt/live/<your_domain>/*.pem.