Select Page

How to setup Let’s Encrypt wildcard certificate

Way back in 2016 we posted about how to setup Free SSL certs using Let’s Encyrpt CA.

The internet has come a long way since then, and Let’s Encrypt is almost the default SSL option for many websites.

Even so, a slight annoyance with Let’s Encrypt was its inability to support wilcard certificates.

This led to many site owners (including Bobcares) having to maintain independent certificates for each subdomain (like blog.bobcares.com, my.bobcares.com, etc.).

Well, here’s the good news : Starting March 3rd 2018, Let’s Encrypt has started supporting wildcard certificates.

So, if you are a website or server owner who has many SSL protected subdomains, here’s how you can setup a Let’s Encrypt wildcard certificate.

 

Step 1 : Setup CertBot

There are many tools to setup Let’s Encrypt certificates. We’ve found EFF’s CertBot to be quite reliable.

So, first download and setup CertBot:

$ git clone https://github.com/certbot/certbot
$ cd certbot
$ sudo python setup.py install
$ certbot --version
certbot 0.25.0.dev0

Make sure you have the latest version of CertBot (v 0.23 or above), because there are changes to the certificate generation protocol for wildcard certificates.

If you are facing installation issues in setting up CertBot, we can help you fix it in a few minutes. Click here to talk to our Linux experts. We are online 24/7.

 

Step 2 : Request wildcard cert via DNS challenge

Before a certificate can be issued by Let’s Encrypt, they need to verify that you are the real owner of the website.

For Wildcard certificates, you can prove your ownership by creating a DNS record on your domain.

In our case, we used the below commands:

$ certbot certonly --manual -d *.bobcares.in --agree-tos --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Please deploy a DNS TXT record under the name
_acme-challenge.bobcares.in with the following value:

14q49t5JSak47aVKTnuxYcvPOuZdPchpOXPsFzpoWyI

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

As you can see, to pass the test, we need to set a TXT record for _acme-challenge.bobcares.in with the value 14q49t5JSak47aVKTnuxYcvPOuZdPchpOXPsFzpoWyI before we can press “Enter”.

So, the next step is to set the TXT record. We did so for our domain, and a query to Google showed this result:

$ dig +short TXT _acme-challenge.bobcares.in @8.8.8.8
"14q49t5JSak47aVKTnuxYcvPOuZdPchpOXPsFzpoWyI"

Now, we went back and pressed “Enter” to continue the Cert generation.

In many servers we’ve faced issues such as missing Python libraries, unreachable Let’s Encrypt API servers, etc. while generating certificates.

If you are facing any such issues, we can get that fixed in a few minutes. Click here to talk to our Linux experts. We are online 24/7.

 

Step 3 : Deploy the certificate

When you press “Enter”, provided your DNS propagation is complete, you should see a successful cert generation message, like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/bobcares.in/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/bobcares.in/privkey.pem
   Your cert will expire on 2018-08-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 

At this point, your certificate should be available in “/etc/letsencrypt/live/YOUR_DOMAIN/“.

In our case, it was at “/etc/letsencrypt/live/bobcares.in/cert.pem”.

Now, all you need to do is to replace your SSL cert and key file path in your configuration file.

In our case, we edited the Nginx configuration file to this:

### SSL cert files ###
ssl_certificate /etc/letsencrypt/live/bobcares.in/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/bobcares.in/privkey.pem;

Reload the web server, and you are done.

 

Parting notes

There are many ways to deploy this certificate, including automated Apache and Nginx deployments, but many server owners have contacted us saying the automated deployment didn’t work or caused errors.

If you are facing any issues with the certificate genearation or deployment, our Linux experts can fix that for you within a few minutes for a small fee. Click here to talk to our 24/7 support team.


SPEED UP YOUR SERVER TODAY!

Never again lose customers to poor page speed! Let us help you.

Contact Us once. Enjoy Peace Of Mind For Ever!

GET EXPERT ASSISTANCE FOR JUST $59.99/hr

1 Comment

  1. In order to configure apache you can do so by running

    sudo certbot –apache

    This will create a new httpssl conf..

    And to auto renew use this
    sudo crontab -e

    Add thecron job on the crontab file

    30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
MORE ABOUT BOBCARES