How to setup Let’s Encrypt wildcard certificate
Way back in 2016 we posted about how to setup Free SSL certs using Let’s Encyrpt CA.
The internet has come a long way since then, and Let’s Encrypt is almost the default SSL option for many websites.
Even so, a slight annoyance with Let’s Encrypt was its inability to support wilcard certificates.
This led to many site owners (including Bobcares) having to maintain independent certificates for each subdomain (like blog.bobcares.com, my.bobcares.com, etc.).
Well, here’s the good news : Starting March 3rd 2018, Let’s Encrypt has started supporting wildcard certificates.
So, if you are a website or server owner who has many SSL protected subdomains, here’s how you can setup a Let’s Encrypt wildcard certificate.
Step 1 : Setup CertBot
There are many tools to setup Let’s Encrypt certificates. We’ve found EFF’s CertBot to be quite reliable.
So, first download and setup CertBot:
$ git clone https://github.com/certbot/certbot
$ cd certbot
$ sudo python setup.py install
$ certbot --version
Make sure you have the latest version of CertBot (v 0.23 or above), because there are changes to the certificate generation protocol for wildcard certificates.
If you are facing installation issues in setting up CertBot, we can help you fix it in a few minutes. Click here to talk to our Linux experts. We are online 24/7.
Step 2 : Request wildcard cert via DNS challenge
Before a certificate can be issued by Let’s Encrypt, they need to verify that you are the real owner of the website.
For Wildcard certificates, you can prove your ownership by creating a DNS record on your domain.
In our case, we used the below commands:
$ certbot certonly --manual -d *.bobcares.in --agree-tos --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please deploy a DNS TXT record under the name
_acme-challenge.bobcares.in with the following value:
Before continuing, verify the record is deployed.
Press Enter to Continue
As you can see, to pass the test, we need to set a TXT record for _acme-challenge.bobcares.in with the value 14q49t5JSak47aVKTnuxYcvPOuZdPchpOXPsFzpoWyI before we can press “Enter”.
So, the next step is to set the TXT record. We did so for our domain, and a query to Google showed this result:
$ dig +short TXT _acme-challenge.bobcares.in @18.104.22.168
Now, we went back and pressed “Enter” to continue the Cert generation.
In many servers we’ve faced issues such as missing Python libraries, unreachable Let’s Encrypt API servers, etc. while generating certificates.
If you are facing any such issues, we can get that fixed in a few minutes. Click here to talk to our Linux experts. We are online 24/7.
Step 3 : Deploy the certificate
When you press “Enter”, provided your DNS propagation is complete, you should see a successful cert generation message, like this:
- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-08-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
At this point, your certificate should be available in “/etc/letsencrypt/live/YOUR_DOMAIN/“.
In our case, it was at “/etc/letsencrypt/live/bobcares.in/cert.pem”.
Now, all you need to do is to replace your SSL cert and key file path in your configuration file.
In our case, we edited the Nginx configuration file to this:
### SSL cert files ###
Reload the web server, and you are done.
There are many ways to deploy this certificate, including automated Apache and Nginx deployments, but many server owners have contacted us saying the automated deployment didn’t work or caused errors.
If you are facing any issues with the certificate genearation or deployment, our Linux experts can fix that for you within a few minutes for a small fee. Click here to talk to our 24/7 support team.