How to Generate Let’s Encrypt SSL Wildcard using Certbot?

Introduction

How to Generate Let’s Encrypt SSL Wildcard with Cloudflare? This guide will show you how to generate a Let’s Encrypt SSL wildcard certificate with Cloudflare, valid for 90 days.

A wildcard certificate is an SSL certificate that can secure any number of subdomains with a single certificate. You may want a wildcard certificate in cases where you need to support multiple subdomains but don’t want to configure them all individually.

Let’s Encrypt is an SSL certificate authority that grants free certificates using an automated API. In this tutorial you will create a Let’s Encrypt wildcard certificate by following these steps:

Step 1 - Creating a temporary website
Step 2 - Getting CloudFlare Global API Key
Step 3 - Configuring the Certbot Plugin
Step 4 - Installing the Correct Certbot DNS Plugin
Step 5 - Generating Let's Encrypt SSL Wildcard Certificate
Step 6 - Using SSL Wildcard Certificate

Prerequisites

Step 1 – Creating a temporary website

Create a temporary web server using a container

docker run --name test-nginx -d -p 80:80 nginx

Test the website connection

curl http://localhost

Step 2 – Getting Cloudflare Global API Key

Because each provider has a different authentication process, please refer to the documentation for your particular Certbot DNS plugin for more information on what tokens or keys you’ll need to obtain.

In this tutorial, we will use the dns-cloudflare plugin.

Access https://dash.cloudflare.com/profile/api-tokens and note your Global API Key. We will use it later.


Step 3 – Configuring the Certbot Plugin

We will need a Certbot authentication file so the plugin can connect to your DNS provider and create DNS records on your behalf.

In this tutorial, we will use the dns-cloudflare plugin. We will create a cloudflare.ini file to store our Cloudflare credentials.

sudo mkdir -p /root/.secrets/
sudo touch /root/.secrets/cloudflare.ini
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini
sudo vi /root/.secrets/cloudflare.ini

Fill in your Cloudflare email and API Key in the file:

dns_cloudflare_email = "Email login in Cloudflare"
dns_cloudflare_api_key = "Global API Key from Step 2"

Step 4 – Installing the Correct Certbot DNS Plugin

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx python3-certbot-dns-cloudflare

Step 5 – Generating Let’s Encrypt SSL Wildcard Certificate

Replace example.com with your domain:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01

For example:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d hijackson.com,*.hijackson.com --preferred-challenges dns-01

After it generates successfully, you can find your certificate in /etc/letsencrypt/live/yourdomain


Step 6 – Using SSL Wildcard Certificate

You have successfully generated a wildcard SSL certificate! Your next step is to configure your server application to use it. You can follow these instructions to set up Wildcard SSL on Nginx.

The wildcard SSL files are located in /etc/letsencrypt/archive/yourdomain. The files you will use for Nginx are fullchain.pem and privkey.pem.

Refer to the README for more details:

privkey.pem: the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem: used for OCSP stapling in Nginx >=1.3.7.
cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).
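Two things worth verifying once Steps 3 and 5 are done: that the credentials file holding the Global API Key is not readable by other users, and that the issued fullchain.pem actually carries both the apex and the wildcard name and is not close to its 90-day expiry. The script below is an added example, not part of the original tutorial; it assumes openssl 1.1.1 or newer is installed and takes the file paths as arguments.

```shell
#!/bin/sh
# Post-issuance sanity checks (added example, not from the original tutorial).
# Assumes openssl 1.1.1 or newer; file paths are passed as arguments.

# Return 0 if the credentials file from Step 3 is readable only by its owner
# (mode 0400 or 0600), otherwise print the offending mode and return 1.
# The Global API Key in that file grants full control of the Cloudflare
# account, so a group- or world-readable copy is a real exposure.
check_creds_perms() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "insecure mode $mode on $f (expected 0400)" >&2; return 1 ;;
  esac
}

# Return 0 if the certificate's Subject Alternative Names cover both the apex
# domain and the wildcard, i.e. what "-d example.com,*.example.com" in Step 5
# asked for; a certificate missing either name will not serve all hosts.
check_cert_names() {
  cert="$1"; domain="$2"
  names=$(openssl x509 -in "$cert" -noout -ext subjectAltName \
            | tail -n 1 | tr -d ' ' | tr ',' '\n')
  echo "$names" | grep -Fqx "DNS:$domain" \
    || { echo "apex name $domain missing from $cert" >&2; return 1; }
  echo "$names" | grep -Fqx "DNS:*.$domain" \
    || { echo "wildcard *.$domain missing from $cert" >&2; return 1; }
  return 0
}

# Return 0 if the certificate remains valid for at least $2 days (default 30).
# Let's Encrypt certificates expire after 90 days, so this is the check to
# put in a cron job or monitoring probe to catch a missed renewal early.
check_cert_expiry() {
  days="${2:-30}"
  openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Example invocation against the paths Certbot uses (live/ holds symlinks to
# the current files in archive/); replace example.com with your own domain.
# check_creds_perms /root/.secrets/cloudflare.ini
# check_cert_names  /etc/letsencrypt/live/example.com/fullchain.pem example.com
# check_cert_expiry /etc/letsencrypt/live/example.com/fullchain.pem 30
```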

Conclusion

In this tutorial you configured Certbot + Cloudflare DNS plugin and downloaded a wildcard SSL certificate from the Let’s Encrypt certificate authority. You are now ready to configure your server software to use this certificate to secure its connections.

This wildcard SSL certificate is only valid for 90 days. After that, you need to renew it. In this tutorial, the Ubuntu server is temporary; you can terminate it after moving the wildcard certificate to a different server to configure your application.

If you have a website and want to generate the wildcard SSL certificate on that same stand-alone server and auto-renew it after 90 days, take a look at this tutorial: How to Setup Auto Renew Let’s Encrypt Wildcard SSL on Ubuntu 22.04
