How to Generate Let’s Encrypt SSL Wildcard with CloudFlare?
This guide will show you how to generate a Let’s Encrypt wildcard SSL certificate with Cloudflare; the certificate is valid for 90 days.
A wildcard certificate is an SSL certificate that can secure any number of subdomains with a single certificate. You may want a wildcard certificate in cases where you need to support multiple subdomains but don’t want to configure them all individually.
Let’s Encrypt is an SSL certificate authority that grants free certificates using an automated API. In this tutorial you will create a Let’s Encrypt wildcard certificate by following these steps:
Step 1 - Creating a temporary website
Step 2 - Getting CloudFlare Global API Key
Step 3 - Configuring the Certbot Plugin
Step 4 - Installing the Correct Certbot DNS Plugin
Step 5 - Generating Let's Encrypt SSL Wildcard Certificate
Step 6 - Using SSL Wildcard Certificate
Prerequisites:
- New Ubuntu VM 18.04 or later
- Docker Engine installed on Ubuntu
- A domain managed by Cloudflare, for which the wildcard SSL certificate will be generated
Step 1 – Creating a temporary website
Create a temporary web server using a container:
docker run --name test-nginx -d -p 80:80 nginx
Test the website connection.
Step 2 – Getting Cloudflare Global API Key
Because each provider has a different authentication process, please refer to the documentation for your particular Certbot DNS plugin for more information on what tokens or keys you’ll need to obtain.
In this tutorial, we will use the Cloudflare Global API Key.
Access https://dash.cloudflare.com/profile/api-tokens and note the Global API Key. We will use it later.
Step 3 – Configuring the Certbot Plugin
We will need a Certbot authentication file so that Certbot can connect to your DNS provider and create DNS records on your behalf.
In this tutorial, we will use the dns-cloudflare plugin. We will create a cloudflare.ini file to store our Cloudflare credentials.
sudo mkdir -p /root/.secrets/
sudo touch /root/.secrets/cloudflare.ini
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini
sudo vi /root/.secrets/cloudflare.ini
Fill in your Cloudflare email and API Key in the file:
dns_cloudflare_email = "Email login in CloudFare"
dns_cloudflare_api_key = "Global API Key in Step 2"
Step 4 – Installing the Correct Certbot DNS Plugin
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx python3-certbot-dns-cloudflare
Step 5 – Generating Let’s Encrypt SSL Wildcard Certificate
Replace example.com with your domain:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d hijackson.com,*.hijackson.com --preferred-challenges dns-01
After generating successfully, you can find your certificate in /etc/letsencrypt/live/yourdomain
Step 6 – Using SSL Wildcard Certificate
You have successfully generated a wildcard SSL certificate! Your next step is to configure your server application to use it. You can follow these instructions to set up the wildcard SSL certificate on Nginx.
The wildcard SSL certificate files are located in /etc/letsencrypt/archive/yourdomain. The files you will use for Nginx are fullchain.pem and privkey.pem.
Refer to the README for more details:
privkey.pem: the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem: used for OCSP stapling in Nginx >=1.3.7.
cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).
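As an added example (not part of the original tutorial), the script below checks the two artifacts this guide produces: that the cloudflare.ini from Step 3 is readable only by its owner and holds real credentials rather than the placeholders, and that the fullchain.pem from Step 5 actually covers both the apex and the wildcard name and is not about to expire. The script name check-wildcard.sh is hypothetical; it assumes a POSIX shell with ls, cut and grep, and openssl on the PATH for the certificate checks.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity checks for the
# cloudflare.ini from Step 3 and the fullchain.pem from Step 5.
# Assumes POSIX sh with ls/cut/grep, and openssl on PATH for the cert checks.

# Succeed only if FILE is readable by its owner alone and holds usable
# credentials: the email + Global API Key pair used in this tutorial, or a
# scoped dns_cloudflare_api_token, which the certbot plugin also accepts.
# Placeholders such as "Global API Key in Step 2" are rejected: a value
# must be a single token.
check_cloudflare_ini() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # columns 5-10 of 'ls -l' are the group and other permission bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f is readable by group or others" >&2; return 1; }
    grep -Eq '^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*"?[^"[:space:]]+"?[[:space:]]*$' "$f" && return 0
    grep -Eq '^dns_cloudflare_email[[:space:]]*=[[:space:]]*"?[^"[:space:]]+@[^"[:space:]]+"?[[:space:]]*$' "$f" &&
    grep -Eq '^dns_cloudflare_api_key[[:space:]]*=[[:space:]]*"?[^"[:space:]]+"?[[:space:]]*$' "$f" ||
        { echo "$f lacks a usable email/API key pair" >&2; return 1; }
}

# Succeed only if CERT's subjectAltName lists every NAME given (exact match,
# so example.com does not satisfy a request for *.example.com).
cert_covers() {
    cert=$1; shift
    san=$(openssl x509 -noout -text -in "$cert" |
          grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    for name in "$@"; do
        case ",$san," in
            *",DNS:$name,"*) ;;
            *) echo "$cert does not cover $name" >&2; return 1 ;;
        esac
    done
}

# Succeed if CERT expires within DAYS days (Let's Encrypt certificates last
# 90 days, so 30 is the usual renewal threshold).
needs_renewal() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Usage: sh check-wildcard.sh /root/.secrets/cloudflare.ini \
#          /etc/letsencrypt/live/example.com/fullchain.pem example.com
if [ "$#" -eq 3 ]; then
    check_cloudflare_ini "$1"
    cert_covers "$2" "$3" "*.$3"
    needs_renewal "$2" 30 && echo "renew soon: $2 expires within 30 days"
fi
```

Run it as root against the live/ directory after Step 5; a non-zero exit or a "renew soon" line tells you which of the three checks needs attention.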
In this tutorial you configured Certbot + Cloudflare DNS plugin and downloaded a wildcard SSL certificate from the Let’s Encrypt certificate authority. You are now ready to configure your server software to use this certificate to secure its connections.
This wildcard SSL certificate is only valid for 90 days. After that, you need to renew it. In this tutorial, the Ubuntu server is temporary. You can terminate it after moving this wildcard SSL certificate to a different server to configure your application.
If you have a website and want to generate the wildcard SSL certificate on the same standalone server and auto-renew it after 90 days, take a look at this tutorial: How to Setup Auto Renew Let’s Encrypt Wildcard SSL on Ubuntu 22.04