How to Generate Let’s Encrypt SSL Wildcard using Certbot?

Introduction

This guide shows how to generate a Let's Encrypt wildcard SSL certificate with Certbot, using the Cloudflare DNS plugin to answer the DNS-01 challenge.

A wildcard certificate is an SSL certificate that can secure any number of subdomains with a single certificate. You may want a wildcard certificate in cases where you need to support multiple subdomains but don’t want to configure them all individually.

Let’s Encrypt is an SSL certificate authority that grants free certificates using an automated API. In this tutorial you will create a Let’s Encrypt wildcard certificate by following these steps:

Step 1 - Creating a temporary website
Step 2 - Getting CloudFlare Global API Key
Step 3 - Configuring the Certbot Plugin
Step 4 - Installing the Correct Certbot DNS Plugin
Step 5 - Generating Let's Encrypt SSL Wildcard Certificate
Step 6 - Using SSL Wildcard Certificate

Prerequisites

A running website on port 80

or

A new Ubuntu 18.04 (or later) VM
Docker Installed

Follow this guide to install Docker: https://docs.docker.com/engine/install/ubuntu/

If you already have a website running on port 80, you can skip step 1.

Step 1 – Creating a temporary website

Create a temporary web server using a container:

docker run --name test-nginx -d -p 80:80 nginx

Test the website connection:

curl http://localhost

Step 2 – Getting Cloudflare Global API Key

Because each provider has a different authentication process, please refer to the documentation for your particular Certbot DNS plugin for more information on what tokens or keys you’ll need to obtain.

For this example, we will use the dns-cloudflare plugin.

Open https://dash.cloudflare.com/profile/api-tokens and note your Global API Key. We will use it later.


Step 3 – Configuring the Certbot Plugin

We need a Certbot credentials file so the plugin can connect to your DNS provider and create DNS records on your behalf.

For this example, we will use the dns-cloudflare plugin and store our credentials in the file /root/.secrets/cloudflare.ini

sudo mkdir -p /root/.secrets/
sudo touch /root/.secrets/cloudflare.ini
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini

Creating the file with the vi editor:

vi /root/.secrets/cloudflare.ini
dns_cloudflare_email = "Email login in Cloudflare"
dns_cloudflare_api_key = "Global API Key in Step 2"
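The credentials file is the sensitive part of this setup: whoever can read it holds the Global API Key, which gives full access to the Cloudflare account (the plugin also accepts a scoped API token through dns_cloudflare_api_token, which limits the damage if the file leaks). The shell functions below are an added example, not part of the original post: they write the file with the contents in place before locking it down, and check that the result is readable by the owner only, which is what Certbot expects. The directory argument, the function names and the sample e-mail/key values are assumptions; the post itself uses /root/.secrets and the vi editor.

```shell
#!/bin/sh
# Added example (not from the original post): create the Certbot Cloudflare
# credentials file and verify its permissions.
# Arguments (all assumed for this example):
#   $1 = directory for the secrets (the post uses /root/.secrets)
#   $2 = Cloudflare login e-mail
#   $3 = Cloudflare Global API Key from Step 2
write_cloudflare_credentials() {
    secrets_dir="$1"
    cf_email="$2"
    cf_key="$3"
    ini="$secrets_dir/cloudflare.ini"

    mkdir -p "$secrets_dir"
    chmod 0700 "$secrets_dir"
    # umask 077 makes the file private from the moment it is created, so the
    # key never sits on disk with group/other read bits, even briefly.
    ( umask 077 && printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
        "$cf_email" "$cf_key" > "$ini" )
    chmod 0400 "$ini"
    printf '%s\n' "$ini"
}

# Return 0 when the file is readable by its owner only (mode 400 or 600).
# Certbot warns about DNS plugin credentials that other users can read.
credentials_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}
```

Run it as root with `write_cloudflare_credentials /root/.secrets you@example.com YOUR_GLOBAL_API_KEY` and then `credentials_mode_ok /root/.secrets/cloudflare.ini` before calling Certbot. Writing the contents first and tightening permissions last avoids editing a read-only file; the order in the post also works because root ignores the mode bits, but the check is worth repeating after any later edit.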

Step 4 – Installing the Correct Certbot DNS Plugin

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx python3-certbot-dns-cloudflare

Step 5 – Generating Let’s Encrypt SSL Wildcard Certificate

Replace example.com with your domain:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01

For example:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d hijackson.com,*.hijackson.com --preferred-challenges dns-01

After the certificate is issued, you can find it in /etc/letsencrypt/live/yourdomain/
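Before pointing a web server at the new files it is worth confirming that the certificate really lists both the apex name and the wildcard, and that it is not about to expire (Let's Encrypt certificates are valid for 90 days, so a short check catches a broken renewal early). The functions below are an added example and not part of the original post or of Certbot; the function names and the 14-day threshold are assumptions. make_sample_cert builds a constructed self-signed certificate so the script runs offline; on a real server you would pass /etc/letsencrypt/live/yourdomain/fullchain.pem instead.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a certificate file
# before using it. Requires the openssl command-line tool.

# Print the DNS names from the certificate's Subject Alternative Name
# extension, one per line (the wildcard appears literally as *.example.com).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 when the certificate lists the given name exactly.
cert_lists_name() {
    cert_dns_names "$1" | grep -qxF "$2"
}

# Return 0 when the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Combined check for the post's setup: apex name and wildcard present,
# and at least 14 days (assumed threshold) of validity left.
wildcard_cert_ok() {
    cert_lists_name "$1" "$2" \
        && cert_lists_name "$1" "*.$2" \
        && cert_valid_for_days "$1" 14
}

# Constructed sample input: a 30-day self-signed certificate for example.com
# and *.example.com, written into directory $1. Prints the certificate path.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com" 2>/dev/null
    printf '%s\n' "$1/cert.pem"
}
```

A usage line for the real certificate would be `wildcard_cert_ok /etc/letsencrypt/live/yourdomain/fullchain.pem yourdomain`. Note that cert_lists_name is a literal check on the SAN list: a certificate for *.example.com covers www.example.com in TLS terms but will not list it, and a wildcard only matches one label, so a.b.example.com is not covered by *.example.com.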


Step 6 – Using SSL Wildcard Certificate

If your website is running on this server, point the nginx SSL configuration at the new files:

ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;

If this is a temporary web server, copy the files under /etc/letsencrypt/archive/yourdomain to the other web server and reuse them there. (The paths under /etc/letsencrypt/live/ are symlinks into archive/, so copy the archive files themselves rather than the links.)

Refer to the README in /etc/letsencrypt/live/yourdomain/ for more details:

privkey.pem: the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem: used for OCSP stapling in Nginx >=1.3.7.
cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).
