Generate Wildcard SSL certificate using Let’s Encrypt/Certbot
What is SSL ?
SSL (Secure Sockets Layer; its modern successor is TLS) is a protocol used to secure and encrypt sensitive information in transit. One of the most important components of online business is creating a trusted environment where potential customers feel confident making purchases. SSL encrypts sensitive information such as credit card numbers, usernames, passwords and other private data sent over the internet.
What is Wildcard SSL certificate?
A wildcard SSL certificate covers an unlimited number of subdomains of your domain in a single certificate. Its name has the form *.ourdomain.com, where * stands for any single subdomain label and ourdomain.com is your domain.
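To make the scope of a wildcard name concrete, here is an added shell example (not part of the original tutorial) that implements the rule a TLS client applies when it compares a hostname against a wildcard certificate name: the * stands for exactly one DNS label, so *.ourdomain.com covers www.ourdomain.com but neither the bare ourdomain.com nor a.b.ourdomain.com. The function name and the sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): which hostnames a wildcard
# certificate name such as '*.ourdomain.com' actually covers.
# Rule: the * stands for exactly one DNS label and must be the whole
# left-most label of the name.

# covered_by_wildcard HOSTNAME PATTERN
# Returns 0 if HOSTNAME is covered by the wildcard PATTERN, 1 if it is not,
# 2 if PATTERN is not a left-most wildcard of the form '*.domain'.
covered_by_wildcard() {
    # DNS names are case-insensitive, so compare in lower case.
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    pattern=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$pattern" in
        '*.'*) ;;                 # '*.something' is the only form handled here
        *) return 2 ;;
    esac
    base=${pattern#\*.}           # e.g. ourdomain.com
    case "$host" in
        *".$base") ;;             # host must end in ".ourdomain.com"; the apex
        *) return 1 ;;            # ourdomain.com itself therefore fails here
    esac
    label=${host%".$base"}        # the part the * has to stand for
    [ -n "$label" ] || return 1   # ".ourdomain.com" has an empty label
    case "$label" in
        *.*) return 1 ;;          # a.b.ourdomain.com: * cannot span two labels
    esac
    return 0
}

# Constructed sample hostnames checked against the tutorial's wildcard name.
for h in www.ourdomain.com mail.ourdomain.com ourdomain.com \
         a.b.ourdomain.com ourdomain.com.evil.example; do
    if covered_by_wildcard "$h" '*.ourdomain.com'; then
        echo "$h: covered by *.ourdomain.com"
    else
        echo "$h: NOT covered by *.ourdomain.com"
    fi
done
```

This is also why, when the bare domain must be served by the same certificate, it has to be requested explicitly alongside the wildcard (Certbot accepts the -d option more than once).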
In this tutorial we generate a wildcard SSL certificate for your domain using Certbot (Let's Encrypt). Here we are generating a certificate for the domain linuxproguru.com; in the commands below it appears as the placeholder ourdomain.com.
This tutorial is written for a non-root user; commands that require privileges are prefixed with sudo.
Step1: Install required dependencies
RHEL and CentOS
[letsencrypt@letsencrypt ~]# sudo yum update
[letsencrypt@letsencrypt ~]# sudo yum install git
Debian / Ubuntu
[letsencrypt@letsencrypt ~]# sudo apt-get update
[letsencrypt@letsencrypt ~]# sudo apt-get install git
Step2: Download and Install Letsencrypt/Certbot
Clone Certbot from the official Let's Encrypt GitHub repository (cd is a shell builtin, so it is run without sudo; only the clone into /opt needs privileges):
[letsencrypt@letsencrypt ~]# cd /opt
[letsencrypt@letsencrypt opt]# sudo git clone https://github.com/certbot/certbot.git
Step3: Generate the wildcard certificate with Certbot
The domain is passed in quotes so that the shell does not try to expand the * as a file glob:
[letsencrypt@letsencrypt opt]# cd certbot
[letsencrypt@letsencrypt certbot]# ./certbot-auto certonly \
    --manual \
    --preferred-challenges=dns \
    --email domains@ourdomain.com \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    -d '*.ourdomain.com'
Certbot then prints the following and asks whether your IP address may be logged. Check that the domain shown in the dns-01 challenge line is correct, then confirm with "Yes":
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ourdomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Yes
Step4: Authenticate the domain's ownership
After you answer "Yes", Certbot displays a DNS TXT record that you need to add to your domain's DNS zone:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ourdomain.com with the following value:

sDuuiPfw_PjgHTucq-Y-sWW5domhqi7AqBphPY8jOOI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Create a TXT record in your DNS provider's console with the record name (_acme-challenge under your domain) and the record value (the challenge string) shown above.
Once the record is deployed and visible in DNS, press Enter to continue. Certbot then asks Let's Encrypt to look up the TXT record and, if the value matches, the certificate is issued.
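Before pressing Enter it is worth confirming that the TXT record is actually visible from outside, because Let's Encrypt looks it up immediately and a record that has not propagated yet fails the challenge. The following shell script is an added example (not from the tutorial): it assumes the dig tool (bind-utils on RHEL/CentOS, dnsutils on Debian/Ubuntu) is installed, and it queries the public resolver 1.1.1.1, which is my choice rather than something the tutorial specifies. The record name and value are the ones Certbot printed above; the second value in the constructed sample output is made up, to show that a name can carry several TXT records at once.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): verify the
# _acme-challenge TXT record before telling Certbot to continue.
# Assumes 'dig' is installed; the resolver address is an arbitrary choice.

RESOLVER=1.1.1.1

# txt_value_present DIG_OUTPUT EXPECTED
# DIG_OUTPUT is what 'dig +short TXT <name>' printed: one double-quoted
# string per line, possibly several if the name has several TXT records
# (for example one challenge for *.ourdomain.com and one for ourdomain.com).
# Returns 0 if one of those strings equals EXPECTED exactly, 1 otherwise.
txt_value_present() {
    [ -n "$2" ] || return 1            # an empty expectation never "matches"
    printf '%s\n' "$1" \
        | sed 's/^"//; s/"$//' \
        | grep -Fqx -- "$2"
}

# check_acme_txt NAME EXPECTED
# Looks NAME up on the public resolver and reports whether EXPECTED is there.
# Returns 0 when it is, 1 when it is not (yet), 2 when dig itself failed.
check_acme_txt() {
    name=$1
    expected=$2
    answer=$(dig +short TXT "$name" "@$RESOLVER") || {
        echo "dig failed for $name" >&2
        return 2
    }
    if txt_value_present "$answer" "$expected"; then
        echo "OK: $name serves the expected challenge value"
        return 0
    fi
    echo "NOT YET: $name returned:" >&2
    printf '%s\n' "${answer:-(no TXT records)}" >&2
    return 1
}

# Constructed sample of dig output: the value Certbot printed above plus a
# made-up second challenge string as another TXT record on the same name.
SAMPLE_DIG_OUTPUT='"sDuuiPfw_PjgHTucq-Y-sWW5domhqi7AqBphPY8jOOI"
"constructed-second-challenge-value-000000000000"'

# Real use (hypothetical file name):
#   sh check_txt.sh _acme-challenge.ourdomain.com sDuuiPfw_PjgHTucq-Y-sWW5domhqi7AqBphPY8jOOI
if [ "$#" -eq 2 ]; then
    check_acme_txt "$1" "$2"
fi
```

If you queried the name before the record existed, a recursive resolver may keep serving the cached negative answer for the zone's negative TTL; pointing dig at one of the domain's own authoritative name servers instead avoids that delay.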
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ourdomain.com/privkey.pem
   Your cert will expire on 2020-10-12. To obtain a new or tweaked
   version of this certificate in the future, simply run letsencrypt-auto
   again. To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Congratulations! We have successfully generated a wildcard SSL certificate for *.ourdomain.com. Note that because this certificate was obtained with the manual DNS challenge, an unattended "renew" cannot create the new TXT record by itself unless you give Certbot a --manual-auth-hook script that does so; otherwise repeat this procedure before the expiry date shown above.
Summary
We have successfully completed "Generate Wildcard SSL certificate using Let's Encrypt/Certbot". If you have any questions or comments, please leave them in the comments section of linuxproguru.com.