06-11-2018, 07:05 PM
Disclaimer: This tutorial has been written by me. It was firstly published on FreeVPS Directory and Discussion at this link. I'm solely reposting my work on different places to keep it alive after FreeVPS will shutdown.
Table
A brief, detailed and easy to follow guide made out of 4 chapters.
1. Prologue
2. Installing the latest Certbot-auto client
3. Requesting your free wildcard certificate
4. Finale
Getting Let's Encrypt Wildcard Certificates
A guide to obtaining free wildcard *.yourdomain.ext certificates from Let's Encrypt on any Linux OS
A guide to obtaining free wildcard *.yourdomain.ext certificates from Let's Encrypt on any Linux OS
Table
- Prologue
- Installing the latest Certbot-auto client
- Requesting your free wildcard certificate
- Finale
A brief, detailed and easy to follow guide made out of 4 chapters.
1. Prologue
Hello!
A dream has come true. Let's Encrypt is the first real CA* (certificate authority) to provide absolutely free of charge wildcard domain validated certificates for your domains. This March with a delay of two months the Let's Encrypt team has finally published their new ACMEv2 API with a lot of improvements and enabled requests for wildcard certificates. Now, this is all still fairly new. Issues are to be expected.
What is this guide about? Well, simple: this is about getting yourself a wildcard certificate for your domain on any Linux OS. Since this is all still new most OSs don't even meet the minimum requirements to make use of the new features that ACMEv2 offers. This means you won't get a wildcard certificate if you follow the official documentation on certbot.eff.org or use the Certbot client from your OSs repos**. What you need is the latest client (at least the version number 0.22 or above) to make use of ACMEv2 and request wildcard certificates. So this is what this guide will help you with.
If you are interested in grabbing one of those neat wildcard certificates for your domains just continue reading. I'll try to make the guide as easy as possible and brief. Therefore I will include links for certain steps to other sites that explain certain parts better. If you have any questions feel free to post them down below.
Make sure you have full DNS access to your domains as you will be required to create TXT DNS records for domain ownership validation for the certificates!
* CloudFlare basically provides free wildcard certificates but a) they get them from Comodo, b) CloudFlare is a MITM (this is a security NO GO) so you shouldn't use it when you need TLS encryption and c) CloudFlare certificates are shared among many other domains (including bad domains). So I don't count them as a real CA (they simply aren't even though their sponsor Comodo is a CA) that would provide free wildcard certificates.
** According to the information at the Certbot documentation site at EFF CentOS/RHEL 7 is so far the only OS that has got the new Certbot client already in its repos. Debian for example only has 0.22.0 in their unstable repo for the upcoming Debian 10! Ubuntu doesn't seem to have it at all even in the latest version.
A dream has come true. Let's Encrypt is the first real CA* (certificate authority) to provide absolutely free of charge wildcard domain validated certificates for your domains. This March with a delay of two months the Let's Encrypt team has finally published their new ACMEv2 API with a lot of improvements and enabled requests for wildcard certificates. Now, this is all still fairly new. Issues are to be expected.
What is this guide about? Well, simple: this is about getting yourself a wildcard certificate for your domain on any Linux OS. Since this is all still new most OSs don't even meet the minimum requirements to make use of the new features that ACMEv2 offers. This means you won't get a wildcard certificate if you follow the official documentation on certbot.eff.org or use the Certbot client from your OSs repos**. What you need is the latest client (at least the version number 0.22 or above) to make use of ACMEv2 and request wildcard certificates. So this is what this guide will help you with.
If you are interested in grabbing one of those neat wildcard certificates for your domains just continue reading. I'll try to make the guide as easy as possible and brief. Therefore I will include links for certain steps to other sites that explain certain parts better. If you have any questions feel free to post them down below.
Make sure you have full DNS access to your domains as you will be required to create TXT DNS records for domain ownership validation for the certificates!
* CloudFlare basically provides free wildcard certificates but a) they get them from Comodo, b) CloudFlare is a MITM (this is a security NO GO) so you shouldn't use it when you need TLS encryption and c) CloudFlare certificates are shared among many other domains (including bad domains). So I don't count them as a real CA (they simply aren't even though their sponsor Comodo is a CA) that would provide free wildcard certificates.
** According to the information at the Certbot documentation site at EFF CentOS/RHEL 7 is so far the only OS that has got the new Certbot client already in its repos. Debian for example only has 0.22.0 in their unstable repo for the upcoming Debian 10! Ubuntu doesn't seem to have it at all even in the latest version.
2. Installing the latest Certbot-auto client
The Let's Encrypt team offers a script to install the latest available stable version of Cerbot-auto on pretty much any Linux OS. This script is what we're going to use to grab the latest version of the Certbot-auto client and install it on your server.
Certbot-auto is one of many Let's Encrypt clients. It has a huge advantage over some clients. As mentioned before it will install the latest version and all necessary other packages automatically. It also comes with all features but that said, some people might not really like the full feature client due to its size and the huge feature set of which the most will only use a small part.
This step will take some time depending on the performance of your server and the speed of your servers network. The latest version will be installed and all necessary additional packages. At the end of the installation, the script might throw an error regarding not being able to install a Apache 2 related addon. This usually happens when you don't use the Apache 2 web server. You can simply ignore this error.
If you get any other error feel free to post it here. I or the community might be able to help. You are also very welcome to join the Let's Encrypt community and ask there. They have the developer team onboard and so you will get direct support from the creators.
Don't delete the cerbot-auto file! This is what you will need or better said this is the file you will have to run when you want to request certificates, modify certificates, renew them and etc. This is the main executable of certbot-auto because the certbot-auto client is a wrapped and self-updating script.
* Here is how you can update your OS to the latest state on the most common Linux OSs.
The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.
For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the one I have used/had experience from before. I cannot cover everything.
** Here is how you can install the ca certificates bundle on the most common Linux OSs.
The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.
For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the one I have used/had experience from before. I cannot cover everything.
Certbot-auto is one of many Let's Encrypt clients. It has a huge advantage over some clients. As mentioned before it will install the latest version and all necessary other packages automatically. It also comes with all features but that said, some people might not really like the full feature client due to its size and the huge feature set of which the most will only use a small part.
- Login into your server as root as you will be needing administrative permissions.
- Update your OS to the latest state to prevent issues with dependencies and software versions.*
- Download the certbot-auto script to your server with the command below.
(If you have trouble and get an error regarding the TLS certificate make sure you have installed the ca certificate bundle package.)**Code: (Select All)wget https://dl.eff.org/certbot-auto
- Set execution permission for the script so it can be executed with the command below.
Code: (Select All)chmod a+x certbot-auto
- Run the certbot-auto script to install the latest version with the command below.
Code: (Select All)./certbot-auto
This step will take some time depending on the performance of your server and the speed of your servers network. The latest version will be installed and all necessary additional packages. At the end of the installation, the script might throw an error regarding not being able to install a Apache 2 related addon. This usually happens when you don't use the Apache 2 web server. You can simply ignore this error.
If you get any other error feel free to post it here. I or the community might be able to help. You are also very welcome to join the Let's Encrypt community and ask there. They have the developer team onboard and so you will get direct support from the creators.
Don't delete the cerbot-auto file! This is what you will need or better said this is the file you will have to run when you want to request certificates, modify certificates, renew them and etc. This is the main executable of certbot-auto because the certbot-auto client is a wrapped and self-updating script.
* Here is how you can update your OS to the latest state on the most common Linux OSs.
Quote:Debian/Ubuntu:
apt-get update && apt-get upgrade -y
RHEL/CentOS/Fedora:
yum update -y
Arch Linux:
pacman -Syu
The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.
For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the one I have used/had experience from before. I cannot cover everything.
** Here is how you can install the ca certificates bundle on the most common Linux OSs.
Quote:Ubuntu/Debian:
apt-get install ca-certificates
RHEL/CentOS/Fedora:
yum install ca-certificates
Arch Linux:
pacman -S ca-certificates ca-certificates-mozilla ca-certificates-utils
The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.
For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the one I have used/had experience from before. I cannot cover everything.
3. Requesting your free wildcard certificate
Once chapter 2 of this guide has been completed and the latest version of the certbot-auto client has been installed you can start with requesting your wildcard certificate from Let's Encrypt over the new ACMEv2 API with the new TXT DNS record domain ownership validation.
Congratulations! You have received your wildcard certificate from Let's Encrypt for your main domains and all subdomains of your main domains. If you also requested one for subdomains of subdomains it will also cover that. So far so good.
As mentioned in the final output the certificate files and the private key are stored in the following location:
In general, you will need the three files from the list below when installing the requested certificate in your websites vHosts for your web server.
- Run the command below to request the wildcard certificate for your domain that covers all subdomains.
(Replace *.yourdomain.ext/yourdomain.ext with your actual domain name.)Code: (Select All)./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.yourdomain.ext -d yourdomain.ext
It is necessary to include the main domain yourdomain.ext to cover it because the domain *.yourdomain.ext will only cover all subdomains of your main domain like subdomain1.yourdomain.ext, subdomain2.yourdomain.ext and so on. A bit weird but unfortunately *.yourdomain.ext doesn't cover the main domain. That's just how it is. So don't forget to include the main domain when requesting wildcard certificates anywhere.
The wildcard domain *.yourdomain.ext in the certificate will not cover subdomains of subdomains like subdomain1.subdomain1.yourdomain.ext! To achieve this you will have to include additional domains to the command above like below.
Code: (Select All)[...] -d *.subdomain1.yourdomain.ext
- The script will ask you to confirm and accept a few agreements and some information. So please do confirm and/or accept if asked to do so to continue.
- You will now be asked to create TXT DNS records for your domains like in the following example output.
Quote:-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.ext with the following value:
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.ext with the following value:
5ACgSpWd7AQrvHvkRsl9A-XXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Go to your domain DNS control panel and create both TXT DNS records with the name as shown in the output of certbot-auto and the value as shown there. Before hitting ENTER to continue, wait a little bit and give the DNS propagation a bit of time. You can use https://www.whatsmydns.net/ to check how well the TXT DNS records have updated all over the world already.
- When everything is in order hit the ENTER button on your keyboard and certbot-auto will start to verify the ownership of your domains by looking for the created TXT DNS records and compare them. If everything is good you will see the message below.
Quote:IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.ext/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.ext/privkey.pem
Your cert will expire on 2018-06-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Congratulations! You have received your wildcard certificate from Let's Encrypt for your main domains and all subdomains of your main domains. If you also requested one for subdomains of subdomains it will also cover that. So far so good.
As mentioned in the final output the certificate files and the private key are stored in the following location:
Code: (Select All)
/etc/letsencrypt/live/yourdomain.ext/
In general, you will need the three files from the list below when installing the requested certificate in your websites vHosts for your web server.
- fullchain.pem (CA cert - intermediate certs - your certificate)
- privkey.pem (private key file for your certificate)
- chain.pem (CA cert - intermediate certs)
4. Finale
So that's it. It looks like a lot, right? In fact, it's not that much. Just a few commands for the certbot-auto client installation and finally the request to get the certificate. And you have your wildcard certificate from Let's Encrypt free of charge if everything went well.
All you have to do now is to install the certificate in the vHosts of your websites on your web server. I will not cover this. There are good guides available at through Google for your web server. I personally use Nginx and generate the vHost files from zero by myself along with the Mozilla SSL Configuration Creator.
If you have already operated a web server you will probably already know how to install TLS certificates or know where to get the right guides for your web server. So I see no point it covering something that has a lot of documentation available already and that everyone might do differently. Apart from that I really only use Nginx so I wouldn't be able to cover Apache, IIS or another web server. Sorry about that.
Enjoy your free Let's Encrypt wildcard certificates.
All you have to do now is to install the certificate in the vHosts of your websites on your web server. I will not cover this. There are good guides available at through Google for your web server. I personally use Nginx and generate the vHost files from zero by myself along with the Mozilla SSL Configuration Creator.
If you have already operated a web server you will probably already know how to install TLS certificates or know where to get the right guides for your web server. So I see no point it covering something that has a lot of documentation available already and that everyone might do differently. Apart from that I really only use Nginx so I wouldn't be able to cover Apache, IIS or another web server. Sorry about that.
Enjoy your free Let's Encrypt wildcard certificates.