Getting Let's Encrypt Wildcard Certificates
#1
Disclaimer: This tutorial has been written by me. It was first published on FreeVPS Directory and Discussion at this link. I'm solely reposting my work in different places to keep it alive after FreeVPS shuts down.



Getting Let's Encrypt Wildcard Certificates
A guide to obtaining free wildcard *.yourdomain.ext certificates from Let's Encrypt on any Linux OS


Table

  1. Prologue
  2. Installing the latest Certbot-auto client
  3. Requesting your free wildcard certificate
  4. Finale

A brief, detailed and easy to follow guide made out of 4 chapters.



1. Prologue

Hello!

A dream has come true. Let's Encrypt is the first real CA* (certificate authority) to provide absolutely free of charge wildcard domain validated certificates for your domains. This March, with a delay of two months, the Let's Encrypt team finally published their new ACMEv2 API with a lot of improvements and enabled requests for wildcard certificates. Now, this is all still fairly new. Issues are to be expected.

What is this guide about? Well, simple: this is about getting yourself a wildcard certificate for your domain on any Linux OS. Since this is all still new, most OSs don't even meet the minimum requirements to make use of the new features that ACMEv2 offers. This means you won't get a wildcard certificate if you follow the official documentation on certbot.eff.org or use the Certbot client from your OS's repos**. What you need is the latest client (at least version 0.22) to make use of ACMEv2 and request wildcard certificates. So this is what this guide will help you with.

If you are interested in grabbing one of those neat wildcard certificates for your domains just continue reading. I'll try to make the guide as easy as possible and brief. Therefore I will include links for certain steps to other sites that explain certain parts better. If you have any questions feel free to post them down below.

Make sure you have full DNS access to your domains as you will be required to create TXT DNS records for domain ownership validation for the certificates!


* CloudFlare basically provides free wildcard certificates but a) they get them from Comodo, b) CloudFlare is a MITM (this is a security NO GO) so you shouldn't use it when you need TLS encryption and c) CloudFlare certificates are shared among many other domains (including bad domains). So I don't count them as a real CA (they simply aren't even though their sponsor Comodo is a CA) that would provide free wildcard certificates.

** According to the information at the Certbot documentation site at EFF CentOS/RHEL 7 is so far the only OS that has got the new Certbot client already in its repos. Debian for example only has 0.22.0 in their unstable repo for the upcoming Debian 10! Ubuntu doesn't seem to have it at all even in the latest version.



2. Installing the latest Certbot-auto client

The Let's Encrypt team offers a script to install the latest available stable version of Certbot-auto on pretty much any Linux OS. This script is what we're going to use to grab the latest version of the Certbot-auto client and install it on your server.

Certbot-auto is one of many Let's Encrypt clients. It has a huge advantage over some clients. As mentioned before it will install the latest version and all necessary other packages automatically. It also comes with all features but that said, some people might not really like the full feature client due to its size and the huge feature set of which the most will only use a small part.

  1. Log in to your server as root as you will be needing administrative permissions.

  2. Update your OS to the latest state to prevent issues with dependencies and software versions.*

  3. Download the certbot-auto script to your server with the command below.
    wget https://dl.eff.org/certbot-auto
    (If you have trouble and get an error regarding the TLS certificate make sure you have installed the ca certificate bundle package.)**

  4. Set execution permission for the script so it can be executed with the command below.
    chmod a+x certbot-auto

  5. Run the certbot-auto script to install the latest version with the command below.
    ./certbot-auto

This step will take some time depending on the performance of your server and the speed of your server's network. The latest version will be installed along with all necessary additional packages. At the end of the installation, the script might throw an error regarding not being able to install an Apache 2 related addon. This usually happens when you don't use the Apache 2 web server. You can simply ignore this error.

If you get any other error feel free to post it here. I or the community might be able to help. You are also very welcome to join the Let's Encrypt community and ask there. They have the developer team onboard and so you will get direct support from the creators.

Don't delete the certbot-auto file! This is what you will need, or better said, this is the file you will have to run when you want to request certificates, modify certificates, renew them, etc. This is the main executable of certbot-auto because the certbot-auto client is a wrapped and self-updating script.


* Here is how you can update your OS to the latest state on the most common Linux OSs.
Debian/Ubuntu:
apt-get update && apt-get upgrade -y

RHEL/CentOS/Fedora:
yum update -y

Arch Linux:
pacman -Syu

The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.

For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the ones I have used/had experience with before. I cannot cover everything.

** Here is how you can install the ca certificates bundle on the most common Linux OSs.
Ubuntu/Debian:
apt-get install ca-certificates

RHEL/CentOS/Fedora:
yum install ca-certificates

Arch Linux:
pacman -S ca-certificates ca-certificates-mozilla ca-certificates-utils

The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.

For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the ones I have used/had experience with before. I cannot cover everything.



3. Requesting your free wildcard certificate

Once chapter 2 of this guide has been completed and the latest version of the certbot-auto client has been installed you can start with requesting your wildcard certificate from Let's Encrypt over the new ACMEv2 API with the new TXT DNS record domain ownership validation.

  1. Run the command below to request the wildcard certificate for your domain that covers all subdomains.
    ./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.yourdomain.ext -d yourdomain.ext
    (Replace *.yourdomain.ext/yourdomain.ext with your actual domain name.)

    It is necessary to include the main domain yourdomain.ext to cover it because the domain *.yourdomain.ext will only cover all subdomains of your main domain like subdomain1.yourdomain.ext, subdomain2.yourdomain.ext and so on. A bit weird but unfortunately *.yourdomain.ext doesn't cover the main domain. That's just how it is. So don't forget to include the main domain when requesting wildcard certificates anywhere.

    The wildcard domain *.yourdomain.ext in the certificate will not cover subdomains of subdomains like subdomain1.subdomain1.yourdomain.ext! To achieve this you will have to include additional domains to the command above like below.
    [...] -d *.subdomain1.yourdomain.ext

  2. The script will ask you to confirm and accept a few agreements and some information. So please do confirm and/or accept if asked to do so to continue.

  3. You will now be asked to create TXT DNS records for your domains like in the following example output.
    -------------------------------------------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.yourdomain.ext with the following value:

    5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX

    Before continuing, verify the record is deployed.
    -------------------------------------------------------------------------------
    Press Enter to Continue

    -------------------------------------------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.yourdomain.ext with the following value:

    5ACgSpWd7AQrvHvkRsl9A-XXXXXXXXXXXXXX

    Before continuing, verify the record is deployed.
    -------------------------------------------------------------------------------
    Press Enter to Continue

    Go to your domain DNS control panel and create both TXT DNS records with the name as shown in the output of certbot-auto and the value as shown there. Before hitting ENTER to continue, wait a little bit and give the DNS propagation a bit of time. You can use https://www.whatsmydns.net/ to check how well the TXT DNS records have updated all over the world already.

  4. When everything is in order, hit the ENTER button on your keyboard and certbot-auto will start to verify the ownership of your domains by looking for the created TXT DNS records and comparing them. If everything is good you will see the message below.
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/yourdomain.ext/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/yourdomain.ext/privkey.pem
    Your cert will expire on 2018-06-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew *all* of your certificates, run
    "certbot-auto renew"
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Congratulations! You have received your wildcard certificate from Let's Encrypt for your main domains and all subdomains of your main domains. If you also requested one for subdomains of subdomains it will also cover that. So far so good.

As mentioned in the final output the certificate files and the private key are stored in the following location:
/etc/letsencrypt/live/yourdomain.ext/

In general, you will need the three files from the list below when installing the requested certificate in your websites' vHosts for your web server.
  1. fullchain.pem (CA cert - intermediate certs - your certificate)
  2. privkey.pem (private key file for your certificate)
  3. chain.pem (CA cert - intermediate certs)



4. Finale

So that's it. It looks like a lot, right? In fact, it's not that much. Just a few commands for the certbot-auto client installation and finally the request to get the certificate. And you have your wildcard certificate from Let's Encrypt free of charge if everything went well.

All you have to do now is to install the certificate in the vHosts of your websites on your web server. I will not cover this. There are good guides available through Google for your web server. I personally use Nginx and generate the vHost files from zero by myself along with the Mozilla SSL Configuration Generator.

If you have already operated a web server you will probably already know how to install TLS certificates or know where to get the right guides for your web server. So I see no point in covering something that has a lot of documentation available already and that everyone might do differently. Apart from that, I really only use Nginx so I wouldn't be able to cover Apache, IIS or another web server. Sorry about that.


Enjoy your free Let's Encrypt wildcard certificates.
[Image: zHHqO5Q.png]
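Step 1 of chapter 3 makes two points that are easy to get wrong: `*.yourdomain.ext` does not cover the bare `yourdomain.ext`, and it does not cover `sub1.sub1.yourdomain.ext`. The following script is an added example and is not part of the original post or of certbot; it implements the single-label wildcard matching rule that browsers and TLS libraries apply (RFC 6125) so you can check, before running certbot, which hostnames a given list of `-d` names would leave uncovered. The script name `coverage.sh` and all hostnames in the demo are assumptions/constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): check which hostnames a set of
# certificate names (the -d values handed to certbot) actually covers, using
# the single-label wildcard rule that browsers and TLS libraries apply
# (RFC 6125): '*.yourdomain.ext' matches exactly one label and nothing else.
# All domain names below are constructed for illustration.

# Names such as '*.yourdomain.ext' must not be expanded as file globs.
set -f

# Does one certificate name ($1, e.g. '*.yourdomain.ext') cover hostname $2?
name_covers() {
    san=$1
    host=$2
    case "$san" in
        \*.*)
            # Wildcard: the hostname must consist of exactly one non-empty
            # label followed by the part of the pattern after '*.'.
            suffix=${san#\*.}
            first=${host%%.*}
            rest=${host#*.}
            [ -n "$first" ] && [ "$host" != "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            # Plain name: exact match only.
            [ "$san" = "$host" ]
            ;;
    esac
}

# Does any name in the space-separated list $1 cover hostname $2?
covered() {
    for san in $1; do
        name_covers "$san" "$2" && return 0
    done
    return 1
}

# Print every hostname in the space-separated list $2 that the names in $1
# would NOT cover, i.e. the extra -d entries the certbot command still needs.
# Returns 0 when everything is covered, 1 otherwise.
missing_names() {
    status=0
    for h in $2; do
        if ! covered "$1" "$h"; then
            echo "$h"
            status=1
        fi
    done
    return $status
}

# Usage: sh coverage.sh 'NAME1 NAME2 ...' 'HOST1 HOST2 ...'
# Without arguments, run a demo with the tutorial's placeholder names.
if [ $# -eq 0 ]; then
    NAMES='*.yourdomain.ext yourdomain.ext'
    WANTED='yourdomain.ext www.yourdomain.ext mail.yourdomain.ext a.sub1.yourdomain.ext'
    echo "Names on the certificate: $NAMES"
    echo "Hostnames not covered (add them with -d, e.g. -d '*.sub1.yourdomain.ext'):"
    missing_names "$NAMES" "$WANTED" || true
else
    missing_names "$1" "$2"
fi
```

Run it with your planned `-d` list and the hostnames you actually serve; every line it prints is a name that would fail TLS hostname verification with the certificate as planned.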
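Step 3 of chapter 3 tells you to wait for DNS propagation before pressing Enter, and the example output shows something worth noticing: both challenge values are requested under the same record name `_acme-challenge.yourdomain.ext`, so two TXT records have to coexist under that name. The script below is an added example, not code from the original post or from certbot, that checks a list of public resolvers for all expected values before you continue. It assumes the `dig` tool is installed; the resolver addresses are my choice, the file name `check_txt.sh` is hypothetical, and the record name and values in the offline demo are the tutorial's placeholders, not real challenge tokens.

```shell
#!/bin/sh
# Added example (not from the original post): before pressing Enter at
# certbot's "verify the record is deployed" prompt, confirm that every
# expected _acme-challenge TXT value is visible from several public
# resolvers. The resolver list is my choice; the record name and values in
# the demo are the tutorial's placeholders and are constructed, not real.

# Public resolvers to ask (assumption: reachable from this host).
RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"

# $1 = wanted value, $2 = output of `dig +short NAME TXT` (one quoted string
# per record). Returns 0 if the value is present. dig prints the data quoted,
# and splits strings longer than 255 bytes into several quoted pieces on one
# line, so the pieces are joined and the quotes stripped before comparing.
has_txt_value() {
    printf '%s\n' "$2" | sed 's/" "//g; s/^"//; s/"$//' | grep -qxF -- "$1"
}

# $1 = space-separated list of wanted values, $2 = dig output. Returns 0 only
# if every value is present. For '-d *.yourdomain.ext -d yourdomain.ext'
# certbot asks for two values under the SAME name, so both records must exist
# side by side rather than one replacing the other.
has_all_txt_values() {
    for v in $1; do
        has_txt_value "$v" "$2" || return 1
    done
    return 0
}

# Ask resolver $2 for the TXT records of name $1 (needs network and dig).
query_txt() {
    dig +short @"$2" "$1" TXT
}

# $1 = record name, $2 = wanted values. Prints a verdict per resolver and
# returns 0 only when all of them already serve every value.
check_propagation() {
    result=0
    for r in $RESOLVERS; do
        out=$(query_txt "$1" "$r" 2>/dev/null) || out=""
        if has_all_txt_values "$2" "$out"; then
            echo "$r: all values present"
        else
            echo "$r: not (fully) propagated yet"
            result=1
        fi
    done
    return $result
}

# Usage: sh check_txt.sh _acme-challenge.yourdomain.ext VALUE1 [VALUE2 ...]
# Without arguments, run an offline demo on constructed dig output instead.
if [ $# -ge 2 ]; then
    name=$1
    shift
    check_propagation "$name" "$*"
else
    SAMPLE='"5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"
"5ACgSpWd7AQrvHvkRsl9A-XXXXXXXXXXXXXX"'
    if has_all_txt_values '5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX 5ACgSpWd7AQrvHvkRsl9A-XXXXXXXXXXXXXX' "$SAMPLE"; then
        echo "demo: both challenge values found in the constructed sample output"
    fi
fi
```

Pass the record name certbot printed and every value it asked for; only press Enter once all resolvers report the full set, since Let's Encrypt's validators may query from a different vantage point than your own resolver.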
#2
Great tutorial indeed. Thank you @Hidden Refuge for reposting in this forum. As FreeVPS is closing, it is a wise decision as a copyright owner to repost your own valuable works elsewhere to keep them alive.

And your tutorials would be very useful for many users in this forum I believe.


#3
Awesome tutorial! Finally I can secure my VPS with Let's Encrypt.
Thanks Hidden Refuge
#4
Of course great tutorial, no doubt! Thanks @HR for reposting this tutorial it is very precious for us.
Best Regards,
Global Moderator of Post4VPS 

#5
Thanks a lot, a great tutorial. All your posts are precious for us. I like your posting style also. Great knowledge, great information.
You should be a support specialist here.
#6
(06-13-2018, 03:36 AM)Rehan Wrote: Thanks a lot, a great tutorial. All your posts are precious for us. I like your posting style also. Great knowledge, great information.
You should be a support specialist here.

Totally agreed. I wouldn't be surprised if this is already under discussion by the management. I totally vote for it. Maybe they could create a new special wildcard rank for him too. One where he gets to choose the rank he wants to be any time of the day or week, such as he had at FreeVPS depending on how busy he was?

Back to topic.  I found this an awesome tutorial too.  Definitely motivated to try out the Wildcard Certificates.  Thanks for posting it @"Hidden Refuge"
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#7
I was searching this thread, because my VestaCP email will not work if I use different SSL setting with my panel.domain.com and domain.com.

And this works really great! I only need to select the working webserver (which is Nginx), the certbot will know the domain listed on VestaCP.

Just need to select the domain, multiple domain actually, separated by commas. And it works great!
Thanks to Limitless Hosting and Post4VPS for providing me excellent VPS 13!
#8
@tiwil, thanks for bumping the thread. Really found this tutorial to be helpful for my client's website. My reseller already provides that but I am soon planning to move from that to a server. This one would help me before I integrate it with my cPanel. Anyways, thanks again.
#9
I want to make a suggestion to make the security better. Instead of

./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.yourdomain.ext -d yourdomain.ext

use this, which agrees to the ToS, emails you when it's about to expire and expands the key size to 4096 for better protection:

./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --agree-tos --email [email protected] --rsa-key-size 4096 --preferred-challenges dns -d *.yourdomain.ext -d yourdomain.ext

Good luck
No one knows what the future holds, that's why its potential is infinite
#10
@"Hidden Refuge"

BACKGROUND TO QUESTION ABOUT LET'S ENCRYPT WILDCARD CERTIFICATE

I've been working many hours on a WHM/cPanel today.  The server has an absentee owner and looks as though it has been set to automatically renew.  The owner hasn't been in touch since 2016.  In 2015 January, after a double disk failure the month before, he provided me with all of the server info and asked me to take care of it.  It has had a very impressive up time since then - note the first reboot was at the time of the handover of the panel to me on 2 January 2015:

[Image: uJ2aIRG.png]

We've tried to get in touch with the owner repeatedly since then, unsuccessfully. We're still trying.  When he handed the Panel to me in 2015 I spent hours with setting it up as securely as possible.  I also put it on automatic updates, and you can't imagine how careful I am as it's not my panel.  I very rarely if ever go into root.  It's been like that now for three years - going into the fourth.

Long story short. I really thought the server would not renew during its renewal month this January since the Forum went under in May 2018. I thought the owner would logically give up on the server too, but maybe it's on indefinite renewal? The first sign that it may be renewed was that the host domain got renewed at the last moment on 3rd January. The host domain is also very important as it has two name servers. Unfortunately what happened then, real bad luck, was that Namecheap reset the DNS of the host domain to Namecheap's name servers, probably because the domain was renewed at the last minute, and since the owner is the only one with access to the Domain Registrar we were stuck. So the host domain was no longer pointing to the VPS. That meant that the services that were connected with the host domain, such as e-mail, went down. Fortunately there were four name servers. So two name servers were still working. I was still able to access WHM and cPanel, with no problem at all.

So today I took the initiative and used my own domain to replace the host domain.  I created two name servers at my Registrar Namecheap with the IPs of the previous host domain name servers.  All of that went well. DNS propagated almost immediately like magic. WHM with one of its many tips then recommended after the host domain change to do a graceful reboot - my very first ever - so I did that.  That was also quite a learning curve.  As the reboot went on for hours - or it looked that way in the WHM window, however apparently when one does the graceful reboot, then WHM disconnects the server - which makes sense when one thinks logically about it - it continues with "reboot in process" for ever but is in actual fact no longer connected.  Must say Google is very helpful as a nice person communicated all of that info and advised people to check this by checking the server up time with root SSH as well as last reboots.  By the time I did that the server had already been online again for over 3 hours.  


OK now for the reason of this post.  I managed to set up self-signed certificates for the new host domain services through WHM Server Configuration/Manage Services SSL certificates.  It still showed the old host domain and certificates when I first accessed that WHM tool.  Took me a while to figure out that with the reset tool link it will automatically show the new host domain, and create a self-signed certificate for the new domain. I was happy once that was set up.   Was quite impressed with the expiry date of 1 July 2020.  But of course those self-signed certificates are now showing ugly red browser warnings that don't look very attractive.  WHM also warns that the self-signed certificates should be temporary only. They expect you to get CA ones.  Which brings me to a new learning project.

QUESTIONS

1. So next learning project is how can I create a free certificate for the host domain?  Can I use your tutorial on Let's Encrypt Wildcard Certificates to generate SSL for the host domain? Or is the host domain treated differently? Is the Let's Encrypt Wild Card SSL the best solution use for installing the host domain services certificates?

2. One thing I'd be nervous to do is update the OS. I don't have access to a panel other than WHM and the VPS host will only talk to the absentee owner; if the OS breaks I guess it's end of story. What is the worst that can happen if I go for the yum update of CentOS? The VPS is currently running on CentOS 6.10.

3. Next command that puzzles me a little is that the host domain is host.domain.net.  So should I use domain.net when I generate the wildcard SSL as suggested by you, or host.domain.net?

4. Maybe you've already covered this and I missed it. But how long is the wild card certificate valid for?
Thank you to Post4VPS and VirMach for my awesome VPS 9!  