Problems activating your account? Send notification email to: admin@post4vps.com
Host4Fun Budget VPS Hosting
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Getting Let's Encrypt Wildcard Certificates
#1
Disclaimer: This tutorial has been written by me. It was firstly published on FreeVPS Directory and Discussion at this link. I'm solely reposting my work on different places to keep it alive after FreeVPS will shutdown.



Getting Let's Encrypt Wildcard Certificates
A guide to obtaining free wildcard *.yourdomain.ext certificates from Let's Encrypt on any Linux OS


Table

  1. Prologue
  2. Installing the latest Certbot-auto client
  3. Requesting your free wildcard certificate
  4. Finale

A brief, detailed and easy to follow guide made out of 4 chapters.



1. Prologue

Hello!

A dream has come true. Let's Encrypt is the first real CA* (certificate authority) to provide absolutely free of charge wildcard domain validated certificates for your domains. This March with a delay of two months the Let's Encrypt team has finally published their new ACMEv2 API with a lot of improvements and enabled requests for wildcard certificates. Now, this is all still fairly new. Issues are to be expected.

What is this guide about? Well, simple: this is about getting yourself a wildcard certificate for your domain on any Linux OS. Since this is all still new most OSs don't even meet the minimum requirements to make use of the new features that ACMEv2 offers. This means you won't get a wildcard certificate if you follow the official documentation on certbot.eff.org or use the Certbot client from your OSs repos**. What you need is the latest client (at least the version number 0.22 or above) to make use of ACMEv2 and request wildcard certificates. So this is what this guide will help you with.

If you are interested in grabbing one of those neat wildcard certificates for your domains just continue reading. I'll try to make the guide as easy as possible and brief. Therefore I will include links for certain steps to other sites that explain certain parts better. If you have any questions feel free to post them down below.

Make sure you have full DNS access to your domains as you will be required to create TXT DNS records for domain ownership validation for the certificates!


* CloudFlare basically provides free wildcard certificates but a) they get them from Comodo, b) CloudFlare is a MITM (this is a security NO GO) so you shouldn't use it when you need TLS encryption and c) CloudFlare certificates are shared among many other domains (including bad domains). So I don't count them as a real CA (they simply aren't even though their sponsor Comodo is a CA) that would provide free wildcard certificates.

** According to the information at the Certbot documentation site at EFF CentOS/RHEL 7 is so far the only OS that has got the new Certbot client already in its repos. Debian for example only has 0.22.0 in their unstable repo for the upcoming Debian 10! Ubuntu doesn't seem to have it at all even in the latest version.



2. Installing the latest Certbot-auto client

The Let's Encrypt team offers a script to install the latest available stable version of Cerbot-auto on pretty much any Linux OS. This script is what we're going to use to grab the latest version of the Certbot-auto client and install it on your server.

Certbot-auto is one of many Let's Encrypt clients. It has a huge advantage over some clients. As mentioned before it will install the latest version and all necessary other packages automatically. It also comes with all features but that said, some people might not really like the full feature client due to its size and the huge feature set of which the most will only use a small part.

  1. Login into your server as root as you will be needing administrative permissions.
  2. Update your OS to the latest state to prevent issues with dependencies and software versions.*
  3. Download the certbot-auto script to your server with the command below.
    wget https://dl.eff.org/certbot-auto
    (If you have trouble and get an error regarding the TLS certificate make sure you have installed the ca certificate bundle package.)**
  4. Set execution permission for the script so it can be executed with the command below.
    chmod a+x certbot-auto
  5. Run the certbot-auto script to install the latest version with the command below.
    ./certbot-auto

This step will take some time depending on the performance of your server and the speed of your servers network. The latest version will be installed and all necessary additional packages. At the end of the installation, the script might throw an error regarding not being able to install a Apache 2 related addon. This usually happens when you don't use the Apache 2 web server. You can simply ignore this error.

If you get any other error feel free to post it here. I or the community might be able to help. You are also very welcome to join the Let's Encrypt community and ask there. They have the developer team onboard and so you will get direct support from the creators.

Don't delete the cerbot-auto file! This is what you will need or better said this is the file you will have to run when you want to request certificates, modify certificates, renew them and etc. This is the main executable of certbot-auto because the certbot-auto client is a wrapped and self-updating script.


* Here is how you can update your OS to the latest state on the most common Linux OSs.
Quote:Debian/Ubuntu:
apt-get update && apt-get upgrade -y

RHEL/CentOS/Fedora:
yum update -y

Arch Linux:
pacman -Syu

The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.

For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the one I have used/had experience from before. I cannot cover everything.

** Here is how you can install the ca certificates bundle on the most common Linux OSs.
Quote:Ubuntu/Debian:
apt-get install ca-certificates

RHEL/CentOS/Fedora:
yum install ca-certificates

Arch Linux:
pacman -S ca-certificates ca-certificates-mozilla ca-certificates-utils

The Ubuntu/Debian command can be used on all Linux OSs that are based on either Debian or Ubuntu. The same applies to the RHEL/CentOS/Fedora command.

For other Linux OSs please use Google to find instructions. The above listed OSs are the most common and the one I have used/had experience from before. I cannot cover everything.



3. Requesting your free wildcard certificate

Once chapter 2 of this guide has been completed and the latest version of the certbot-auto client has been installed you can start with requesting your wildcard certificate from Let's Encrypt over the new ACMEv2 API with the new TXT DNS record domain ownership validation.

  1. Run the command below to request the wildcard certificate for your domain that covers all subdomains.
    ./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.yourdomain.ext -d yourdomain.ext
    (Replace *.yourdomain.ext/yourdomain.ext with your actual domain name.)

    It is necessary to include the main domain yourdomain.ext to cover it because the domain *.yourdomain.ext will only cover all subdomains of your main domain like subdomain1.yourdomain.ext, subdomain2.yourdomain.ext and so on. A bit weird but unfortunately *.yourdomain.ext doesn't cover the main domain. That's just how it is. So don't forget to include the main domain when requesting wildcard certificates anywhere.

    The wildcard domain *.yourdomain.ext in the certificate will not cover subdomains of subdomains like subdomain1.subdomain1.yourdomain.ext! To achieve this you will have to include additional domains to the command above like below.
    [...] -d *.subdomain1.yourdomain.ext
  2. The script will ask you to confirm and accept a few agreements and some information. So please do confirm and/or accept if asked to do so to continue.
  3. You will now be asked to create TXT DNS records for your domains like in the following example output.
    Quote:-------------------------------------------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.yourdomain.ext with the following value:

    5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX

    Before continuing, verify the record is deployed.
    -------------------------------------------------------------------------------
    Press Enter to Continue

    -------------------------------------------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.yourdomain.ext with the following value:

    5ACgSpWd7AQrvHvkRsl9A-XXXXXXXXXXXXXX

    Before continuing, verify the record is deployed.
    -------------------------------------------------------------------------------
    Press Enter to Continue

    Go to your domain DNS control panel and create both TXT DNS records with the name as shown in the output of certbot-auto and the value as shown there. Before hitting ENTER to continue, wait a little bit and give the DNS propagation a bit of time. You can use https://www.whatsmydns.net/ to check how well the TXT DNS records have updated all over the world already.
  4. When everything is in order hit the ENTER button on your keyboard and certbot-auto will start to verify the ownership of your domains by looking for the created TXT DNS records and compare them. If everything is good you will see the message below.
    Quote:IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/yourdomain.ext/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/yourdomain.ext/privkey.pem
    Your cert will expire on 2018-06-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew *all* of your certificates, run
    "certbot-auto renew"
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Congratulations! You have received your wildcard certificate from Let's Encrypt for your main domains and all subdomains of your main domains. If you also requested one for subdomains of subdomains it will also cover that. So far so good.

As mentioned in the final output the certificate files and the private key are stored in the following location:
/etc/letsencrypt/live/yourdomain.ext/

In general, you will need the three files from the list below when installing the requested certificate in your websites vHosts for your web server.
  1. fullchain.pem (CA cert - intermediate certs - your certificate)
  2. privkey.pem (private key file for your certificate)
  3. chain.pem (CA cert - intermediate certs)



4. Finale

So that's it. It looks like a lot, right? In fact, it's not that much. Just a few commands for the certbot-auto client installation and finally the request to get the certificate. And you have your wildcard certificate from Let's Encrypt free of charge if everything went well.

All you have to do now is to install the certificate in the vHosts of your websites on your web server. I will not cover this. There are good guides available at through Google for your web server. I personally use Nginx and generate the vHost files from zero by myself along with the Mozilla SSL Configuration Creator.

If you have already operated a web server you will probably already know how to install TLS certificates or know where to get the right guides for your web server. So I see no point it covering something that has a lot of documentation available already and that everyone might do differently. Apart from that I really only use Nginx so I wouldn't be able to cover Apache, IIS or another web server. Sorry about that.


Enjoy your free Let's Encrypt wildcard certificates.
Reply
#2
Great tutorial indeed. Thank you @Hidden Refuge for reposting in this forum. As FreeVPS is closing, it is a wise decision as a copyright owner to repost your own valuable works elsewhere to keep them alive.

And your tutorials would be very useful for many users in this forum I believe.
Special thanks to VPSVortex for a great KVM VPS.

Reply
#3
Awesome tutorial! Finally i can secure my vps with lets encrypt.
Thanks Hidden Refuge
Gimme +rep Heart
[Image: img.php?userid=496]
Thanks For Post4VPS and VPSlices for the amazing VPS 4
Reply
#4
Of course great tutorial, no doubt! Thanks @HR for reposting this tutorial it is very precious for us.
Best regards,
Support Team of Post4VPS.
Terminal
Thanks to VirMach for Sponsorship and Thanks Post4VPS for providing me a great VPS: 9
Reply
#5
Thanks alot, A great tutorial.Your all posts are precious for us.I like your posting style also.Great knowledge great information.
You should be a support specialist here. Tongue
Reply
#6
(06-13-2018, 03:36 AM)Rehan Wrote:  Thanks alot, A great tutorial.Your all posts are precious for us.I like your posting style also.Great knowledge great information.
You should be a support specialist here. Tongue

Totally agreed.  I wouldn't be surprised if this is already under discussion by the management.  I totally vote for it.  Maybe they could create a new special wildcard rank for him too.  One where he gets to choose the rank he wants to be any time of the day or week - such as he had at FreeVPS depending on how busy he was? Tongue 

Back to topic.  I found this an awesome tutorial too.  Definitely motivated to try out the Wildcard Certificates.  Thanks for posting it @Hidden Refuge
[Image: 4ax8Kok.png]
Thank you to the Owner & Staff of Post4VPS and VirMach for an awesome VPS 9 experience!




Reply
 


Possibly Related Threads...
Thread Author Replies Views Last Post
  acmetool (Alternative Let's Encrypt client) | DNS Auth using Cloudflare Conan 1 710 12-02-2016, 02:00 PM
Last Post: Neco

Forum Jump:


Users browsing this thread: 1 Guest(s)

Sponsors: VirMach - Host4Fun - CubeData - Evolution-Host - HostDare - SSDBlaze - VPSlices - Abc-Hosters - Hyper Expert


About Post4VPS

Post4VPS is a forum/destiny where you can Delploy Your Free VPSs just by the Power of Posts.

We Provide VPSs of many locations like Germany,US,Canada,France,London,etc.

We also Provide VPSs of Both Linux and Windows OS.