Install a wildcard SSL Certificate with certbot.

Let’s Encrypt is a free and easy way to obtain an SSL certificate for your servers.
The easiest way to obtain a certificate from Let’s Encrypt is certbot, a Python script that obtains, deploys and renews your certificates.
(On Debian/Ubuntu, just run apt-get install certbot to install it.)

I decided to add more services and virtual hosts to my server, which would mean requesting and installing a certificate for each of them.
To avoid this, I decided to use a wildcard certificate: one certificate covers *.filenotfound.net, where * can be www, ftp, mail, foo, etc.

To prove that you are requesting a certificate for a host you actually control, certbot uses a challenge mechanism based on HTTP or DNS. For a wildcard certificate only the DNS challenge is accepted, so you must have control of your DNS zone in order to create a TXT record containing a token generated by the script; once validation is done, you can remove the TXT record.

root@instance-1:~# certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d '*.filenotfound.net' -d filenotfound.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for filenotfound.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.filenotfound.net with the following value:

qKxKjbO9T_jknlhA21US0HVAmBJDXgE1ijvaqDwLygg

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Add the record to your DNS zone and check with, for example, dnsquery.org until the TXT record is visible.
Then press Enter.
If it works, you should see something like this:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/filenotfound.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/filenotfound.net/privkey.pem
   Your cert will expire on 2020-01-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
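The "check until the TXT record is deployed" step is the one most people get wrong: pressing Enter before the record is visible to Let's Encrypt's resolvers fails the challenge and burns one of your rate-limited attempts. The following POSIX shell script is an added example, not from the original post: it polls DNS for the _acme-challenge TXT record and returns only once the token certbot printed is visible. It assumes dig is installed and queries the 1.1.1.1 public resolver (both assumptions); the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables are the ones certbot really exports to a --manual-auth-hook, so the same script can be used there.

```shell
#!/bin/sh
# Added example (not from the original post): wait until the _acme-challenge
# TXT record carries the token certbot printed, so Enter is pressed (or the
# auth hook returns) only when the record is actually published.
# Assumptions: dig is installed; 1.1.1.1 is reachable as a resolver.

# Print the TXT values at NAME, one per line, with the quotes stripped.
# A public resolver is queried instead of the local stub resolver, whose
# negative cache could hide a record that has already been published.
lookup_txt() {
    dig +short TXT "$1" @1.1.1.1 | tr -d '"'
}

# Return 0 if some TXT value at NAME equals EXPECTED exactly (-x: whole
# line, -F: literal match, so a prefix of the token does not count).
# The lookup command comes from $LOOKUP (default: lookup_txt) so the check
# can be exercised without network access.
txt_contains() {
    "${LOOKUP:-lookup_txt}" "$1" | grep -qxF -- "$2"
}

# wait_for_txt NAME EXPECTED [TRIES] [DELAY_SECONDS]
# Return 0 as soon as the record is visible, 1 after TRIES failed attempts.
# Defaults (30 tries, 10 s apart) are an assumption; tune to your DNS TTLs.
wait_for_txt() {
    name=$1; expected=$2; tries=${3:-30}; delay=${4:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if txt_contains "$name" "$expected"; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# As a --manual-auth-hook: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
# Interactively: ./wait_txt.sh filenotfound.net qKxKjbO9T_jknlhA21US0HVAmBJDXgE1ijvaqDwLygg
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    wait_for_txt "_acme-challenge.${CERTBOT_DOMAIN}" "$CERTBOT_VALIDATION"
elif [ "$#" -eq 2 ]; then
    wait_for_txt "_acme-challenge.$1" "$2"
fi
```

Two caveats worth knowing. First, when you ask for both '*.filenotfound.net' and filenotfound.net in one command, certbot issues two dns-01 challenges under the same name, so two TXT values must coexist at _acme-challenge.filenotfound.net; the script checks for one token per call, so run it once per token. Second, the "certbot renew" advice in the output above does not apply to a certificate obtained with --manual and no hooks: renewal would stop to ask for a new TXT record again. Non-interactive renewal needs a --manual-auth-hook that actually creates the record through your DNS provider's API (or one of certbot's DNS plugins); the script above only covers the waiting part.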

With the certbot certificates command you can verify that the certificate has been obtained and see where it is stored.

root@instance-1:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: filenotfound.net
    Domains: *.filenotfound.net filenotfound.net
    Expiry Date: 2020-01-01 12:57:37+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/filenotfound.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/filenotfound.net/privkey.pem
  Certificate Name: www.filenotfound.net
    Domains: www.filenotfound.net
    Expiry Date: 2019-11-10 09:08:19+00:00 (VALID: 37 days)
    Certificate Path: /etc/letsencrypt/live/www.filenotfound.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.filenotfound.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

In my case, after replacing the certificate in the web server configuration, I also have to remove the old single-host one.

root@instance-1:~# certbot delete --cert-name www.filenotfound.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate www.filenotfound.net.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
