Using certbot to generate Let's Encrypt wildcard SSL certificates

Generating a Let's Encrypt wildcard SSL certificate using certbot

Let's Encrypt has recently added support for wildcard certificates through its ACME v2 endpoint; however, packaged certbot releases with that support have not really started to ship yet, hence this post.

Following are the steps I had to take to set up our nginx Let's Encrypt wildcard SSL certificate.

Steps

Configure your machine from the Linux command line.

# Pre-requisites
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
sudo dpkg-reconfigure locales
# Clone the git repo with the latest version
git clone https://github.com/certbot/certbot
cd certbot

# Check the latest stable tag before running this, as it's a very active project;
# v0.25.x below is a placeholder for the release tag you pick
git checkout v0.25.x
# Install the OS-level dependencies via certbot-auto
sudo ./certbot-auto --os-packages-only
# Development virtualenv for the checkout (certbot-auto uses its own virtualenv
# under /opt/eff.org, so this only matters if you want to run ./venv/bin/certbot directly)
./tools/venv.sh
source venv/bin/activate
# Generate one certificate covering both the apex and the wildcard.
# Quote the wildcard so the shell does not glob-expand '*.' against files in the cwd.
# --manual with dns-01 means you create the TXT records by hand when prompted;
# --server selects the ACME v2 endpoint, which is required for wildcards.
sudo ./certbot-auto certonly --manual --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d avantinsights.com -d '*.avantinsights.com'

After this step, certbot prompts you to create a DNS TXT record twice: once for the apex challenge and once for the wildcard challenge. Both records go under the same name, _acme-challenge.avantinsights.com, so add the second TXT record alongside the first rather than replacing it; both values must be resolvable at the same time.

The important thing to remember is not to rush those entries and hit 'Press Enter to Continue' straight away.

You want to confirm that the newly created records have actually propagated. Query the domain's authoritative nameservers directly, and use a DNS checking tool as well, to verify that the TXT lookup returns exactly the values certbot printed. Let's Encrypt validates from its own resolvers, so a record that is only visible from your own machine or a cached resolver is not enough.
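The check described above, as an added example that is not part of the original post: the script asks every authoritative nameserver for the _acme-challenge record and only reports success when all of them serve every token you pass. It assumes dig is installed; the domain and token values are whatever you supply on the command line, and the tokens in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check that the _acme-challenge TXT
# records certbot asked for are visible on every authoritative nameserver before
# you press Enter. Assumes dig (bind-utils / dnsutils) is installed; the domain
# and token values are whatever you pass on the command line.
set -euo pipefail

# dig +short TXT prints each record as a double-quoted string, one per line.
# Strip the quotes and blank lines so values can be compared exactly.
# (ACME tokens are 43 characters, so they never span multiple quoted chunks.)
txt_values() {
  sed -e 's/^"//' -e 's/"$//' -e '/^$/d'
}

# Read dig output on stdin; return 0 only if every expected token is present.
# Passing both tokens at once checks the "twice" case: the apex and wildcard
# challenges share one record name, so both TXT values must coexist.
txt_contains_all() {
  local values want
  values=$(txt_values)
  for want in "$@"; do
    grep -xF -- "$want" <<<"$values" >/dev/null || return 1
  done
}

# Ask each authoritative nameserver directly (bypassing caches) and report.
# Returns 0 only when all of them serve every expected token. Needs network.
check_acme_txt() {
  local domain=$1; shift
  local ns ok=0 total=0
  for ns in $(dig +short NS "$domain"); do
    total=$((total + 1))
    if dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_contains_all "$@"; then
      echo "ok    $ns"
      ok=$((ok + 1))
    else
      echo "MISS  $ns"
    fi
  done
  [ "$total" -gt 0 ] && [ "$ok" -eq "$total" ]
}

# Usage: ./check-txt.sh avantinsights.com <token-from-first-prompt> <token-from-second-prompt>
if [ "$#" -ge 2 ]; then
  if check_acme_txt "$@"; then
    echo "all nameservers agree; safe to press Enter"
  else
    echo "not fully propagated yet; wait and re-run" >&2
    exit 1
  fi
fi
```

Run it after the second prompt with both tokens; a MISS on any server means a validation attempt may land on that server and fail, so wait and re-run rather than pressing Enter.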

If your DNS lookups return the right values, you should see these messages:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/avantinsights.com/fullchain.pem

Otherwise, you will see an error like the following:

Failed authorization procedure. avantinsights.com (dns-01):
urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "j0ERN8fluwHJvtxZtrXdzrHVR50RKw4pw-mK1bhMq9Q" found at _acme-challenge.avantinsights.com

Once the certificate has been issued (it is valid for 90 days), you can point the nginx server blocks for your domain and its subdomains at fullchain.pem and privkey.pem under /etc/letsencrypt/live/avantinsights.com/. Because the challenge was solved by hand with --manual, certbot renew cannot repeat it on its own: either run the same command again before the 90 days are up, or switch to a DNS plugin or a --manual-auth-hook that updates the TXT record for you.
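Before editing nginx it is worth checking that the issued certificate really lists both names and how long it has left. The following shell functions are an added example, not part of the original post; they read whatever certificate path you give them (for instance certbot's default live path above) using openssl, which is assumed to be installed along with GNU date.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): inspect an issued certificate
# before pointing nginx at it. Assumes openssl and GNU date are installed; the
# certificate path is whatever you pass (e.g. certbot's default
# /etc/letsencrypt/live/<domain>/fullchain.pem, where the first PEM block is the leaf).
set -euo pipefail

# Print the DNS names from the subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 only if every name after the path is literally present in the SANs.
# A wildcard entry '*.example.com' matches one label only and does not cover
# example.com itself, which is why the apex was requested separately above.
cert_covers() {
  local cert=$1; shift
  local sans name
  sans=$(cert_sans "$cert")
  for name in "$@"; do
    grep -xF -- "$name" <<<"$sans" >/dev/null || return 1
  done
}

# Whole days until notAfter. Let's Encrypt certificates last 90 days; renew
# well before this reaches 0 (certbot's own default is at 30 days left).
cert_days_left() {
  local end end_epoch
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_epoch=$(date -u -d "$end" +%s)
  echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# Usage: ./check-cert.sh /etc/letsencrypt/live/avantinsights.com/fullchain.pem avantinsights.com '*.avantinsights.com'
if [ "$#" -ge 2 ]; then
  cert=$1; shift
  if cert_covers "$cert" "$@"; then
    echo "certificate covers: $*"
  else
    echo "certificate is missing at least one of: $*" >&2
    echo "names present:"; cert_sans "$cert"
    exit 1
  fi
  echo "days left: $(cert_days_left "$cert")"
fi
```

Dropping this into a cron job that alerts when the day count falls below 30 is a cheap safety net while renewal is still a manual step.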

Here is a very useful tool to get the SSL configuration right for your web server:

Mozilla SSL Configuration Generator