Using certbot to generate letsencrypt wildcard SSL certificates

Generating letsencrypt Wildcard SSL Certificate using certbot

LetsEncrypt.org has recently added support for wildcard certificates; however, the tooling has not yet shipped from the official certbot repo, hence this post.

Following are the steps I had to take to set up our nginx letsencrypt wildcard SSL certificate.

Steps

Configure your machine from the Linux command line.

# Pre-requisites
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
sudo dpkg-reconfigure locales
# Clone the GIT repo with the latest version
git clone https://github.com/certbot/certbot
cd certbot

# Please check the latest stable branch before running this as it’s a very active project
git checkout v0.25.x
# Run certbot auto
sudo ./certbot-auto --os-packages-only
./tools/venv.sh
source venv/bin/activate
# Generate certificate
# Quote the wildcard name so the shell does not expand '*' against files in the current directory
sudo ./certbot-auto -d avantinsights.com -d '*.avantinsights.com' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

After this step, you will be prompted to make DNS TXT record entries – twice.

The important thing to remember is not to be in a rush: make those entries, but do not ‘Press Enter to Continue’ straight away.

You want to confirm first that the newly created DNS entries have propagated properly. Use a DNS checking tool to verify that a TXT record lookup for the challenge name returns the correct value.

If the DNS lookup works, you should see these messages:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/avantinsights.com/fullchain.pem

Otherwise, you will see the following error:

Failed authorization procedure. avantinsights.com (dns-01): 
urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "j0ERN8fluwHJvtxZtrXdzrHVR50RKw4pw-mK1bhMq9Q" found at _acme-challenge.avantinsights.com
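The propagation check described above, as an added helper script that is not part of the original post. It assumes `dig` is installed and that you pass the zone's authoritative nameserver; it polls `_acme-challenge.<domain>` until the token certbot printed appears, and it deliberately accepts extra TXT values, because the base-domain and wildcard challenges share the same record name and both tokens must coexist.

```shell
#!/bin/sh
# Hypothetical helper, not from the post: before pressing Enter in certbot's manual
# dns-01 flow, confirm the _acme-challenge TXT record really returns the token
# certbot printed. Assumes `dig` (bind9-dnsutils / bind-utils) is installed.

# dig +short TXT prints each record as "value", and a multi-string record as
# "part1" "part2". Emit one bare value per line so it can be compared exactly.
normalize_txt() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Exit 0 when the expected token is one of the TXT values read from stdin.
# Exact line match (-x) so a stale token that merely shares a prefix does not pass;
# extra values are fine, since the base-domain and wildcard challenges both live
# under the same _acme-challenge name and their records must coexist.
# "--" guards against tokens that start with '-' (base64url can produce those).
txt_contains() {
    normalize_txt | grep -qxF -- "$1"
}

# Query one nameserver (ideally one authoritative for the zone) for the record.
# Usage: query_challenge example.com ns1.example.net
query_challenge() {
    dig +short TXT "_acme-challenge.$1" "@$2"
}

# Poll until the token is visible or the attempts run out; returns 1 on timeout.
# Usage: wait_for_challenge example.com ns1.example.net TOKEN [attempts] [sleep_secs]
wait_for_challenge() {
    domain="$1"; server="$2"; token="$3"; attempts="${4:-12}"; delay="${5:-10}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if query_challenge "$domain" "$server" | txt_contains "$token"; then
            echo "OK: token present at _acme-challenge.$domain on $server"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TIMEOUT: token not seen at _acme-challenge.$domain on $server" >&2
    return 1
}
```

Run `wait_for_challenge avantinsights.com <your-ns> <token-from-certbot>` in a second terminal before pressing Enter; repeat with the second token at the second prompt, without deleting the first TXT record.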

Once you have successfully generated the certificate (it’s valid for 90 days), you can point your NGINX domain(s) and subdomains to the certificate above.

Here is a very useful tool for getting the SSL configuration right for your web server:

Mozilla SSL Configuration Generator


Generating RSA Keys using OpenSSL command line

Generate a 2048-bit private/public key pair:

openssl genrsa -des3 -out private.pem 2048

You will be prompted for a passphrase for the private key; make sure you remember the passphrase you use.

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

If you want an unencrypted private key, you can get it with the following command (optional):

openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM

Official OpenSSL docs reference