Generating letsencrypt Wildcard SSL Certificate using certbot
LetsEncrypt.org has recently added support for wildcard certificates; however, the tooling has not yet shipped from the official certbot repo, hence this post.
Following are the steps I had to take to set up our nginx letsencrypt wildcard SSL certificate.
Configure your machine from the Linux command line:
# Pre-requisites
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
sudo dpkg-reconfigure locales

# Clone the GIT repo with the latest version
git clone https://github.com/certbot/certbot
cd certbot

# Please check the latest stable branch before running this as it's a very active project
git checkout v0.25.x

# Run certbot-auto
sudo ./certbot-auto --os-packages-only
./tools/venv.sh
source venv/bin/activate

# Generate certificate (the wildcard is quoted so the shell does not expand the asterisk)
sudo ./certbot-auto -d avantinsights.com -d '*.avantinsights.com' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly
After this step, you will be prompted to make DNS TXT record entries – twice.
The important thing to remember is not to be in a rush to make those entries and hit 'Press Enter to Continue'.
You want to check first whether the newly created DNS entries have propagated properly. You should also use a DNS checking tool to verify that the TXT record lookup returns the correct value.
If your DNS entry lookup works, you should see these messages:
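Here is a small check script (added as an example; it is not part of the original post or the certbot project) that does the propagation check from the command line instead of a web tool. It queries the zone's authoritative nameservers plus two public resolvers for `_acme-challenge.<domain>` and compares each answer with the token(s) certbot printed. It assumes `dig` is installed and that the domain is the zone apex; the domain and tokens are placeholders you pass in. Note that with `-d avantinsights.com -d '*.avantinsights.com'` certbot issues two dns-01 challenges on the same name, so the second TXT record must be added alongside the first, not in place of it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: check that the _acme-challenge TXT
# record(s) certbot asked for are visible before pressing "Enter to Continue".
# Assumes `dig` (dnsutils / bind-utils) is installed. Domain and tokens are
# placeholders supplied by the caller.
set -u

# Normalise dig's TXT rdata: join strings split as "aaa" "bbb" and strip the
# surrounding quotes, leaving one value per line.
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_value EXPECTED   (reads `dig +short TXT` output on stdin)
# Returns 0 if one of the answer lines equals EXPECTED exactly, 1 otherwise.
txt_has_value() {
  normalize_txt | grep -qxF -- "$1"
}

# Nameservers to ask: the zone's authoritative servers (what the CA's validator
# effectively consults) plus two public resolvers to spot caching lag.
# Assumes DOMAIN is the zone apex.
resolvers_for() {
  dig +short NS "$1"
  printf '%s\n' 1.1.1.1 8.8.8.8
}

# check_challenge DOMAIN TOKEN [TOKEN...]
# Every token certbot printed must be present in the answer of every server;
# the apex and wildcard challenges share the same _acme-challenge name.
check_challenge() {
  local domain="$1"; shift
  local name="_acme-challenge.$domain" ns token answer rc=0
  for ns in $(resolvers_for "$domain"); do
    answer=$(dig +short TXT "$name" "@$ns")
    for token in "$@"; do
      if printf '%s\n' "$answer" | txt_has_value "$token"; then
        echo "OK      $ns  $name = $token"
      else
        echo "MISSING $ns  $name lacks $token"
        rc=1
      fi
    done
  done
  return "$rc"
}

# Usage (re-run until every line reports OK, then press Enter in certbot):
#   check_challenge avantinsights.com 'TOKEN_FOR_APEX' 'TOKEN_FOR_WILDCARD'
```

Run it once per prompt; an exit status of 0 means every queried server already returns all of the expected values, which is the point at which pressing Enter is safe.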
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/avantinsights.com/fullchain.pem
Otherwise, you will see the following error:
Failed authorization procedure. avantinsights.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "j0ERN8fluwHJvtxZtrXdzrHVR50RKw4pw-mK1bhMq9Q" found at _acme-challenge.avantinsights.com
Once you have successfully generated the certificate (it's valid for 90 days), you can point your nginx domain(s) and subdomains to the certificate above.
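As an added example (not from the original post), this is a minimal nginx server block that serves both the apex and the wildcard names from the certificate generated above. The `fullchain.pem` path is the one certbot printed; `privkey.pem` in the same `live` directory is certbot's standard location for the matching private key. The `root` path and the HTTP-to-HTTPS redirect are assumptions for illustration.

```nginx
# Redirect plain HTTP for the apex and every subdomain to HTTPS (assumed layout)
server {
    listen 80;
    server_name avantinsights.com *.avantinsights.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name avantinsights.com *.avantinsights.com;

    # Paths written by certbot (see the "Congratulations" message above)
    ssl_certificate     /etc/letsencrypt/live/avantinsights.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/avantinsights.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    root /var/www/avantinsights;   # assumed document root
    index index.html;
}
```

Test the configuration with `sudo nginx -t` before reloading. Because the certificate was issued with `--manual` and no authentication hook, certbot cannot renew it unattended; repeat the issuance (or add DNS authentication hooks) before the 90 days run out.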
Here is a very useful tool to get the SSL configuration correct as per your web server