Certbot WildCard SSL Cert¶
It is fairly difficult to find an all-in-one how-to for getting a wildcard cert manually using Certbot.
Depending on the route you’d like to take, there’s plenty of ways to install Certbot for use. Even the installer script listed on their site is self-updating and, obviously, the most up-to-date way to use it.
I, currently, am using the
Stretch-Backports installation route rather than downloading the binary directly. Installation through the
apt system sets up a few behind-the-scenes steps for automating your renewal.
sudo apt-get install python3-certbot-nginx
If you are using a DNS provider that has a wonderful API, like Cloudflare (which I use), you can choose to install the plugin for that API as well!
sudo apt-get install python3-certbot-dns-cloudflare
This will install Certbot, along with the
nginx plugins through python, along with the manual DNS flag that we’re planning on using here.
Most everything online will give you stupidly long command lines with a TON of flags and what not. I’d much rather use a nice configuration file!
# This `cli.ini` is for manually getting a wildcard cert manual preferred-challenges = dns cert-name = jpcdi.com rsa-key-size = 4096 email = firstname.lastname@example.org logs-dir = /etc/letsencrypt/logs/ keep-until-expiring expand # Use the ACME v2 staging URI for testing things #server = https://acme-staging-v02.api.letsencrypt.org/directory # Production ACME v2 API endpoint server = https://acme-v02.api.letsencrypt.org/directory domains = *.jpcdi.com, jpcdi.com
So, to break all that down:
manual- means to run with the
--manualflag that you will see in a ton of commands online
preferred-challenges- This is the challenge you’re wanting certbot to use, which for this how to is
cert-name- This is specifically referencing the SSL Certs name for the Directories themselves. If you don’t pick a name here, you’ll end up with A TON of directories, with a ton of numbers and names. (Unless you want that, of course. This helps with automation)
rsa-key-size- is just what it says, how big you want your key to be.
2048being the default.
logs-dir- your logs directory
keep-until-expiring- Makes sure to not create a bunch of duplicate certs
expand- if a prior certificate already existed with one of your requested addresses, rather than overwriting that cert, it expands it with the new names you’ve requested to add.
server- This one is more specific to our DNS address requesting, as a way to make sure we are getting a wildcard certificate. They are only available through the V2 Acme Protocol, so you have to specify the address to use. I’ve included the testing address as well, if you want to run certbot a bunch of times and not let it count against your weekly alotment.
domains- This is where you include the domain addresses you want to use. Make sure you don’t JUST include the wildcard, but the root of the domain as well.
When you use the manual DNS system, it will give you an address and TXT record that you’ll need to add to your main DNS Server’s addressing. It’ll be a good idea to make sure you’re logged into their website, or have the configuration pulled up to where you can make the addition and have it propogate out.
Luckily, the system is good and patient, willing to wait for you to take a while to get that TXT record setup.