Open in app

Sign in

Write

Sign in

Generating letsencrypt wildcard certificate with certbot

Vyacheslav Voronenko
2 min readMar 21, 2018

--

As you might know, letsencrypt ssl certificates officially reached production state, see https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 .

It is time to give it a try. I have two DNS providers in use: Godaddy and Cloudflare, thus I had to use to different methods to make things happen. At a moment of article writing, certbot was not supporting latest features, thus I had to install latest certbot from sources:

Wildcard certificates require dns validation. Thus, once you installed certbot, look for plugins that support your DNS provider.

In my case there was cloudflare plugin, thus for that domain I was able to achieve fully automatic generation/renewal

Steps to install cloud flare plugin from source follow. Also you might use pip3 manager to do the same.

Clould flare installation

To use the authenticator plugin with CloudFlare, you need to provide CloudFlare api key to the bot so it can edit the domain entries to add validation TXT entry to verify you control the domain. This of course means, that you should take care on configuration files with key.

You need to obtain the Global API key on a CloudFlare website from your user profile, than put those keys into a configuration file. Certbot uses a default directory/etc/letsencrypt. We need to create file /etc/letsencrypt/dnscloudflare.ini to store credentials from CloudFlare.

Ensure file is readable only by allowed persons, saying root.

Certbot Configuration Settings

Wildcard certificates are only available via the v2 API, which I haven’t found in certbot installed from packages, so I had to amend configuration to tell certbot server parameter. Certbot uses the /etc/letsencrypt/cli.ini

Generating certificate in automatic mode with ClouldFlare pluging

Case 2: not supported DNS provider

I have also another domain, used for open source activities. For that domain I had to add validation entry manually. Command is slightly different, note that most of — parameters might go to config files. If you have improvements, comments are welcomed.

During the command run you are asked to put TXT entry into DNS records, and wait for change to propagate

Summary

We’ve successfully used new letsencrypt API go generate wildcard certificate in fully automated mode as well as in manual mode.

Letsencrypt
Wildcard Certificates
Certbot

--

--

Vyacheslav Voronenko

Written by Vyacheslav Voronenko

66 Followers

Software engineer, with project management background. Founder @ softasap.com — cool automation for the people :) — have a problem that needs to be solved?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams