Getting a wildcard SSL certificate using Certbot and deploying it on Nginx
You can get a wildcard SSL certificate via DNS-01 challenge type using Certbot.
You must either install a DNS plugin so that Certbot can complete this challenge automatically, or complete it manually. In this post I describe both cases.
Before we begin, make sure you have the most recent version of Certbot installed. To install Certbot from the Ubuntu PPA:
echo "deb http://ppa.launchpad.net/certbot/certbot/ubuntu bionic main" | sudo tee -a /etc/apt/sources.list
sudo apt update && sudo apt install -y certbot
Phase One: Getting the certificate
1. Using Certbot DNS Plugins:
Install the DNS plugin for your DNS provider first. You can find a list of Certbot DNS plugins here. We're using the Cloudflare DNS plugin. To install it:
sudo apt install python3-certbot-dns-cloudflare
Create a file that tells the plugin how to access the Cloudflare API.
Note: before going any further, remember that this file must be kept safe, since anyone who can read it can use your Cloudflare credentials.
mkdir -p ~/.secrets && vim ~/.secrets/cloudflare.ini
If you’re using a Global API Key, fill the file in this format:
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234
Otherwise, if you’re using a Restricted API Token:
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
Now we’re ready to go (don’t forget to replace your domain name):
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d "*.<DOMAIN_NAME>"
This command creates a TXT record in your Cloudflare zone and, once the challenge has been validated, deletes it again.
2. Manually:
To get certificates manually, run this command (don’t forget to replace your domain name):
sudo certbot certonly --manual --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns-01 -d "*.<DOMAIN_NAME>"
After running this command, Certbot will print the details of a TXT DNS record that you must add in order to prove that you control the DNS for the given domain name.
Add that TXT record in your DNS dashboard and press enter.
Phase Two: Modifying the Nginx virtual host file to use the certificate
Once Phase One is done, Let's Encrypt has verified your ownership and Certbot has saved your certificate files in the /etc/letsencrypt/live/<DOMAIN_NAME> directory:
/etc/letsencrypt/live/<DOMAIN_NAME>/fullchain.pem # the full certificate trust chain
/etc/letsencrypt/live/<DOMAIN_NAME>/privkey.pem   # your certificate's private key
Here is an example virtual host configuration, for those who prefer editing the file themselves (or with sed):
server {
    server_name *.<DOMAIN_NAME>;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://<SOMEWHERE_ELSE>;
    }

    # TLS settings pointing at the files Certbot wrote in Phase One
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/<DOMAIN_NAME>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<DOMAIN_NAME>/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# Plain HTTP: redirect requests for our domain to HTTPS, reject everything else
server {
    if ($host ~ <DOMAIN_NAME>) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name *.<DOMAIN_NAME>;
    return 404;
}
Note: if you also want to use your <DOMAIN_NAME> without subdomains, you can add another -d option to get a certificate that covers it too:
sudo certbot certonly --manual --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns-01 -d "*.<DOMAIN_NAME>" -d "<DOMAIN_NAME>"
And in the Nginx config it is sufficient to remove the * from server_name (make it .<DOMAIN_NAME>). [Source]
Finally, reload Nginx configurations:
sudo nginx -t && sudo service nginx reload
Now your new certificate is ready to secure your connections!
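As an added example (not from the original post), here is a small POSIX shell script that checks the things this walkthrough leaves to the reader: that the Cloudflare credentials file from Phase One is readable only by its owner, that the issued certificate really lists both *.<DOMAIN_NAME> and <DOMAIN_NAME> in its Subject Alternative Names, and that it is not close to expiry. It assumes the paths used above (~/.secrets/cloudflare.ini and /etc/letsencrypt/live/<DOMAIN_NAME>/) and that openssl is installed; creds_private, san_covers, cert_covers, cert_valid_for_days and run_checks are my own names.

```shell
#!/bin/sh
# Post-issuance checks (added example). Assumes ~/.secrets/cloudflare.ini and Certbot's live dir.

# Return 0 when the credentials file exists and has no group/other permission
# bits (e.g. mode 600). The Cloudflare credentials in it can change DNS records
# for the whole zone, so nobody but the owner should be able to read it.
creds_private() {
  f=$1
  [ -f "$f" ] || return 1
  # POSIX find: print the file if any group/other bit is set.
  exposed=$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
  [ -z "$exposed" ]
}

# Return 0 when a subjectAltName line like "DNS:*.example.com, DNS:example.com"
# lists every hostname passed as the remaining arguments, 1 otherwise.
san_covers() {
  san=$1; shift
  for name in "$@"; do
    case ", $san," in
      *", DNS:$name,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Read the SAN list out of the issued certificate and check it covers $2...
cert_covers() {
  cert=$1; shift
  san=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:.*')
  san_covers "$san" "$@"
}

# Return 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Run every check for one zone, e.g. run_checks example.com
run_checks() {
  domain=$1
  cert=/etc/letsencrypt/live/$domain/fullchain.pem
  creds_private "$HOME/.secrets/cloudflare.ini" || echo "credentials file is readable by others"
  cert_covers "$cert" "*.$domain" "$domain"     || echo "certificate does not cover *.$domain and $domain"
  cert_valid_for_days "$cert" 30                || echo "certificate expires within 30 days; check renewal"
  sudo nginx -t
}

if [ $# -gt 0 ]; then run_checks "$1"; fi
```

Run it as `sh check-wildcard.sh <DOMAIN_NAME>` after Phase Two; each failed check prints a message, and the final `nginx -t` reports any configuration error.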