Install Let’s Encrypt Free SSL Wildcard Certificate on ubuntu 18

Lakin Mohapatra
Nov 29, 2018 · 3 min read

If you want a quick solution for adding SSL/TLS to your website, then you should definitely go ahead with the Internet Security Research Group’s (ISRG) Let’s Encrypt project.

There are many reasons to have SSL certificate on your website.

Let’s Encrypt has started supporting wildcard certificates using its new ACME2 protocol. So we can have one SSL certificate i.e *.example.com which can be used in all subdomains i.e test.example.com , test1.example.com etc.

Certbot is not available in the default ubuntu repository. Run the below command to add ppa repository.

sudo add-apt-repository ppa:certbot/certbot

This will add the repository from where certbot can be installed.

Update packages using below command.

sudo apt update

Run below command to install certbot

sudo apt install certbot

Make sure that you are using Certbot version 0.22 or above. Certbot before the version 0.22 does not support wildcard certificate.

Steps to generate wildcard certificate

$ sudo certbot certonly --manual -d *.example.com -d example.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Replace example.com with your own domain name.
We need to create certificate for both *.example.com and example.com. Because by default wildcard certificate will not be generated for domain name without www.

Once you run above command, you will get to see following kind of output.

Saving debug log to /var/log/letsencrypt/letsencrypt.logPlugins selected: Authenticator manual, Installer NoneObtaining a new certificatePerforming the following challenges:dns-01 challenge for example.com- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Please deploy a DNS TXT record under the name_acme-challenge.example.com with the following value:sdsdfj2812121m2n1nsmnsmnxzmxnzmxnzmxnzmxnzmxnzmxzxBefore continuing, verify the record is deployed.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue

In this step, you need to create a DNS TXT record under name _acme-challenge . In needs to be configured inside your Domain provider like GoDaddy etc.

You need to wait for some time as new DNS record takes time to be propagated over the internet. I waited for 10 minutes and pressed enter.

Then you will get following output.

Press Enter to ContinueWaiting for verification...Cleaning up challengesIMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at:/etc/letsencrypt/live/example.com/fullchain.pemYour key file has been saved at:/etc/letsencrypt/live/example.com/privkey.pemYour cert will expire on 2019-02-27. To obtain a new or tweakedversion of this certificate in the future, simply run certbotagain. To non-interactively renew *all* of your certificates, run"certbot renew"- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donateDonating to EFF:                    https://eff.org/donate-le

Congratulations!! Your wildcard certificate is generated. You can use this wildcard certificate with any sub-domain you create for your domain name.

Then you need to manually configure apache virtual host / ngnix location with correct SSL cert path.

<VirtualHost *:443>ServerName example.comServerAlias www.example.comServerAdmin info@example.comDocumentRoot /var/www/www.example.com/public_html<Directory /var/www/www.example.com/public_html>Options -Indexes +FollowSymLinksAllowOverride AllOrder allow,denyallow from all</Directory>ErrorLog ${APACHE_LOG_DIR}/example.com-error.logCustomLog ${APACHE_LOG_DIR}/example.com-access.log combinedSSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pemSSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pemInclude /etc/letsencrypt/options-ssl-apache.conf</VirtualHost></IfModule>

Now verify the syntax of your configuration edits:

sudo apache2ctl configtest

Once your configuration file’s syntax is correct, reload Apache to load the new configuration:

sudo systemctl reload apache2

Certbot can now find the correct VirtualHost block and update it.

Now you are all set !!

Thanks for reading my article.
Please let me know your feedback on below comment box.

Lakin Mohapatra

Written by

Senior Software Engineer | Hungry coder | Proud Indian | Cyber Security Researcher | Ethical Hacker | Blogger | Full Stack Developer

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade