Obtain a Free Wildcard SSL Certificate using LetsEncrypt Certbot (Manual & Automatic DNS verification)

Vishal Sharma
4 min readOct 3, 2019


Information security is a prime concern whenever we use the Internet. HTTPS ensures that data sent between our computer and the site we are browsing is encrypted and authenticated in transit. The protocol that does this work today is TLS; "SSL" survives as the everyday name for it and for the certificates involved, and this guide uses the term in that sense. To serve HTTPS we have to configure a certificate and its private key on our web server, such as Apache2 or Nginx.

Let's Encrypt is a free, automated, open Certificate Authority (CA) run for the public benefit. The one constraint is that its certificates are valid for 90 days only, so renewal, preferably automated, is part of the setup rather than an afterthought.

We can obtain a certificate for a single name such as example.com, for a subdomain such as test.example.com, or for several names at once: test1.example.com and test2.example.com can be listed as Subject Alternative Names (SANs) on one certificate.

The harder case is a wildcard certificate for *.example.com. A wildcard covers every name exactly one label below the domain (www.example.com, test.example.com), but not the bare domain example.com itself and not deeper names such as a.b.example.com; if we want example.com covered as well, it has to be added as a second name on the same certificate. Let's Encrypt issues wildcards only through the DNS-01 challenge, which proves control of the zone by publishing a TXT record, so this section walks through that route. Without a wildcard requirement, the simpler HTTP-01 methods (webroot, standalone, or the Apache/Nginx plugins) are enough.

Certbot ships DNS plugins for many DNS providers (Route 53, Cloudflare, Google Cloud DNS and others; third-party plugins cover Azure DNS). We will use certbot-dns-route53, which completes the ACME DNS-01 challenge automatically by creating, and afterwards removing, the _acme-challenge TXT records through the Amazon Web Services Route 53 API.

Prerequisites:

Ubuntu 18.04 (used for this setup), python3, pip3, Certbot, and an AWS account whose Route 53 hosted zone serves the domain

Install LetsEncrypt Certbot on Ubuntu 18.04:

We need to install Certbot first, together with pip for the plugin that follows. To install Certbot, run the following commands:

sudo apt update

sudo apt install software-properties-common

sudo apt install python3-pip

sudo apt install letsencrypt

On Ubuntu 18.04 the letsencrypt package is a transitional package that pulls in certbot, so after these steps the machine has python3, pip3 and the certbot command.

Note: apt-get can be used instead of apt as well.

Install and configure AWS Plugin (dns_route53)

The dns-route53 plugin creates, and afterwards removes, the challenge TXT records through the Route 53 API. Before installing it we have to give Certbot an AWS access key ID and secret access key so that the plugin can make those calls. The plugin resolves credentials the same way the AWS CLI and boto3 do: from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or from the credentials file in the home directory of the user who runs certbot.

Note: create a dedicated IAM user with programmatic access (an access key, no console password) for Certbot, and grant it only what the challenge needs: route53:ListHostedZones and route53:GetChange on any resource, and route53:ChangeResourceRecordSets on the one hosted zone that holds the domain. Do not reuse a personal or administrator key; the secret sits in plain text on the web server for as long as renewal runs there.

Optional steps:

We can install the AWS CLI to configure and check the access key with the following commands:

sudo apt install awscli

aws --version

We can configure the access key ID and secret access key with the AWS CLI or by hand. Run aws configure as the user that will run certbot: under sudo it writes /root/.aws/credentials, which is what a root-run certbot (and root's cron) will read, while without sudo it writes to your own home directory. To configure using the AWS CLI:

sudo aws configure

AWS Access Key ID:

AWS Secret Access Key:

Default region name:

To configure by hand instead, create a .aws folder in the home directory of the user that will run certbot, and in it a file named credentials, readable only by that user (chmod 600 ~/.aws/credentials), with the following content; the values shown are placeholders:

[default]
aws_access_key_id=abcdefgh
aws_secret_access_key=abcdefgh

We can optionally confirm that the credentials work. aws sts get-caller-identity needs no IAM permissions at all and prints the account and user the key belongs to; aws route53 list-hosted-zones exercises one of the permissions the plugin itself needs:

aws sts get-caller-identity

aws route53 list-hosted-zones

Listing S3 buckets (aws s3 ls) is another common check, but it only works if the user also has S3 permissions, which a Certbot-only user should not be given; if the user has Route 53 permissions only, the two commands above are the right test.
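The page says the IAM user needs "appropriate" access without spelling it out, and the credential lookup is the step that most often fails silently once certbot runs under sudo or cron. The following is an added example, not code from the original post: a small POSIX shell script that prints the least-privilege IAM policy for certbot-dns-route53 scoped to one hosted zone, checks that credentials are visible to the user who will run certbot, and checks that the credentials file is not readable by other users. The hosted-zone ID, the script name and the file paths are placeholders.

```shell
#!/bin/sh
# Preflight for certbot-dns-route53 (added example; not from the original post).
# 1. Least-privilege IAM policy for the dedicated certbot user.
# 2. Checks that AWS credentials are where certbot will look, and are private.
set -eu

# Print the IAM policy to attach to the certbot user. Only ChangeResourceRecordSets
# can be scoped to a single hosted zone; ListHostedZones and GetChange do not take
# a resource ARN. The zone ID is a placeholder: take yours from
# `aws route53 list-hosted-zones`.
route53_policy() {
  zone_id=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$zone_id"
    }
  ]
}
EOF
}

# certbot-dns-route53 resolves credentials through boto3's default chain:
# AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY first, then the shared credentials file
# of the user running certbot (AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials).
# Under sudo or a root cron job that user is root, so `aws configure` run as an
# ordinary user leaves root with nothing. Returns 0 if the current user would
# find the selected profile.
credentials_visible() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    return 0
  fi
  file=${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}
  profile=${AWS_PROFILE:-default}
  [ -r "$file" ] && grep -q "^\[$profile\]" "$file"
}

# The secret access key is a long-lived credential: the file must be readable by
# its owner only. Returns 0 for mode 600 or 400, 1 otherwise or if it is missing.
credentials_private() {
  file=${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}
  [ -e "$file" ] || return 1
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file") || return 1
  case $mode in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check (needs network and the credentials above): shows which IAM identity
# certbot will act as, then that it can list hosted zones as the plugin must.
preflight() {
  credentials_visible || { echo "no AWS credentials visible to $(id -un)" >&2; return 1; }
  credentials_private || { echo "credentials file is readable by others" >&2; return 1; }
  aws sts get-caller-identity --output text
  aws route53 list-hosted-zones --output text
}

case "${1:-}" in
  policy)    route53_policy "${2:?hosted zone id}" ;;
  preflight) preflight ;;
esac
```

Save it as, say, certbot-preflight.sh, run `sh certbot-preflight.sh policy Z0123456789ABCDEFGHIJ` and paste the output into the IAM user's inline policy, then run `sudo sh certbot-preflight.sh preflight` with the same sudo (or not) that the certbot commands will use, so the credential lookup is tested as the right user.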

Now we install the dns-route53 plugin for Certbot. Certbot plugins must match the installed Certbot version, so check the version first and pin the plugin to the same one (replace the placeholder with the version printed):

sudo certbot --version

sudo pip3 install "certbot-dns-route53==<version printed above>"

Now we generate the initial certificate. Run it as the same user, and with the same --config-dir, --work-dir and --logs-dir, that renewal will use later: certbot keeps its renewal configuration under --config-dir, and the plugin picks up the AWS credentials of whoever runs it. Quote *.example.com so the shell does not expand it as a glob, and list the bare domain as a second -d, because the wildcard alone does not cover it.

certbot certonly --dns-route53 --logs-dir /directory/letsencrypt/log/ --config-dir /directory/letsencrypt/config/ --work-dir /directory/letsencrypt/work/ -m email@example.com --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d '*.example.com'

This writes cert.pem, privkey.pem, chain.pem and fullchain.pem under /directory/letsencrypt/config/live/example.com/. The same DNS-01 flow issues a plain single-name certificate as well: pass just one -d.
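Right after issuance it is worth checking what the certificate actually covers, because the wildcard rule from the introduction (one label only, apex excluded) is exactly what a browser enforces. The following is an added example, not code from the original post: a POSIX shell script that pulls the DNS names out of the issued fullchain.pem with openssl and matches a hostname against them the way RFC 6125 wildcard matching works. The PEM path and the hostnames are placeholders.

```shell
#!/bin/sh
# Check what an issued certificate covers (added example; not from the original post).
# A SAN of *.example.com matches exactly one label (www.example.com), never the
# apex example.com nor a.b.example.com, which is why the apex needs its own -d.
set -eu

# Match one SAN entry against a hostname the way a browser does (RFC 6125):
# a leading "*." stands for exactly one DNS label; anything else is an exact,
# case-insensitive comparison.
san_matches() {
  san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $san in
    \*.*)
      suffix=${san#\*.}            # "example.com"
      prefix=${host%".$suffix"}    # label(s) before ".example.com", or $host if absent
      # covered only if: the suffix was really there, the prefix is non-empty,
      # and the prefix contains no further dot (exactly one label)
      [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
      ;;
    *)
      [ "$san" = "$host" ]
      ;;
  esac
}

# List the DNS entries of the certificate's subjectAltName extension, one per line.
# openssl x509 -text prints them on the line after the extension header.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if any SAN in the certificate covers the hostname, 1 otherwise
# (including when the file cannot be read).
cert_covers() {
  pem=$1
  host=$2
  for san in $(cert_sans "$pem" 2>/dev/null); do
    if san_matches "$san" "$host"; then return 0; fi
  done
  return 1
}

# The summary a practitioner wants after issuance: subject, issuer, validity, names.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
  cert_sans "$1"
}

case "${1:-}" in
  covers)  cert_covers "${2:?pem}" "${3:?hostname}" && echo "covered" ;;
  summary) cert_summary "${2:?pem}" ;;
esac
```

With the paths from the command above: `sh cert-check.sh summary /directory/letsencrypt/config/live/example.com/fullchain.pem` lists the two SANs and the 90-day validity window, and `sh cert-check.sh covers /directory/letsencrypt/config/live/example.com/fullchain.pem a.b.example.com` exits non-zero, which is the quickest way to see that a wildcard does not reach two labels down.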

To renew the certificates:

Renewal is a single command, but it has to be given the same three directories as the issuance run: without them certbot renew looks under /etc/letsencrypt, finds no lineage and reports nothing to renew. It only replaces certificates that are within 30 days of expiry, so it is safe to schedule daily from cron. Run it as the same user as the initial request (with sudo if that run used it):

certbot renew --config-dir /directory/letsencrypt/config/ --work-dir /directory/letsencrypt/work/ --logs-dir /directory/letsencrypt/log/

To set up crontab:

sudo crontab -e

And add the following line to schedule the job. Cron's default PATH does not include /usr/local/bin, so use the full path that command -v certbot prints (shown here for the apt-installed binary):

0 2 * * * /usr/bin/certbot renew --config-dir /directory/letsencrypt/config/ --work-dir /directory/letsencrypt/work/ --logs-dir /directory/letsencrypt/log/ --quiet

This runs at 02:00 every day (a first field of * instead of 0 would run it every minute of that hour) and renews any certificate that expires within the next 30 days, Certbot's default threshold. --quiet suppresses everything except errors, so cron only mails when something went wrong.

Stopping the web server is only necessary for certificates obtained with the standalone authenticator, which binds port 80 itself to answer an HTTP-01 challenge. DNS-01 with dns-route53 needs no open port, so the web server keeps running during renewal. What it does need is a reload afterwards to pick up the new certificate: append --deploy-hook 'systemctl reload nginx' (or the apache2 equivalent) to the renew command and Certbot runs it only when a certificate was actually renewed.
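The cron entry, the three directory flags, the credential location and the reload hook are easier to keep consistent in one wrapper script than on one crontab line. The following is an added example, not code from the original post: a POSIX shell wrapper that runs certbot renew with the directories used at issuance, points the plugin at root's credentials file explicitly, and acts as its own --deploy-hook, refusing to reload the web server unless the renewed lineage has both key and chain. The script path, the certbot path and the base directory are assumptions to adjust.

```shell
#!/bin/sh
# Renewal wrapper for certificates issued with non-default certbot directories
# (added example; not from the original post). `certbot renew` only sees the
# lineages under --config-dir, so the same three directories used at issuance
# must be passed again here, and this script is what cron calls.
set -eu

BASE=/directory/letsencrypt          # same base as the certonly command above
CONFIG_DIR=$BASE/config
WORK_DIR=$BASE/work
LOGS_DIR=$BASE/log

# From root's cron HOME=/root and PATH is minimal: make the credentials file and
# the certbot binary explicit instead of relying on whoever ran `aws configure`
# or on /usr/local/bin being in PATH. Both paths are assumptions.
export AWS_SHARED_CREDENTIALS_FILE=${AWS_SHARED_CREDENTIALS_FILE:-/root/.aws/credentials}
CERTBOT=${CERTBOT:-/usr/bin/certbot}

# Deploy hook: certbot runs it once per renewed lineage, with RENEWED_LINEAGE set
# to the live/<name> directory and RENEWED_DOMAINS to the names on the certificate.
# It refuses to touch the web server unless both files are present, and reloads
# rather than restarts so no connection is dropped. Returns 0 on success.
deploy_hook() {
  lineage=${RENEWED_LINEAGE:?RENEWED_LINEAGE not set}
  for f in fullchain.pem privkey.pem; do
    [ -s "$lineage/$f" ] || { echo "deploy: missing $lineage/$f" >&2; return 1; }
  done
  echo "deploy: renewed ${RENEWED_DOMAINS:-?} in $lineage"
  # Only reload when nginx is actually managed and running on this host.
  if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet nginx; then
    nginx -t && systemctl reload nginx
  fi
}

# Run certbot renew with the issuance-time directories; extra arguments pass through.
# "$0 deploy" re-enters this script as the deploy hook.
renew() {
  "$CERTBOT" renew \
    --config-dir "$CONFIG_DIR" --work-dir "$WORK_DIR" --logs-dir "$LOGS_DIR" \
    --deploy-hook "$0 deploy" --quiet "$@"
}

case "${1:-}" in
  renew)   renew ;;
  dry-run) renew --dry-run ;;   # exercises the DNS challenge against the staging CA without writing a certificate
  deploy)  deploy_hook ;;
esac
```

Install it at a fixed path such as /usr/local/sbin/renew-certs.sh (assumed), make it executable, run `sudo /usr/local/sbin/renew-certs.sh dry-run` once by hand to prove the Route 53 credentials and directories line up, and then replace the crontab line with `0 2 * * * /usr/local/sbin/renew-certs.sh renew`. Because the hook only runs after an actual renewal, the web server is reloaded at most a few times per quarter rather than every night.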

Please use this guide to get a free wildcard SSL certificate for the web application and secure the environment. Please let me know if you find any discrepancies in using the guidelines.

Thank you.


Vishal Sharma

IT Enthusiast, Professional, Novice Sportsperson and Fantasist of Better World. @byVishalSharma on Twitter.