Wildcard SSL for Free Using Letsencrypt on CENTOS Server

Our development team members each have their dev server and often need SSL for each of our in house or customer projects. Maintaining SSL certs for such an environment can be painful. But Letsencrypt wildcard is not only free but also super duper easy to set up!

Kabir (ko-bir)
May 17, 2020 · 4 min read

Wildcard SSL certs usually are relatively expensive if you go with commercial vendors like GoDaddy or such. But we have been using Letsencrypt for all our internal needs. So when a new dev comes onboard and needs a new server, we don’t have to get new SSL certs for all the projects on their newly minted cloud server. Here is how we get the wildcard certs using Letsencrypt set up in literally less than 5 minutes.

In this tutorial, we will assume we are setting up a new dev called Edward P., who will be running his projects on the *.ep.evoknow.io server.

Step 1: DNS Setup

Before we can use the wildcard SSL certificates that we will create in a later step, we need to set up some DNS records as follows:

Step 1-A: Set up an Address (A) record for the IP

First, we need an IP address that points to the new host. In this case, we need ep.evoknow.io to point to the server’s IP address. This is done by adding an Address (A) record in the DNS.


Once the A record is set up, we make sure it is visible to the world by testing with a public DNS server, such as the one provided by Google.

$ dig @8.8.8.8 ep.evoknow.io +short

The answer should be:

$ dig @8.8.8.8 ep.evoknow.io +short
45.79.65.101

Step 1-B: Set up a CNAME record for the wildcard host

Now we need to set up a wildcard CNAME such that *.ep.evoknow.io points to ep.evoknow.io.


Step 1-C: Test the DNS setup

Now we are ready to test the DNS setup. First we retest the ep.evoknow.io address (A) record, and then we check that our *.ep.evoknow.io CNAME record works by asking dig how arbitrary hostnames under *.ep.evoknow.io map back to the A record we set up before.

$ dig @8.8.8.8 ep.evoknow.io +short
45.79.65.101
$ dig @8.8.8.8 ep.evoknow.io +short
45.79.65.101
$ dig @8.8.8.8 helloworld.ep.evoknow.io +short
ep.evoknow.io.
45.79.65.101
$ dig @8.8.8.8 pinkyandthebrain.ep.evoknow.io +short
ep.evoknow.io.
45.79.65.101

As you can see, we can now use any hostname matching *.ep.evoknow.io and get the appropriate address back. We are all set for the Letsencrypt part of the setup!

Step 2: Letsencrypt Setup

We have already installed the certbot-2 package on our CENTOS server; the installation process is straightforward, so we won't repeat it here.

To set up the Letsencrypt-based wildcard SSL for *.ep.evoknow.io, we need to use the DNS challenge method with Certbot-2. This means we have to add a temporary TXT challenge token when we issue the following certbot-2 command:

certbot-2 certonly --manual --preferred-challenges=dns --email kabir@evoknow.com --agree-tos -d *.ep.evoknow.io

Certbot-2 tells us to create a TXT record for _acme-challenge.ep.evoknow.io with the value of OsREbrG73yV1FapYVJSOFbXJTd-wBZqyta1jGviOqPA.

We create this TXT record and make sure that a public DNS server such as 8.8.8.8 sees the record before we press ENTER to continue the setup.

$ dig @8.8.8.8 _acme-challenge.ep.evoknow.io TXT  +short
"OsREbrG73yV1FapYVJSOFbXJTd-wBZqyta1jGviOqPA"

Once we see the TXT record is live, we continue with Certbot-2 by pressing the ENTER key, and it creates the wildcard certificates!
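Before pressing ENTER it helps to script the checks that Steps 1-C and 2 do by hand, because certbot fails the challenge if the resolver it queries does not see the TXT record yet. The script below is an added example, not part of the original post; it reuses the post's names, IP and token as constructed sample input and assumes dig and a POSIX sh are available on the dev box.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the DNS
# records Steps 1 and 2 rely on, run against a public resolver before pressing
# ENTER in certbot. Names, IP and token below are the post's own values.
RESOLVER=${RESOLVER:-8.8.8.8}

# a_record_ok "<dig +short output>" "<ip>": the A record answers with exactly <ip>
a_record_ok() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# wildcard_ok "<dig +short output>" "<apex>" "<ip>": a random subdomain resolves
# via the CNAME to the apex and on to <ip> (dig prints both answers, one per line)
wildcard_ok() {
    printf '%s\n' "$1" | grep -qxF "$2." && printf '%s\n' "$1" | grep -qxF "$3"
}

# txt_has_token "<dig +short output>" "<token>": the _acme-challenge TXT record
# carries the token certbot printed (dig quotes TXT strings, so strip the quotes;
# a record left over from an earlier run with a different value does not match)
txt_has_token() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF "$2"
}

# poll_txt <name> <token> [tries] [delay]: wait until the token is visible or give up
poll_txt() {
    n=0; tries=${3:-30}; delay=${4:-10}
    while [ "$n" -lt "$tries" ]; do
        if txt_has_token "$(dig @"$RESOLVER" "$1" TXT +short)" "$2"; then return 0; fi
        n=$((n + 1)); sleep "$delay"
    done
    return 1
}

# Live run on the dev box: sh dns_preflight.sh --live <token printed by certbot>
if [ "${1:-}" = "--live" ]; then
    apex=ep.evoknow.io; ip=45.79.65.101; token=$2
    rnd=$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n')
    a_record_ok "$(dig @"$RESOLVER" "$apex" +short)" "$ip" || { echo "A record not visible"; exit 1; }
    wildcard_ok "$(dig @"$RESOLVER" "$rnd.$apex" +short)" "$apex" "$ip" || { echo "wildcard CNAME not visible"; exit 1; }
    poll_txt "_acme-challenge.$apex" "$token" || { echo "TXT token not visible yet"; exit 1; }
    echo "DNS looks good; press ENTER in certbot"
fi
```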

Step 3: Set up Nginx with the new certs

Setting up NGINX with SSL is relatively easy and well documented elsewhere, so we won't repeat it here. Here is the gist of our setup:

server {
    listen 443 ssl;
    ...
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ...
}

Once configured, we restart Nginx, and we are ready to go!

The very last step, once everything is set up, is to open the desired URLs in a browser and confirm that the sites are served over SSL. Clicking on the LOCK icon should


Step 4: Automatically renewing the certs

Letsencrypt certs last 90 days by default, so we must renew them every 90 days. To automate this, we create a cron job as renew_ssl.sh in /etc/cron.monthly as follows:

#!/bin/sh
/usr/bin/certbot renew
/usr/bin/systemctl restart nginx

This will try to renew the certs every month and restart Nginx once a month. On a dev server, restarting Nginx in the middle of the night when this monthly cron job runs is not a big deal. In a production environment, you might want to do this a bit differently.
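One caveat on the cron script above: certbot renew cannot complete a --manual DNS challenge non-interactively unless a --manual-auth-hook was supplied, so a cert issued as in Step 2 needs a human to rerun the challenge, and the script restarts Nginx even when nothing was renewed. The script below is an added example, not the post's own; it assumes certbot's default /etc/letsencrypt/live/ep.evoknow.io/ lineage path, uses --deploy-hook so Nginx is reloaded only after a real renewal, and raises a syslog alarm via openssl -checkend so someone notices before the 90 days run out.

```shell
#!/bin/sh
# Added example (not the post's script): a /etc/cron.daily entry. certbot renew is
# safe to run daily because it only renews certs within 30 days of expiry, and
# --deploy-hook runs only when a cert was actually renewed. A cert obtained with
# --manual and no --manual-auth-hook is not renewed by certbot renew, so the
# expiry alarm below is what tells you to rerun Step 2 by hand.
# Assumed path: certbot's default /etc/letsencrypt/live/<lineage>/cert.pem.
CERT=${CERT:-/etc/letsencrypt/live/ep.evoknow.io/cert.pem}
WARN_DAYS=${WARN_DAYS:-14}

# expires_within <cert.pem> <days>: returns 0 if the cert expires within <days>
# days (or cannot be read), 1 if it is still valid past that point
expires_within() {
    # openssl x509 -checkend N returns 0 when the cert is still valid N seconds from now
    if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Reload rather than restart: in-flight dev requests survive, and only after a renewal
renew_and_reload() {
    /usr/bin/certbot renew --quiet --deploy-hook "/usr/bin/systemctl reload nginx"
}

if [ "${1:-}" = "--cron" ]; then
    renew_and_reload
    if expires_within "$CERT" "$WARN_DAYS"; then
        logger -p daemon.warning -t renew_ssl "$CERT expires within $WARN_DAYS days; manual renewal needed"
    fi
fi
```

Install it as /etc/cron.daily/renew_ssl.sh with `--cron` in the invocation, or call it from a crontab line, and watch the syslog warning from a monitoring rule.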
