How to Generate And Renew Wildcard SSL Certificate With Letsencrypt
Generating Certificates
In this post we will generate a wildcard SSL certificate. This SSL certificate is for domain.
Make sure the locale is set:
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
Install Certbot
chmod a+x ./certbot-auto
sudo ./certbot-auto
Obtaining Certificates Using Manual Mode
Manual mode means that you complete the DNS challenge yourself by creating a DNS TXT record, which proves that you control the domain. Run the following command to obtain the SSL certificate. Here we are generating the certificate for nginx, so we pass "-i nginx"; if you want to use it for Apache, replace "nginx" with "apache".
./certbot-auto -i nginx --server --manual --preferred-challenges dns -d * -d --no-bootstrap
The certbot client will walk you through the process of registering an account, and it will instruct you on what to do to complete the challenges. You should see something like:
Please deploy a DNS TXT record under the
name with the following value:
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
You can deploy this DNS TXT record using your domain control panel (Route53 in this case). Once you have completed the TXT record deployment, you need to verify that it is working using nslookup:
Server: 192.XXX.XXX.XXX
Address: 192.XXX.XXX.XXX#XX
Non-authoritative answer: text =
When you have verified with nslookup that the TXT record is properly deployed and publicly resolvable, proceed to the next challenge. Certbot will then ask you to deploy another DNS TXT record, so repeat the same steps and continue.
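The nslookup check above is easy to get wrong by hand (looking at the wrong name, comparing a stale cached answer, or missing the second value once two records share the same name). The following script is an added example, not part of the original post: it queries `_acme-challenge.<domain>` for TXT records and reports whether the value certbot printed is among them. It assumes nslookup is installed and, by default, uses 1.1.1.1 as an independent resolver so that a cached answer from the local resolver does not mask a record that is not yet published; the resolver, the domain and the token values are all assumptions you replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the _acme-challenge
# TXT record certbot asked for is visible from a public resolver before you
# press Enter. Assumptions: nslookup is installed; EXPECTED is the value copied
# from certbot's prompt; 1.1.1.1 is only a default resolver and can be replaced.

# Extract TXT values from nslookup output, one per line, with quotes stripped.
# nslookup prints lines of the form:
#   _acme-challenge.example.com   text = "value"
parse_txt_values() {
    sed -n 's/.*text = "\(.*\)"$/\1/p'
}

# Succeed (exit 0) only if EXPECTED is one of the TXT values read on stdin.
# -F: literal match, -x: whole line, so a prefix of the token does not pass.
txt_contains() {
    expected="$1"
    parse_txt_values | grep -Fxq -- "$expected"
}

# Query the challenge name for DOMAIN and compare against EXPECTED.
# Usage: check_acme_txt example.com 'value-from-certbot-prompt' [resolver]
check_acme_txt() {
    domain="$1"
    expected="$2"
    resolver="${3:-1.1.1.1}"
    name="_acme-challenge.${domain}"
    if nslookup -type=TXT "$name" "$resolver" 2>/dev/null | txt_contains "$expected"; then
        echo "OK: ${name} carries the expected TXT value"
        return 0
    fi
    echo "MISSING: ${name} does not (yet) return the expected value; wait and retry" >&2
    return 1
}

# Constructed sample of nslookup output (not captured from a real domain),
# showing the two values that exist once both the wildcard and the bare domain
# have been challenged at the same name.
SAMPLE_OUTPUT='Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
_acme-challenge.example.com     text = "abc123-token-from-certbot"
_acme-challenge.example.com     text = "second-token-for-wildcard"'

# When run as a script with arguments, perform the live check:
#   ./check_acme_txt.sh example.com 'value-from-certbot-prompt'
if [ $# -ge 2 ]; then
    check_acme_txt "$@"
fi
```

Run it in a loop (for example `until ./check_acme_txt.sh example.com "$TOKEN"; do sleep 15; done`) while the record propagates, and only return to the certbot prompt once it reports OK; if the check keeps failing, the record is at the wrong name or the value was pasted with extra quotes or whitespace.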
If you have multiple sites enabled in your nginx server, certbot asks you to select the site to configure. In my case, I want to update both site configuration files. You can also skip this step if you prefer to modify the nginx config file carefully by hand instead of letting certbot modify it for you.
When the certificate is issued, you should see something like:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/
   Your key file has been saved at:
   /etc/letsencrypt/live/
   Your cert will expire on 2018-12-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:
   Donating to EFF:
The obtained certificate chain and private key can be viewed with the following commands:
cd /etc/letsencrypt/live/
cat fullchain.pem
cat privkey.pem
Renewing The Certificates
Since we created the wildcard certificate using manual mode, we need to repeat the above steps every time we want to renew the wildcard certificate.
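The manual repetition goes away if certbot is given a script that publishes the TXT record for it. The script below is an added example that goes beyond the post: it is a certbot `--manual-auth-hook` (a real certbot option; certbot exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook) that publishes the challenge record in Route53, the DNS provider named above, using the AWS CLI. It assumes the AWS CLI is installed with credentials allowed to change the zone, that `HOSTED_ZONE_ID` is set to the zone of the domain, and that `example.com` and the token values are placeholders for your own. Because the wildcard and the bare domain are both challenged at `_acme-challenge.<domain>`, and a Route53 UPSERT replaces the whole record set, the hook merges the new value with any values already published rather than overwriting them, which is the failure mode that otherwise breaks the second challenge.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --manual-auth-hook that
# publishes the _acme-challenge TXT record in Route53, so "certbot-auto renew"
# can complete the DNS challenge without a human typing the record in.
# Assumptions: AWS CLI installed and authorised for the zone; HOSTED_ZONE_ID set;
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook.
#
# Attach the hook when (re)requesting the certificate, keeping the same
# --server value used earlier in the post, then renewals reuse it automatically:
#   ./certbot-auto -i nginx --manual --preferred-challenges dns \
#       --manual-auth-hook /etc/letsencrypt/route53-auth-hook.sh \
#       -d '*.example.com' -d example.com
set -eu

# Build the Route53 change batch that UPSERTs TXT record NAME with every value
# read from stdin (one per line). UPSERT replaces the whole record set, so the
# caller must feed the existing values as well as the new one.
# Usage: printf 'old\nnew\n' | build_change_batch _acme-challenge.example.com
build_change_batch() {
    name="$1"
    records=""
    while IFS= read -r v; do
        [ -n "$v" ] || continue
        [ -z "$records" ] || records="${records},"
        # TXT values are quoted strings inside the JSON string.
        records="${records}{\"Value\":\"\\\"${v}\\\"\"}"
    done
    printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[%s]}}]}' "$name" "$records"
}

# List the TXT values currently published at NAME, one per line, unquoted.
# Route53 stores names with a trailing dot, hence "${1}." in the JMESPath filter.
current_txt_values() {
    aws route53 list-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
        --query "ResourceRecordSets[?Type=='TXT' && Name=='${1}.'].ResourceRecords[].Value" \
        --output text | tr '\t' '\n' | sed 's/^"//; s/"$//' | grep -v '^None$' || true
}

# Merge the new validation token with the existing values, publish, and wait
# until Route53 reports the change INSYNC so the ACME server does not query
# before the record exists. For both *.example.com and example.com, certbot
# sets CERTBOT_DOMAIN=example.com, so both tokens land at the same name.
publish_challenge() {
    name="_acme-challenge.${CERTBOT_DOMAIN}"
    batch="$( { current_txt_values "$name"; printf '%s\n' "$CERTBOT_VALIDATION"; } | build_change_batch "$name")"
    change_id="$(aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
        --change-batch "$batch" --query 'ChangeInfo.Id' --output text)"
    aws route53 wait resource-record-sets-changed --id "$change_id"
}

# Only act when certbot is driving the script (it exports CERTBOT_VALIDATION);
# sourcing the file elsewhere just defines the functions.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    publish_challenge
fi
```

Pair it with a `--manual-cleanup-hook` that deletes the record once validation is done, and keep the hook's AWS credentials scoped to `route53:ChangeResourceRecordSets` and `route53:ListResourceRecordSets` on that one hosted zone, since the script runs unattended from the renewal cron job.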