How to Generate And Renew Wildcard SSL Certificate With Letsencrypt

Generating Certificates

In this post we will generate a wildcard SSL certificate. This SSL certificate is for the appychip.com domain.

Make sure the locale is set:

export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
Install Certbot

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo ./certbot-auto
Obtaining Certificates Using Manual Mode

Manual mode means that you complete the DNS challenge yourself by creating a DNS TXT record, which proves that you control the domain. Run the following command to obtain the SSL certificate. Here we are generating it for nginx, so we pass "-i nginx"; if you want to use it with Apache, replace "nginx" with "apache".

./certbot-auto -i nginx --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d "*.appychip.com" -d appychip.com --no-bootstrap

The certbot client will walk you through the process of registering an account, and it will instruct you on what to do to complete the challenges. You should see something like:

Please deploy a DNS TXT record under the name
_acme-challenge.webengage.com with the following value:

nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8

Before continuing, verify the record is deployed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue

You can deploy this DNS TXT record from your DNS provider's control panel (Route53 in this case). Once you have created the TXT record, verify that it resolves using nslookup:

nslookup -type=TXT _acme-challenge.appychip.com

Server: 192.XXX.XXX.XXX
Address: 192.XXX.XXX.XXX#XX

Non-authoritative answer:
_acme-challenge.appychip.com text = "nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8"

Once nslookup confirms that the TXT record is deployed and resolvable, proceed to the next challenge. Certbot will ask you to deploy another DNS TXT record; repeat the same steps and move ahead.

If you have multiple sites enabled in your nginx server, you need to select the site manually. In my case, I want to update both site configuration files. You can also skip this step if you would rather edit the nginx config file carefully by hand instead of letting certbot modify it for you.

When the certificate is issued, you should see something like:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/appychip.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/appychip.com/privkey.pem
   Your cert will expire on 2018-12-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificates obtained can be seen with the following commands:

cd /etc/letsencrypt/live/appychip.com/
cat fullchain.pem
cat privkey.pem

Renewing The Certificates

Since we created the wildcard certificate using manual mode, we need to repeat the above steps every time we want to renew it.
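As an added example (not code from the original post), the helpers below cover the points where this manual flow is easy to get wrong: building the Route53 change for the _acme-challenge TXT record so that the wildcard and base-domain challenge values, which both live under the same name, are published together rather than one replacing the other; pulling the published values out of nslookup output to confirm the one certbot asked for is really there; and computing from openssl's enddate how long remains before the manual renewal is due. Route53 as the DNS provider is taken from the post; the challenge tokens and nslookup output are constructed placeholders.

```python
"""Added helpers for the manual DNS-01 wildcard flow above (not from the post).
Assumes Route53 as in the post; tokens and nslookup output are constructed."""
import re
from datetime import datetime, timezone


def route53_txt_change(name, values, ttl=60):
    """ChangeBatch for an UPSERT of the _acme-challenge TXT record set.
    The wildcard and bare-domain challenges share one name, and UPSERT
    replaces the whole record set, so when certbot asks for the second value
    the batch must carry BOTH values or the first disappears before
    Let's Encrypt validates it. Route53 wants each TXT string quoted."""
    if not values:
        raise ValueError("at least one TXT value is required")
    return {"Comment": "ACME DNS-01 challenge", "Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name.rstrip(".") + ".",
            "Type": "TXT",
            "TTL": ttl,
            "ResourceRecords": [{"Value": '"%s"' % v} for v in values],
        }}]}


def txt_values_from_nslookup(output):
    """Pull the TXT strings out of `nslookup -type=TXT <name>` output, so a
    script can confirm the value certbot asked for is really published."""
    return re.findall(r'text\s*=\s*"([^"]*)"', output)


def expiry_from_enddate(not_after):
    """Parse `openssl x509 -noout -enddate` output such as
    'notAfter=Dec  9 12:00:00 2018 GMT' into an aware UTC datetime."""
    stamp = not_after.split("=", 1)[1].strip()
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Manual-mode certificates are not picked up by 'certbot-auto renew', so
    run this from cron and redo the steps above well before it reaches 0."""
    now = now or datetime.now(timezone.utc)
    return (expiry_from_enddate(not_after) - now).days


# Constructed nslookup output: both challenge values published under one name.
SAMPLE_NSLOOKUP = """Non-authoritative answer:
_acme-challenge.appychip.com\ttext = "CONSTRUCTED_WILDCARD_TOKEN"
_acme-challenge.appychip.com\ttext = "CONSTRUCTED_BASE_DOMAIN_TOKEN"
"""
```

Feed the dict from route53_txt_change to boto3's change_resource_record_sets as its ChangeBatch, and only press Enter in certbot once txt_values_from_nslookup shows the value it asked for.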