* The cover image is originally by OpenClipart-Vectors and edited with great appreciation.
Introduction
Let's Encrypt supports wildcard certificate via ACMEv2 using the DNS-01 challenge, which began on March 13, 2018.
Certbot, its client, provides --manual
option to carry it out.
I sincerely appreciate them.
I write how I generated my wildcard certificate with Certbot.
It was a very simple task : )
All what was necessary in addition is to add a TXT record specified by Certbot to the DNS server.
* Caution: As it is necessary to update Let's Encrypt's certificate every 90 days, a new TXT record is required at every renewal.
Body
Environment
Tutorial
The command is like this:
# certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.<your.domain>' -d <your.domain>
Make sure to quote *.<your.domain>
to avoid the error "no matches found: *.<your.domain>".
* Note: the order of -d *.<your.domain>
and -d <your.domain>
didn't seem to matter.
Here is the comparison of certonly
options with a single certificate:
- --webroot -w <dir-path>
+ --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok
Besides, the detail of its command line options is here.
Then, the command replies:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for <your.domain>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.<your.domain> with the following value:
<acme-challenge-value>
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Configure the DNS server to add a record to your domain.
The record is like this:
Where | What |
---|---|
Type | TXT |
Name | _acme-challenge |
Value | <acme-challenge-value> the command shows above |
* Note: You might wait here a little while for DNS propagation.
Then press Enter.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/<your.domain>/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/<your.domain>/privkey.pem
Your cert will expire on 2019-08-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Done : )
Conclusion
Thus I got my wildcard certificate and applied to my several servers.
It works fine today and my workload has decreased with almost the same security.
If you are in search for how to apply Let's Encrypt's certificate to OpenBSD httpd server, I wrote here:
Let's Encrypt: Certbot For OpenBSD's httpd
nabbisen ・ Dec 14 '18
Thank you for your reading.
Happy securing.