Let’s Encrypt has recently started supporting wildcard certificates using its new ACME2 protocol. This means that you can have a single wildcard certificate like *.asknetsec.com and use it on all the other sub-domains like blog.askenetsec.com, email.asknetsec.com.
This makes is very easy to manage certificates for different sub-domains. Until now each sub-domain needed its own certificate generated for the specific sub-domain.
Certbot is not available in the default ubuntu repository. Run the below command to add ppa repository.
sudo add-apt-repository ppa:certbot/certbot
This will add the repository from where certbot can be installed
sudo add-apt-repository ppa:certbot/certbot This is the PPA for packages prepared by Debian Let’s Encrypt Team and backported for Ubuntu(s). More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmp1hyvak__/secring.gpg’ created gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg’ created gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created gpg: key 75BCA694: public key “Launchpad PPA for certbot” imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) OK
sudo apt update
Run below command to install certbot
sudo apt install certbot
Make sure that you are using Certbot version 0.22 or above. Certbot before the version 0.22 does not support wildcard certificate.
Replace *.asknetsec.com with your domain name for example *.yourdomainname.com. Once you run this command it will generate a text DNS value.
The command output will be similar to the one below
debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to cancel): email@example.com Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
——————————————————————————- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let’s Encrypt project and the non-profit organization that develops Certbot? We’d like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ——————————————————————————- (Y)es/(N)o: N Starting new HTTPS connection (1): supporters.eff.org Obtaining a new certificate Performing the following challenges: dns-01 challenge for asknetsec.com
——————————————————————————- Please deploy a DNS TXT record under the name _acme-challenge.asknetsec.com with the following value:
Before continuing, verify the record is deployed.
——————————————————————————- Press Enter to Continue
Create a text DNS record for the sub-domain _acme-challenge.yourdomainname.com with the value generated by certbot when the above command is run. In my case the value was AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs.
You will have to wait for some time for the new DNS record to propagate over the internet. I waited for 10 minutes and pressed enter.
Press Enter to Continue Waiting for verification… Cleaning up challenges
IMPORTANT NOTES: – Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/asknetsec.com-0001/privkey.pem Your cert will expire on 2018-06-21. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run “certbot renew” – If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Congratulations!! The wildcard certificate is generated. You can use this wildcard certificate with any sub-domain you create for your domain name.