Generate Free Wildcard SSL certificate using Let's Encrypt/Certbot
1. Generate the wildcard SSL certificate
/opt/certbot/certbot-auto certonly --manual --preferred-challenges=dns --email my@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.mydomain.com -d mydomain.com
Note: Replace my@email.com, *.mydomain.com and mydomain.com with your own email address and domain names.
2. Verify domain's ownership
Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, which we select with the --preferred-challenges=dns flag.
After executing the command in step 1, Certbot prints a TXT record that you must add to your domain's DNS zone:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.vhinandrich.com with the following value:
vE7k91-8K9XPyMcNYFXP19Ijv7T4o0GAkJnRlwW7af0
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Host: _acme-challenge
Value: vE7k91-8K9XPyMcNYFXP19Ijv7T4o0GAkJnRlwW7af0
Create a TXT record with this host and value in your DNS provider's console, then verify it is deployed before continuing.
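Certbot asks you to verify the record is deployed before continuing. The script below, added here and not part of the original post, polls DNS for the _acme-challenge TXT record and reports success only once the value Certbot printed is visible; it also copes with more than one TXT record at the name, which happens because the wildcard and the apex share _acme-challenge.mydomain.com. It assumes dig is installed; the RESOLVER variable, its 1.1.1.1 default and the function names are my own.

```shell
# Added example, not from the original post: poll DNS until the
# _acme-challenge TXT record printed by Certbot is visible, so you only
# continue the --manual prompt once the record is really deployed.
# Assumes `dig` is installed. RESOLVER defaults to a public resolver;
# point it at an authoritative nameserver of your zone for the most
# reliable answer, since Let's Encrypt queries those directly.
RESOLVER="${RESOLVER:-1.1.1.1}"

# txt_record_matches RAW EXPECTED: RAW is `dig +short TXT <name>` output,
# one double-quoted string per line. Several lines occur when more than
# one TXT record exists at the name (the wildcard and the apex share
# _acme-challenge.<domain>, so Certbot asks for two records there).
# Returns 0 if any record equals EXPECTED once the quotes are stripped.
txt_record_matches() {
    expected=$2 status=1 oldifs=$IFS
    IFS='
'
    set -f                               # no globbing of record data
    for line in $1; do
        line=${line#\"}; line=${line%\"}
        [ "$line" = "$expected" ] && status=0
    done
    set +f; IFS=$oldifs
    return $status
}

# wait_for_txt DOMAIN VALUE: re-query every 15 s, give up after 10 min
wait_for_txt() {
    name="_acme-challenge.$1" tries=0
    while [ "$tries" -lt 40 ]; do
        if txt_record_matches "$(dig +short TXT "$name" "@$RESOLVER")" "$2"; then
            echo "OK: $name carries the expected TXT value at $RESOLVER"
            return 0
        fi
        tries=$((tries + 1)); sleep 15
    done
    echo "TIMEOUT: $name does not carry the expected value yet" >&2
    return 1
}

# Usage: sh check_txt.sh mydomain.com <value printed by Certbot>
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Run it in a second terminal while the Certbot prompt waits, and press Enter in Certbot only after it prints OK.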
3. Get your Certificate
After adding the DNS challenge record, you can proceed with the certificate generation. Certbot will return the paths of the SSL certificate, chain and private key.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.com/privkey.pem
Your cert will expire on 2020-09-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4. Verify the Certificate
To check the validity of all your certificates, run this on the command line:
/opt/certbot/certbot-auto certificates
Return:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: mydomain.com
Serial Number: 3e53264dd24388560fb3dd95e2aa5970bbd
Domains: *.mydomain.com mydomain.com
Expiry Date: 2020-09-07 02:43:05+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Note: Because the DNS challenge requires a fresh TXT record to be deployed each time, renewal of a wildcard certificate obtained this way always has to be done manually, so you will not be able to renew it from a cron job.