How to: get free wildcard subdomain certificates using Let's Encrypt

Do you already know Let's Encrypt, have your DNS plugin installed and want a TL;DR? Of course, here you go.

$ history -c && sudo su - && exit
# pip3 install certbot-dns-«yourDNSProvider»
# certbot --server https://acme-v02.api.letsencrypt.org/directory \
    --authenticator dns-«yourDNSProvider» \
    --dns-«yourDNSProvider»-options … \
    --installer nginx|apache \
    -d '*.yourdomain.tld'
# history -c && exit

If you don't already know what I'm talking about, or why I'm so excited about this, follow me.

A brief history of Let's Encrypt

Almost two years ago, a promise of having a safer web through the democratisation of HTTPS arrived with the introduction of a brand-new, free, automated-issuing and open Certificate Authority. Its name was Let's Encrypt.

On March 13th 2018, they launched support for ACMEv2 features which, among others, include issuing wildcard certificates after verifying the domains via a DNS challenge.

Summary

If you'd like to successfully install a wildcard subdomain certificate and set up your environment to

The following steps apply to any webserver and almost any DNS provider —although if your DNS isn't one of the supported providers/mechanisms listed here, I strongly recommend changing your provider or server configuration—. However, for the sake of the example —and because that's the DNS provider and webserver I use, prefer and recommend— this guide was written using Ubuntu Server as the distro, Cloudflare as the DNS and nginx as the webserver.

  1. Install/Update to the latest version of Certbot.
  2. Install your DNS provider plugin.
  3. Get the certificate.

1. Install/Update to the latest version of Certbot

This is the most crucial step, since you need certbot installed in order to run it —don't you? Maybe you are a wizard—, and it's already well explained on certbot's webpage.

First, establish a connection to your server via ssh and log in as root, you know, to avoid typing sudo over and over —believe that's a bad practice? Tell me in the comments below—.

$ ssh username@yourdomain.tld
$ history -c && sudo su -

Then, follow the instructions given on certbot's webpage. These are mine.

# apt-get update
# apt -y install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt -y install python-certbot-nginx

However, if you already had certbot installed, you'll need to update to the latest version to fully support the ACMEv2 challenges (and fix some bugs that happened in previous versions).

# apt-get update && apt -y dist-upgrade && apt -y autoremove

2. Install your DNS provider plugin

Now that you've installed certbot, you need to make sure you install a DNS authentication plugin. The complete list of plugins is here.

(Optional) Install pip.

If you've never installed pip (a Python package manager) on your server for any reason, you'll probably need to do it right now. It's actually quite a simple step.

# apt -y install python3-pip

Install the plugin

Now, here's the shortest step.

# pip3 install certbot-dns-cloudflare

3. Get the certificate

For this step, I'll assume you've previously configured your webserver at least once, and that your domain's DNS, hosted at your DNS provider, points to it. Haven't you? Here's a quick guide on how to configure an nginx webserver in Ubuntu Server 16.04 —yup, those tutorials never get old—.

Gather the DNS provider credentials

Create a file in your home directory (that of the user running certbot, so /root here since you logged in as root) named ~/.secrets/cloudflare/credentials.ini containing the credentials the plugin asks for, and keep it readable only by that user.

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

Ask Let's Encrypt for the certificate

Now, the moment we've been waiting for so long.

# certbot --server https://acme-v02.api.letsencrypt.org/directory \
    --authenticator dns-cloudflare \
    --dns-cloudflare-credentials ~/.secrets/cloudflare/credentials.ini \
    --installer nginx|apache \
    -d '*.yourdomain.tld'
# history -c && exit

Each plugin asks for different options, and it's up to you to find them out. They're pretty simple.
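What the DNS plugin does for you while that command runs, as an added example that is not code from this post or from certbot: it takes the token the CA hands out for each domain, combines it with your ACME account key, and publishes the resulting _acme-challenge TXT record that the CA will look up (the dns-01 challenge of RFC 8555, with the key thumbprint from RFC 7638). The account key and token below are constructed placeholders, not real values.

```python
# Added example (not from the post or certbot): the dns-01 TXT record a CA
# expects, computed from an ACME account key and a challenge token.
# RFC 8555 section 8.4 for the record, RFC 7638 for the thumbprint. Stdlib only.
import base64
import hashlib
import json


def b64url(data):
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: keep only the required members, sort them, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier, token, account_jwk):
    """Return (TXT name, TXT value) the CA expects for one authorization.

    The wildcard label is dropped: '*.example.com' and 'example.com' are
    both proven at _acme-challenge.example.com, so a certificate covering
    both needs two TXT records at that same name (one per token)."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    base = identifier[2:] if identifier.startswith("*.") else identifier
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return "_acme-challenge." + base, value


def txt_records_satisfy(published, expected):
    """Mirror the CA's check: some TXT record at the name must match exactly."""
    return any(record == expected for record in published)


# Constructed sample account key (not a real key) and token, for demonstration.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructed-sample-token-not-from-a-real-CA"

if __name__ == "__main__":
    for ident in ("*.yourdomain.tld", "yourdomain.tld"):
        name, value = dns01_record(ident, SAMPLE_TOKEN, SAMPLE_JWK)
        print(f"{ident:>18} -> {name} TXT {value}")
```

Once certbot finishes, the plugin removes the record again; if you ever find stale _acme-challenge TXT records at your provider, this is where they came from.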

Now, you'll be guided through a wizard that asks for your email (for domain identification and further contact) and some data usage agreements. These guys are cool and don't want to do anything other than make the web safer; however, be careful and read everything.

Then, there are two or three prompts asking which domains apply to your certificate request, whether you want to redirect HTTP to HTTPS, and which "virtual hosts" apply to your domain configuration.

You'll end up with your website having your SSL certificate installed.