LetsEncrypt wildcard subdomain certificates using VestaCP
Introduction
Nowadays, all websites are trying to shift from HTTP to HTTPS. The reason is simple, HTTPS provides more security. But HTTPS is not new. It has been around for some time now. Why, then, the sudden surge for the shift? Because, browsers have started giving warnings when webpages containing sensitive input fields are not using HTTPS (e.g. login page).
SSL Certificates
The domain that's trying to shift to HTTPS, needs a signed SSL certificate. An SSL certificate can be self-signed or can be signed by a trusted third-party provider (recommended). Although, there are many (paid) trusted third-party providers, LetsEncrpyt is the most popular (free) provider. LetsEncrypt provides free SSL certificates valid for 3 months. The certificates can be renewed before expiry (free of cost). So once an SSL certificate is installed, the domain admin just has to keep renewing them every 3 months.
How to shift from HTTP to HTTPS?
Single subdomain SSL cert + VestaCP
VestaCP users who have a site running on a single subdomain (like www.example.com) can follow these steps:
- Login to Vesta Control Panel
- Go to WEB
- Click EDIT for the domain that needs the SSL certificate
- Select the SSL Support checkbox and then on LetsEncrypt Support
- Click Save
- Now access your website with https (
https://www.example.com)
VestaCP will take care of auto-renewing the SSL certificates for you.
Wildcard subdomain SSL cert + VestaCP
This gets a little trickier when users want an SSL certificate for wildcard subdomain (like *.example.com). This is required when the web application has dynamic subdomains for their clients, for example.
- Client lorem :
lorem.example.com - Client ipsum :
ipsum.example.com - Client dolor :
dolor.example.com
LetsEncrypt does not provide a script for auto-renewing certificates with wildcard subdomain. There's a script certbot-auto that can be setup in cron (if using Linux), that can auto-renew single domain SSL certificates. The same script can also be used to manually install and renew wildcard subdomains.
The following steps assume that the OS is Linux.
- Get the
certbot-autoutility
$ wget https://dl.eff.org/certbot-auto
- Make it executable by all
$ chmod a+x ./certbot-auto
- Install the wildcard subdomain SSL certificate
$ sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d *.example.com -d *.scm.example.com
Note: Please replace example.com with your domain.
- You will get a message similar to this
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.scm.example.com with the following value:
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
DO NOT press Enter yet
You need to open your VPS/shared hosting control panel and create/update the mentioned DNS TXT record.
Open another terminal to verify that the DNS TXT record was successflly deployed. You can do so with
$ nslookup -type=TXT _acme-challenge.scm.example.com
You must get an output similar to this
Server: 192.XXX.XXX.XXX
Address: 192.XXX.XXX.XXX#XX
Non-authoritative answer:
_acme-challenge.scm.example.com text = "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"
- Now, return to the previous terminal and press
Enter.
You will get an output like so
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-06-12. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To non-interactively
renew *all* of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: hntps://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You have sucessfully installed the SSL certificates for the wildcard subdomain.
Configure VestaCP
You need to tell VestaCP about the newly installed certificates.
In Vesta Control Panel
- Go to WEB > example.com > EDIT
- Select SSL Support checkbox (DO NOT select the LetsEncrypt Support checkbox).
- Add the keys as given below manually in Vesta Control Panel under the corresponding textarea. (you may run the following commands in terminal to see the files).
$ more /etc/letsencrypt/live/example.com/cert.pem
^ Copy contents into "SSL Certificate" field.
$ more /etc/letsencrypt/live/example.com/privkey.pem
^ Copy contents into "SSL Key" field.
$ more /etc/letsencrypt/live/example.com/chain.pem
^ Copy contents into "SSL CA / Intermediate" field.
Certificate Renewal
Wildcard subdomain certificates cannot be auto-renewed. But manual renewal is simple.
Command to renew should be exactly the same as command for certificate installation.
Example:
$ sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d *.example.com -d *.scm.example.com
Next, the newly generated certificate keys should reflect in the Vesta Control Panel as well.
Follow the steps mentioned in "Configure VestaCP" section.
Renewal is complete.
Thank you for documenting the process. It seems to work very well and VestaCP is now showing the certificate as *.xyz.com, instead of xyz.com. I can go to any of the sub-domains and not get a cert error but the main domain, www.xyz.com or xyz.com now is getting a cert error. Any suggestions on how to fix it?
The process should be followed only for wildcard subdomains. If you have other explicit subdomains like www or dev or mail, you need to install separate certificates for each one of them.
Thank you. I created a new cert listing xyz.com and *.xyz.com and it seems to be working now.