Generating letsencrypt wildcard certificate with certbot
As you might know, Let's Encrypt wildcard SSL certificates have officially reached production, so it is time to give them a try. I have two DNS providers in use, GoDaddy and Cloudflare, so I had to use two different methods to make things happen. At the time of writing, the packaged certbot did not support the latest features, so I had to install the latest certbot from source:
git clone git@github.com:certbot/certbot.git && cd certbot
sudo python setup.py install
Wildcard certificates require DNS validation. Once you have installed certbot, look for plugins that support your DNS provider.
In my case there was a Cloudflare plugin, so for that domain I was able to achieve fully automatic generation and renewal.
certbot plugins
-------------------
* standalone
Description: Spin up a temporary webserver
* webroot
Description: Place files in webroot directory
---------------------------------

Additional bundled plugins:

ls | grep certbot-dns
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53
The steps to install the Cloudflare plugin from source follow. You might also use pip3 to do the same.
cd certbot-dns-cloudflare
sudo python setup.py install
Cloudflare installation
To use the authenticator plugin with CloudFlare, you need to provide your CloudFlare API key to certbot so it can edit the domain's DNS records and add the validation TXT entry that proves you control the domain. This of course means that you should take care of the configuration file holding the key.
You need to obtain the Global API key from your user profile on the CloudFlare website, then put those credentials into a configuration file. Certbot uses /etc/letsencrypt by default. We need to create the file /etc/letsencrypt/dnscloudflare.ini to store the CloudFlare credentials.
# CloudFlare API key information
dns_cloudflare_api_key = yourcloudflarekey
dns_cloudflare_email = yourcloudflarelogin
Ensure the file is readable only by authorised users, i.e. root.
chmod 600 /etc/letsencrypt/dnscloudflare.ini
Certbot Configuration Settings
Wildcard certificates are only available via the ACME v2 API, which I haven't found in certbot installed from packages, so I had to amend the configuration to tell certbot the server parameter. Certbot uses the
# Let's Encrypt site-wide configuration
dns-cloudflare-credentials = /etc/letsencrypt/dnscloudflare.ini

# Use the ACME v2 staging URI for testing things
#server = https://acme-staging-v02.api.letsencrypt.org/directory

# Production ACME v2 API endpoint
server = https://acme-v02.api.letsencrypt.org/directory
Generating a certificate in automatic mode with the CloudFlare plugin
sudo certbot certonly -d '*.voronenko.info' --dns-cloudflare --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for voronenko.info
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/voronenko.info/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/voronenko.info/privkey.pem
   Your cert will expire on 2018-06-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
Case 2: unsupported DNS provider
I also have another domain, used for open source activities. For that domain I had to add the validation entry manually. The command is slightly different; note that most of the -- parameters could go into the config file instead. If you have improvements, comments are welcome.
certbot certonly --manual -d '*.softasap.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
During the command run you are asked to add a TXT record to your DNS zone and to wait for the change to propagate.
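Three checks worth scripting around both flows above, as an added example that is not part of the original post or of certbot: which hostnames a certificate requested with only `-d '*.domain'` actually covers (a wildcard matches exactly one left-most label, so the apex name needs its own `-d`), the TXT record name the manual DNS-01 flow asks for (the `*.` prefix is stripped), and whether the credentials INI really has the permissions the post requires. Hostnames and the temporary INI file are constructed sample data.

```python
"""Sanity checks around certbot DNS-01 wildcard issuance (standard library only)."""
import os
import stat
import tempfile


def acme_txt_record_name(identifier: str) -> str:
    """Name of the TXT record a DNS-01 challenge asks you to publish.
    For a wildcard identifier the leading '*.' is dropped, so '*.softasap.com'
    and 'softasap.com' are both validated at '_acme-challenge.softasap.com'."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return "_acme-challenge." + identifier.rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """Browser-style matching: '*' covers exactly one left-most label,
    never the bare apex and never two labels."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return san == hostname


def uncovered_hostnames(sans, hostnames):
    """Hostnames that none of the certificate's SANs would cover."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def credentials_file_ok(path: str) -> bool:
    """True only for a regular file with no group/other bits (i.e. chmod 600 or stricter)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def make_credentials_file(mode: int) -> str:
    """Create a constructed dnscloudflare.ini-style file with the given mode (for testing)."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write("dns_cloudflare_api_key = placeholder\ndns_cloudflare_email = placeholder\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed sample: SANs produced by `-d '*.voronenko.info'` alone.
    print(uncovered_hostnames(["*.voronenko.info"],
                              ["www.voronenko.info", "voronenko.info", "a.b.voronenko.info"]))
    print(acme_txt_record_name("*.softasap.com"))
    print(credentials_file_ok(make_credentials_file(0o600)))
```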
We have successfully used the new Let's Encrypt API to generate wildcard certificates in fully automated mode as well as in manual mode.