Generating letsencrypt wildcard certificate with certbot

Published Mar 21, 2018

As you might know, Let's Encrypt wildcard certificates (issued through the ACME
v2 API) have officially reached production state, see
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578.

It is time to give it a try. I have two DNS providers in use, GoDaddy and
Cloudflare, so I had to use two different methods to make things happen. At the
time of writing, the packaged certbot did not support the latest features, so I
had to install the latest certbot from source:

git clone git@github.com:certbot/certbot.git && cd certbot
sudo python setup.py install

Wildcard certificates require DNS validation (the dns-01 challenge). So, once
you have installed certbot, look for a plugin that supports your DNS provider.

In my case there was a Cloudflare plugin, so for that domain I was able to
achieve fully automatic generation and renewal.

certbot plugins

-------------------
* standalone
Description: Spin up a temporary webserver

* webroot
Description: Place files in webroot directory
---------------------------------

Additional bundled plugins:

ls | grep certbot-dns
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53

The steps to install the Cloudflare plugin from source follow. You could also
use the pip3 package manager to do the same.

cd certbot-dns-cloudflare
sudo python setup.py install

Cloudflare plugin setup

To use the authenticator plugin with Cloudflare, you need to give certbot a
Cloudflare API key so it can edit the domain's DNS entries and add the
validation TXT record that proves you control the domain. This of course means
that you must take care of the configuration file holding that key: anyone who
can read it can change your DNS records.

You need to obtain the Global API key from your user profile on the Cloudflare
website, then put those credentials into a configuration file. Certbot uses
/etc/letsencrypt as its default directory, so we create the file
/etc/letsencrypt/dnscloudflare.ini to store the Cloudflare credentials:

# CloudFlare API key information
dns_cloudflare_api_key = yourcloudflarekey
dns_cloudflare_email = yourcloudflarelogin

Ensure the file is readable only by the account that runs certbot, i.e. root:

chmod 600 /etc/letsencrypt/dnscloudflare.ini

Certbot Configuration Settings

Wildcard certificates are only available via the ACME v2 API, which the certbot
installed from packages did not know about, so I had to amend the configuration
to pass certbot the server parameter. Certbot reads site-wide settings from
/etc/letsencrypt/cli.ini:

# Let's Encrypt site-wide configuration
dns-cloudflare-credentials = /etc/letsencrypt/dnscloudflare.ini
# Use the ACME v2 staging URI for testing things
#server = https://acme-staging-v02.api.letsencrypt.org/directory
# Production ACME v2 API endpoint
server = https://acme-v02.api.letsencrypt.org/directory

Generating a certificate in automatic mode with the Cloudflare plugin

sudo certbot certonly -d *.voronenko.info --dns-cloudflare --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for voronenko.info
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/voronenko.info/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/voronenko.info/privkey.pem
   Your cert will expire on 2018-06-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Case 2: unsupported DNS provider

I also have another domain, used for open source activities. For that domain I
had to add the validation entry manually. The command is slightly different;
note that most of the -- parameters could go into the config files as well. If
you have improvements, comments are welcome.

certbot certonly --manual -d *.softasap.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

During the command run you are asked to put a TXT entry into the DNS records
and to wait for the change to propagate.
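What certbot asks you to publish in that step is not secret material but a hash: per RFC 8555, the TXT value is base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 thumbprint of your ACME account key, and for a wildcard name the record lives at _acme-challenge of the base domain. The following Python is an added example, not code from this post or from certbot, that computes the record name and value; the token and JWK below are constructed placeholders, not a real account key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (sorted keys, no whitespace). Optional members such
    as "kid" or "alg" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The value to publish: base64url(SHA-256(keyAuthorization)), where
    keyAuthorization = token "." thumbprint(accountKey). Only the hash goes
    into DNS; the account private key never leaves the certbot host."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(domain: str) -> str:
    """TXT record name for the identifier. A wildcard *.example.com is
    validated at _acme-challenge.example.com, the same name as the base
    domain, which matches the 'dns-01 challenge for voronenko.info' line
    certbot prints when asked for *.voronenko.info."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


# Constructed sample inputs (placeholders, not a real account key or token).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "constructed-modulus-placeholder", "kid": "ignored-member"}
SAMPLE_TOKEN = "constructed-token-placeholder"

if __name__ == "__main__":
    name = dns01_record_name("*.voronenko.info")
    print(f"{name} IN TXT \"{dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)}\"")
```

Once the record is visible on the authoritative name servers, Let's Encrypt's validators compare it with the value they compute from the same token and your account key, which is why a stale TXT record from an earlier run causes the challenge to fail.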

Summary

We have successfully used the new Let's Encrypt API to generate a wildcard
certificate in fully automated mode as well as in manual mode.
