With the internet, the web and computer security becoming a crucial part of our everyday lives, it has become more important than ever to ensure that you have SSL certificates on your website. Just last week, Google Chrome, one of the major browsers with a 59% market share, highlighted the need for SSL in its latest update. Below is a screenshot of how Chrome presented websites before and after the update.
With that said, getting an SSL certificate can cost you upwards of about $80 a year. Let’s Encrypt has completely changed the game when it comes to this. In the last couple of years, with the support of big companies such as Google, Mozilla and Cloudflare, Let’s Encrypt has been providing completely free SSL certificates for all websites.
Now let’s talk about Let’s Encrypt. Let’s Encrypt is an SSL certificate authority (similar to GoDaddy, Verizon, Trustwave, StartCom and others) managed by the Internet Security Research Group (ISRG). It uses the Automated Certificate Management Environment (ACME) protocol to automatically issue free SSL certificates that are trusted by nearly all major browsers. According to the last update from Let’s Encrypt, they have issued about 70 million certificates.
We provide HTTPS certificates to over 70 million domains. Is yours one of them? Donate and support a more secure Web! https://t.co/swycXbtpSz pic.twitter.com/xGiEiipOCB
— Let's Encrypt (@letsencrypt) March 24, 2018
Now, let’s get to the purpose of this tutorial. When Let’s Encrypt launched, they were only issuing certificates for single domains. Basically, you couldn’t get a wildcard certificate. If you had multiple subdomains, such as sub1.domain.com, sub2.domain.com etc., you had to list all of them when generating the certificate. Every time you added a new subdomain, you had to add it to the list and regenerate the certificate.
The good news is that a few weeks ago, Let’s Encrypt introduced the ability to generate wildcard certificates for domains such as *.domain.com. That way, all subdomains are covered by one certificate. This is a total game changer. It saves time and money, and makes working with SSL and subdomains far more flexible.
In this tutorial, we will be covering how to generate a wildcard SSL certificate for a domain. Before we start we want to make sure that you have the prerequisites. For the purpose of this article, we will be installing it on Ubuntu, however, most of the concepts apply to other operating systems.
First, we want to install git. We will be using that to install certbot, which will allow us to obtain and install the certificate.
# apt-get update
# apt-get upgrade
# apt-get install git
# cd /opt
# git clone https://github.com/certbot/certbot.git
After successfully installing certbot, change into the certbot folder by typing cd certbot. Once you are in the folder, run the command below, specifying your email and a list of domains. Since we are generating a wildcard certificate, you have to specify both the root domain and the wildcard. In this case we specify pagewoo.com and then *.pagewoo.com.
./certbot-auto certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.pagewoo.com -d pagewoo.com
Once you have run that command, certbot will ask you to add a TXT record to your domain to confirm that you own it. In your DNS provider, create a new DNS TXT record with the following values. Record Name: _acme-challenge (you may or may not need the .pagewoo.com suffix, depending on your DNS provider). Record Value: VWHqMqojnAZb8oLV2ZMaqaeUUyiTAX4-3KeokqJ69hE (replace this with the value provided by Certbot).
Since DNS entries take a while to propagate, you want to reduce the TTL on them so the change shows up sooner. If you are using Cloudflare, you can set the TTL to 2 min to make the changes show up quickly.
Save your DNS settings and hit Enter in the Certbot window to trigger the check. Below is the complete output you should see once you run certbot.
root@test-box:~/certbot# ./certbot-auto certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.pagewoo.com -d pagewoo.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/pagewoo.com.conf)

It contains these names: *.pagewoo.com

You requested these names for the new certificate: *.pagewoo.com, pagewoo.com.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for pagewoo.com
dns-01 challenge for pagewoo.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.pagewoo.com with the following value:

LwAX8Rt1lmC3E43fbD-5P1f9kXdlpkxhvptz3EmzKV8

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.pagewoo.com with the following value:

uWlvtpxXO7ykNyjgDT-PpisEA15pBqJLX9V_5bzmlJs

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/pagewoo.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/pagewoo.com/privkey.pem
   Your cert will expire on 2018-06-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
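Note that the output above asks for two different TXT values under the same name, _acme-challenge.pagewoo.com, one per dns-01 challenge: both records must exist at the same time, so add the second record rather than editing the first. The following script is an added example (not part of the original tutorial) that checks the published TXT record set for every token certbot printed before you press Enter; it assumes dig is installed and uses the tokens from the output above as constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Before pressing Enter at
# certbot's manual dns-01 prompt, confirm every challenge token is visible in
# the _acme-challenge TXT record set. Requesting "-d *.pagewoo.com -d pagewoo.com"
# produces TWO tokens for the same name (see the output above), so both TXT
# records must exist at once; overwriting the first with the second is a
# common reason the validation step fails.

# Return 0 if every expected token (space-separated in $2) appears as a quoted
# TXT string in the dig-style output passed in $1; report what is missing.
all_tokens_present() {
    txt_output=$1
    missing=0
    for token in $2; do
        if ! printf '%s\n' "$txt_output" | grep -qF "\"$token\""; then
            echo "missing TXT value: $token" >&2
            missing=1
        fi
    done
    return $missing
}

# Live lookup for real use. Assumes dig(1) is installed (dnsutils on Ubuntu).
# Asking a public resolver rather than the local stub avoids a stale answer
# cached on this machine before the records were published.
check_live() {
    name=$1      # e.g. _acme-challenge.pagewoo.com
    tokens=$2    # the values certbot printed, space-separated
    out=$(dig +short @1.1.1.1 TXT "$name")
    all_tokens_present "$out" "$tokens"
}

# Constructed sample of "dig +short TXT" output with both records published.
SAMPLE_OK='"LwAX8Rt1lmC3E43fbD-5P1f9kXdlpkxhvptz3EmzKV8"
"uWlvtpxXO7ykNyjgDT-PpisEA15pBqJLX9V_5bzmlJs"'
# Constructed sample where the first record was replaced by the second.
SAMPLE_OVERWRITTEN='"uWlvtpxXO7ykNyjgDT-PpisEA15pBqJLX9V_5bzmlJs"'
TOKENS='LwAX8Rt1lmC3E43fbD-5P1f9kXdlpkxhvptz3EmzKV8 uWlvtpxXO7ykNyjgDT-PpisEA15pBqJLX9V_5bzmlJs'

# Usage: ./check_acme_txt.sh _acme-challenge.pagewoo.com "TOKEN1 TOKEN2"
if [ "$#" -eq 2 ]; then
    if check_live "$1" "$2"; then
        echo "all challenge records visible; safe to press Enter in certbot"
    fi
fi
```

Re-run the check until it reports nothing missing; with the low TTL recommended above, this normally takes only a minute or two.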
Once the certificate has been issued, you can check that it was installed successfully by running the command ./certbot-auto certificates. This lists the domains and the location of the certificate files.
root@testbox:~/certbot# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: pagewoo.com
    Domains: *.pagewoo.com pagewoo.com
    Expiry Date: 2018-06-26 19:07:50+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/pagewoo.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pagewoo.com/privkey.pem
-------------------------------------------------------------------------------
root@test-box:~/certbot#
Once you see an output like the one displayed in the snippet above, you can then update your web server with the correct paths. We hope you enjoyed reading this tutorial and it helped you set up a free wildcard SSL certificate for your domain.