How to generate letsencrypt Wildcard SSL certificate Step-By-Step

In 2017 Let's Encrypt announced that it would begin issuing wildcard certificates in January 2018; wildcard issuance shipped with the ACME v2 API in March 2018, which is why the command below points certbot at the acme-v02 endpoint. While installing it, I faced lots of issues, but thanks to the Let's Encrypt community and support I was able to do it. Here is documentation of the whole process, which will help you do this quickly.


Run certbot against the ACME v2 endpoint (wildcard issuance needs certbot 0.22.0 or newer) and quote the wildcard so the shell cannot glob-expand it against files in the current directory:

sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 certonly

After you run this command, certbot asks you to accept that the public IP address of the machine you are running it on will be logged as having requested this certificate. In manual mode that machine need not be the web server itself, so make sure you are fine with that address appearing in the logs.

You also need to be able to add TXT records in the DNS zone of the domain at your DNS provider. Here is a screenshot of adding the TXT record in DigitalOcean.

Certbot prompts twice, once for example.com and once for *.example.com, and both prompts use the same record name, _acme-challenge.example.com. Add the second value as an additional TXT record rather than replacing the first: validation of both names only starts after the second prompt, so both values must be present at the same time. After each addition, do not press Enter after a fixed number of seconds; wait until the record is actually visible at the zone's authoritative nameservers (for example with dig +short TXT _acme-challenge.example.com @ns1.digitalocean.com). If validation fails, certbot issues fresh challenge values and you have to start over.
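As an added example (not part of the original post), here is a small bash script that does the "verify the record is deployed" step properly: it asks each authoritative nameserver of the zone directly, bypassing recursive-resolver caches, and succeeds only when every challenge value certbot printed is present in the _acme-challenge TXT set on every server. The domain and challenge values are placeholders to be replaced with the ones from your own certbot prompt; the parsing is kept in its own function and exercised on constructed dig output so it can be checked without network access.

```bash
#!/usr/bin/env bash
# Added example: confirm ACME dns-01 TXT records are live at the authoritative
# nameservers before pressing Enter in certbot's manual prompt.
# Usage: ./acme-txt-check.sh example.com VALUE1 VALUE2

# acme_txt_present EXPECTED
#   Reads `dig +short TXT` output on stdin (one quoted string per record,
#   e.g. "abc...") and succeeds if EXPECTED is one of the values. ACME
#   challenge values are 43 characters, so dig prints each as a single
#   quoted string and stripping the surrounding quotes is enough.
acme_txt_present() {
  local expected="$1" line
  while IFS= read -r line; do
    line="${line#\"}"          # strip leading quote
    line="${line%\"}"          # strip trailing quote
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# acme_txt_check DOMAIN VALUE...
#   Queries every authoritative nameserver for DOMAIN and requires each VALUE
#   to be present under _acme-challenge.DOMAIN on every one of them. Returns
#   0 only when all servers have all values (safe to press Enter), 1 when a
#   value is missing somewhere, 2 when the check could not be performed.
#   Both certbot prompts use the same record name, so pass both values.
acme_txt_check() {
  local domain="$1" ns value rc=0
  shift
  command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
  local nameservers
  nameservers=$(dig +short NS "$domain")
  [ -n "$nameservers" ] || { echo "no NS records found for $domain" >&2; return 2; }
  for ns in $nameservers; do
    for value in "$@"; do
      if dig +short TXT "_acme-challenge.$domain" "@$ns" | acme_txt_present "$value"; then
        echo "ok      $ns has $value"
      else
        echo "MISSING $ns lacks $value"
        rc=1
      fi
    done
  done
  return "$rc"
}

# Constructed sample of `dig +short TXT _acme-challenge.example.com` output as
# it looks once both records from the certbot prompts are deployed
# (placeholder values, not real challenge tokens).
SAMPLE_DIG_OUTPUT='"xxxxxxxxxxxxxx_yyyyyyyyyy_zzzzzzzzzzzzzzzzz"
"xxxxxxxxxxxxxxxxxxxx_yyyyyyyyyyyy_zzzzzzzzz"'

# Live check only when a domain and at least one value are given on the
# command line, so sourcing or testing the file does no network I/O.
if [ "$#" -ge 2 ]; then
  acme_txt_check "$@"
fi
```

Run it after adding each TXT record and keep re-running until every line reads ok; only then press Enter in certbot. Querying the authoritative servers matters because a recursive resolver may have cached a negative answer for _acme-challenge.example.com and keep returning it long after the record exists.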

$ sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d goingplaces.me -d *.goingplaces.me --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for goingplaces.me
dns-01 challenge for goingplaces.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.goingplaces.me with the following value:

xxxxxxxxxxxxxx_yyyyyyyyyy_zzzzzzzzzzzzzzzzz

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.goingplaces.me with the following value:

xxxxxxxxxxxxxxxxxxxx_yyyyyyyyyyyy_zzzzzzzzz

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-12-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The command above was run with certonly and the manual authenticator, so certbot only obtained the certificate files; it did not touch nginx, and you have to add the TLS configuration yourself. Note also that the "certbot renew" hint in the output does not apply as-is here: a manual dns-01 certificate cannot be renewed unattended unless you give certbot a --manual-auth-hook script that creates the TXT records for you. Without one, repeat this interactive procedure before the 90-day certificate expires.

Add the following to the server block that serves example.com. A wildcard matches exactly one label, so this certificate covers example.com and names like www.example.com or api.example.com, but not a.b.example.com; list every name you want served under server_name. The include and ssl_dhparam lines refer to files that the certbot nginx plugin writes when it acts as installer; with certonly and the manual authenticator they may not exist yet, so check for them (or supply your own ssl_protocols and ssl_ciphers settings) and run nginx -t before reloading.

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

and a new server block on port 80 that redirects plain HTTP to HTTPS. The final return 404 catches requests whose Host header matches neither name, so nginx does not serve them from the default site. If other subdomains covered by the wildcard should redirect too, add them to both the if conditions and server_name. Then validate and reload with sudo nginx -t && sudo systemctl reload nginx.

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com www.example.com;
    listen 80;
    return 404; # managed by Certbot
}
