Wildcard Certificates
Wildcard certificates can currently (May 2020) be generated only with certbot, as acmetool does not officially support them in its stable release.
Procedure
Using the certbot docker image, run the following command for the domain in question:

docker run -it --rm --name letsencrypt \
  -v "/etc/letsencrypt:/etc/letsencrypt" \
  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
  quay.io/letsencrypt/letsencrypt:latest certonly \
  -d "*.<domain>" --manual --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory

The command uses the following options:
- certonly: only generate the certs and don't modify the existing nginx config.
- --manual: verify the domain manually.
- --preferred-challenges dns: use a TXT record to verify domain ownership.
- --server https://acme-v02.api.letsencrypt.org/directory: the ACME v2 API, which is the one that issues wildcard certs.
The interactive script will ask for certain details such as an email address.
The script will then prompt you to add a TXT record with the given name at your DNS provider. Log in to transip.nl and add the record to the domain. Note: Certbot has DNS plugins for most major DNS providers (except TransIP), and using the plugin is the preferred way when one exists.
The record takes about 5 minutes to be published.
Once it is published, press Enter; if everything was successful, your certs will be placed in
/etc/letsencrypt/live/<domain>/
Nginx configuration
The cert (fullchain.pem) and the private key (privkey.pem) need to be referenced from the nginx config. A sample config is provided below:

server {
    listen 443 ssl;
    server_name *.domain;
    ssl_certificate <path>/fullchain.pem;
    ssl_certificate_key <path>/privkey.pem;
    ...
}
Make sure to restart nginx and test this using the link below:
https://www.sslshopper.com/ssl-checker.html#hostname=<subdomain.domain>
Known Issues
When nginx runs from Docker, it has issues accessing symlinks. Since the keys and certs in
/etc/letsencrypt/live/<domain>/
are symlinks, nginx will fail. To solve this, copy the keys to another location and point nginx at that location. Note that this means every time certbot renews the certs, they have to be copied to this location again by hand. Hooks can be used to automate this process.
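A deploy hook that performs this copy, added here as an example and not part of the original page: it assumes certbot invokes it via --deploy-hook (which sets RENEWED_LINEAGE to the live/<domain> directory), a destination directory of /etc/nginx/certs, and an nginx container named nginx.

```shell
#!/bin/sh
# Certbot deploy hook (added example): dereference the symlinks in
# live/<domain> so that a containerised nginx sees regular files,
# then reload nginx. RENEWED_LINEAGE is set by certbot for deploy hooks.
set -eu

# copy_live_certs <lineage_dir> <dest_dir>
# Copies fullchain.pem and privkey.pem as plain files (not symlinks),
# replacing each destination atomically. Returns 1 if a source is missing.
copy_live_certs() {
    lineage="$1"
    dest="$2"
    umask 077                                   # new files start owner-only
    mkdir -p "$dest"
    for name in fullchain.pem privkey.pem; do
        src="$lineage/$name"
        [ -e "$src" ] || { echo "missing $src" >&2; return 1; }
        # cp -L follows the symlink, so the copy is a real file
        cp -L "$src" "$dest/$name.tmp"
        mv -f "$dest/$name.tmp" "$dest/$name"   # atomic replace
    done
    chmod 0644 "$dest/fullchain.pem"            # the chain is public
    chmod 0600 "$dest/privkey.pem"              # the key stays private
}

# Only act as a hook when certbot calls us (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_live_certs "$RENEWED_LINEAGE" "${CERT_DEST:-/etc/nginx/certs}"
    # Container name "nginx" is an assumption; adjust to your setup.
    docker exec nginx nginx -s reload
fi
```

Register it with certbot by adding --deploy-hook /path/to/this-script to the renew command so it runs after every successful renewal.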