Wildcard certificates can currently (May 2020) be generated only with certbot, as acmetool does not officially support them in its stable release.
Using the certbot docker image, run the following command for the necessary domain:
docker run -it --rm --name letsencrypt -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" quay.io/letsencrypt/letsencrypt:latest certonly -d "*.<domain>" --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
The command uses the following options:
- certonly: only obtain the certificate; do not modify the existing nginx configuration.
- --manual: verify domain ownership manually, through interactive prompts.
- --preferred-challenges dns: use a DNS TXT record to prove domain ownership (the DNS challenge is the only one Let's Encrypt accepts for wildcard names).
- --server https://acme-v02.api.letsencrypt.org/directory: the ACME v2 endpoint, which is the API that issues wildcard certificates.
The interactive script asks for details such as an email address.
It then prompts you to add a TXT record at your DNS provider with the name and value it shows. Log in to transip.nl and add the record to the domain.
Note: certbot has DNS plugins for most major DNS providers (though not for TransIP); where a plugin exists, using it is the preferred way, as it creates the record for you.
The record takes about 5 mins to be published. Confirm it is visible (for example with dig TXT _acme-challenge.<domain>) before continuing, since the validation fails if the record has not propagated yet.
Once it is published, press Enter. If everything succeeded, the certificates are placed in /etc/letsencrypt/live/<domain>/
The certificate (fullchain.pem) and the private key (privkey.pem) need to be referenced from the nginx configuration. A sample config is provided below:
When nginx runs from docker, it has trouble accessing symlinks. Since the files in /etc/letsencrypt/live/<domain>/ are symlinks (into /etc/letsencrypt/archive/), nginx will fail to open them. To solve this, copy the dereferenced files to another location that is mounted into the container and point nginx at that copy, keeping the private key readable only by the user nginx runs as.
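The copy step described above, as an added example (not part of the original page): a POSIX shell function that dereferences certbot's symlinks into a directory nginx can read, fixes the file modes, and refuses to publish a key that does not match the certificate. The function name publish_certs and the destination directory are assumptions; the source directory is certbot's usual live/<domain>/ layout.

```shell
#!/bin/sh
# Added example, not certbot's or the page's own code.
# Usage: publish_certs /etc/letsencrypt/live/example.com /srv/nginx/certs
set -eu

publish_certs() {
    src="$1"   # certbot's live directory for the domain (holds symlinks)
    dst="$2"   # directory bind-mounted into the nginx container (assumed)

    # Both files must exist (symlink or not); fail loudly otherwise.
    for f in fullchain.pem privkey.pem; do
        [ -e "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done

    mkdir -p "$dst"
    # cp -L follows the symlinks, so the destination holds regular files,
    # which is what nginx inside docker can actually open.
    cp -L "$src/fullchain.pem" "$dst/fullchain.pem"
    cp -L "$src/privkey.pem"   "$dst/privkey.pem"

    # The chain is public; the private key must not be readable by others.
    chmod 644 "$dst/fullchain.pem"
    chmod 600 "$dst/privkey.pem"

    # Sanity check (skipped if openssl is absent): the public key inside the
    # certificate must equal the public half of the private key.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$dst/fullchain.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$dst/privkey.pem" -pubout)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "privkey.pem does not match fullchain.pem" >&2
            return 1
        fi
    fi
    return 0
}
```

Run it after every renewal (for example from a certbot --deploy-hook) and then reload nginx so the container picks up the new files.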