Wildcard Certificates

Wildcard certificates can be generated currently (May 2020) only using certbot as acmetool does not officially support it in it's stable release.

Procedure

  • Using the certbot docker image, run the following command for the necessary domain:

    1 2 3 4 5 6 7 docker run -it --rm --name letsencrypt -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" quay.io/letsencrypt/letsencrypt:latest certonly -d "*.<domain>" --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory The command uses the following options - certonly ; Only generate the certs and don't modify existing nginx config. - --manual ; manually verify the domain. - --preferred-challenges dns; use a TXT record to verify domain ownership. - acme-v02.api ; This API provides wildcard certs.
  • The interactive script will ask for certain details such as email-ids.

  • The script will prompt the user to add a TXT record with your DNS provider with the provided name. Login to transip.nl and add the record to the domain.

    • Note: Certbot has dns plugins for most major DNS providers (except transip) and using the plugin is the preferred way if it exists.

  • The record takes about 5 mins to be published.

  • Once published, press enter and if everything was successful, your certs will be placed in /etc/letsencrypt/live/<domaim>/

Nginx configuration

  • The cert (fullchain.pem) and the private key (privkey.pem) need to be linked to the location in nginx. A sample config is provided below:

    1 2 3 4 5 6 7 8 9 10 server { listen 443 ssl; server_name *.domain; ssl_certificate <path>/fullchain; ssl_certificate_key <path>/privkey; ... }
  • Make sure to restart nginx and test this using the link below:

    • https://www.sslshopper.com/ssl-checker.html#hostname=<subdomain.domain>

Known Issues

  • When Nginx operates from docker, it has issues accessing symlinks. Since the keys and certs in /etc/letsencrypt/live/<domaim>/ are symlinks, nginx will fail. To solve this, copy the keys to another location and link it to nginx.

    • Issue Link

    • Note that this means that every time certbot updates the certs, they have to be manually copied to this location. Hooks can be used to automate this process.