Getting wildcard certificates with Certbot


#1

If you want to obtain a wildcard certificate using Let’s Encrypt’s new ACMEv2
server, you’ll also need to use one of Certbot’s DNS plugins. Your Certbot version must be at least 0.22.0.

If you’re on CentOS/RHEL 7, Arch Linux, or Fedora 26+, you can install the appropriate Certbot DNS plugin for your DNS provider, as described below. Particular instructions for each provider can be found at certbot.eff.org. If you’re not on one of these distros and want a wildcard certificate ASAP, you have two options: install packages using Docker or use Certbot’s manual plugin.

Docker is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates or configure your webserver, because Certbot’s installer plugins cannot reach your webserver from inside the Docker container.

Alternatively, the manual plugin can be used outside of a Docker image, and therefore interact with webservers to install the certificates, but it cannot be used to automatically renew the certificates.

Either way, for now you’ll need to add the --server flag to specify the new endpoint:

--server https://acme-v02.api.letsencrypt.org/directory

Note: 0.22.0 users should not attempt to use --dry-run or --staging, as these flags tell Certbot to use the ACMEv1 staging endpoint. This was fixed for 0.22.1+.

Option 1: Run Certbot in Docker

We recommend reading the full instructions, available here: https://certbot.eff.org/docs/install.html#running-with-docker

In short, there are Docker images for each of Certbot’s DNS plugins available at https://hub.docker.com/u/certbot which automate doing domain validation over DNS for popular providers.

Information about specific DNS plugins can be found here: https://certbot.eff.org/docs/using.html#dns-plugins

Option 2: Use the manual plugin

You can install the manual plugin using certbot-auto:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically.

Then, the command to use the manual plugin will look something like this:

./certbot-auto certonly --manual -d *.example.com -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Make certain that certbot-auto isn’t being run with --no-self-upgrade, so that the latest version is fetched.


How to get Certbot 0.22 on Apache Ubuntu 17.04
Guidance on using Letsencrypt wildcard made live few days back with subdomain
I added three wild card sub domain to same server IP and try to add the SSL. It worked for few hours but after that it again stopped and giving a connection error. So please help me
I added three wild card sub domain to same server IP and try to add the SSL. It worked for few hours but after that it again stopped and giving a connection error. So please help me
I added three wild card sub domain to same server IP and try to add the SSL. It worked for few hours but after that it again stopped and giving a connection error. So please help me
#2

Could be I’m blind, but I’m not seeing any description on how to install the DNS plugins with the mentioned distributions.

Also, with Gentoo it’s also childs play to install a DNS plugin for certbot. Only the ebuild(s) aren’t available publically. I’ve made one for the RFC2136 plugin, but can’t upload the ebuild at this moment.


I added three wild card sub domain to same server IP and try to add the SSL. It worked for few hours but after that it again stopped and giving a connection error. So please help me
#3

Maybe it is interesting to note that you need two TXT DNS records with the same name but different content as noted in: In manual authenticator, explain that earlier challenges shouldn’t be replaced by later ones #5729 and Fix requesting a certificate for a wildcard and the base domain in our lexicon plugins #5673, one for *.example.com and the other for example.com.

Also, you must assure that the key is deployed before continue, for instance with (if you are on GNU/Linux):

host -t txt _acme-challenge.example.com

After the first challenge you must have one result, and after the second challenge you must have two results.


#4

You can also create 256 bits ECC wildcard certificates next to the default 2048 bits RSA.

I have been using it on Ubuntu for a while now. ECC intermediate or root is not supported atm. You need to create a private key and a certificate signing request which covers both wildcard/www and non-www

openssl ecparam -genkey -name prime256v1 > privkey1.pem
openssl req -new -sha256 -key privkey1.pem -subj "/CN=*.domain.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.domain.com,DNS:domain.com")) -outform der -out csr1.der

/location/to/certbot-auto certonly --manual --csr csr1.der --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

https://www.namecheap.com/support/knowledgebase/article.aspx/9503/38/what-is-an-ecc-elliptic-curve-cryptography-certificate


DNS problem: NXDOMAIN looking up TXT for
#5

I had the same thought. Regardless, the actual instructions to install the DNS plugins are in the install page. https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

Basically, replace certbot in the install command with the DNS plugin you need i.e. certbot-dns-digitalocean for Digitalocean.

That said, this worked better than the instructions listed creating new wildcard certs (Note: this one renews an existing cert called example.org):

sudo certbot certonly --cert-name example.org \
	--dns-digitalocean \
	--dns-digitalocean-credentials ~/digitalocean.ini \
	--server https://acme-v02.api.letsencrypt.org/directory \
	-d "*.example.org" -d example.org

Nginx / digitalocean / wildcard cert
#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.