How to generate a wildcard cert with Let's Encrypt, if I don't have sudo access on my server?

You need to run certbot once only (if you want one single certificate).
You need to include both names (if you want both the wildcard and the base domain on the same cert).
You need to create one TXT record for each name requested (in this case two names, so two TXT records).

4 Likes

I was just replying too, but @rg305's explanation is correct! I hope that helps.

3 Likes

One additional point of clarification, in case you are still unclear:
The wildcard cert will NOT cover the base domain itself.
This may sound counterintuitive (in the human world it would be implied - but these are machines).
So you will need to include that base name as a second name on the cert.
If that sounds confusing… think of it this way.
A cert is for a "name".
Much like a person, a "name" is made up of the first name and the last name (the rest of the name).
In the case of the wildcard, the first name is "*" (any/all first names).
And the last name is "your.domain".
But the base domain has a different set of names…
The base domain in this example would have a first name of "your" and a last name of "domain".
So you see they are essentially different names (from different "parents").
The wildcard will cover all the children of that parent only.

And certbot will generate one TXT for each name on the requested cert (in this case two).

3 Likes

@rg305 OK thanks for that clear reply. Here are my follow ups.

You need to run certbot once only (if you want one single certificate).

OK got it. I do indeed want one single, wildcard certificate.

You need to include both names (if you want both the wildcard and the base domain on the same cert).

OK understood there.

You need to create one TXT record for each name requested (in this case two names, so two TXT records).

OK I understand I'll need to create two separate TXT records. Each TXT record has a 'name' and a 'value,' correct? If so, I'm unclear on the 'name' and 'value' I should specify for each.

When I run certbot certonly --manual and specify both domain names, certbot eventually gives this output:

Please deploy a DNS TXT record under the name
_acme-challenge.everlooksolutions.com with the following value:

evyH2pp242Vbt99H8Kagtr07I09iZpqZZxerM6vFtsw

Before continuing, verify the record is deployed.

So that seems to instruct me to create one single TXT record, right? If so, what is the name (and value) of the second TXT record I need to create? OR, must I first successfully create this TXT record, then continue inside certbot, and at THAT POINT certbot will tell me the name/value for the second TXT record to create?

@schoen Thanks for your help and patience too :slight_smile:

1 Like

Yes, at that point it seems to only need one entry created.
That may be due to a previously/recently cached authorization (for the second name).
[but you really just need to follow the prompted instructions]

It seems that the second value is not required (at this time).

2 Likes

This is correct in general. The --manual mode prompts you to confirm the creation of each action before telling you the next action to take.

@rg305 is also right that if you have very recently successfully created a different but overlapping certificate, there's a possibility that you would be prompted to take fewer actions overall to confirm your control of the domain names, because Let's Encrypt would remember on the server side that your Let's Encrypt account was confirmed to be authorized to issue certificates for particular names.

So you might temporarily get only one prompt instead of two based on other recent certificate issuance that you've done. But in the general case, you would get two, but Certbot would wait in between telling you what they are to have you confirm that you've done both.

I guess this behavior is kind of annoying, but not that much work has gone into certbot --manual because it's not the recommended way to use Certbot or Let's Encrypt. That's because certificates obtained this way can only be renewed manually, not automatically, which isn't consistent with Let's Encrypt's recommendations. (For wildcard certificates, the recommended method is to use an API that lets Certbot or another client make DNS changes for itself, rather than telling you, the human user, what those changes should be.)

4 Likes

This is merely an add-on comment in case anyone reading this thread may run into an issue when manually setting TXT records through GoDaddy's DNS management page. When setting the _acme-challenge in general, do NOT enter the full domain name in the box for the host. Entering the domain name will result in repetition since GODADDY AUTOMATICALLY APPENDS THE DOMAIN NAME TO WHAT YOU ENTER IN THE BOX FOR THE HOST. So for "www.example.com", you would enter "_acme-challenge.www", NOT "_acme-challenge.www.example.com". Additionally (and more importantly for this thread), for "*.example.com" be sure to enter "_acme-challenge", NOT "_acme-challenge.*". I've lost count of the number of times I've seen people struggle just because of this issue.

2 Likes
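The two points made above (rg305's explanation that a wildcard and its base name are separate names that each get validated, and the note just above about panels that append the zone to the host field), as an added Python example that is not part of the thread: it computes the _acme-challenge record name for each requested identifier, shows that example.com and *.example.com both land on the same record name (so two TXT records with the same name and different values), derives what to type into a zone-appending host box, parses `dig +short TXT` output to confirm the expected values are published before continuing in certbot, and checks what a wildcard name actually covers. The domain names and token values are constructed; the "@" apex convention is an assumption about the panel.

```python
"""DNS-01 record names, panel host fields, and wildcard coverage for a Let's Encrypt order.

Added example (not from the thread). Domain names and token values below are constructed.
"""
import re
from collections import Counter


def dns01_record_name(identifier: str) -> str:
    """TXT record name the DNS-01 challenge is checked at (RFC 8555 section 8.4).

    A wildcard is validated at its base name, so '*.example.com' and 'example.com'
    both resolve to '_acme-challenge.example.com'.
    """
    host = identifier.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return f"_acme-challenge.{host}"


def txt_records_needed(identifiers: list[str]) -> dict[str, int]:
    """Records per name for one order: wildcard + base = two TXT records under ONE name."""
    return dict(Counter(dns01_record_name(i) for i in identifiers))


def panel_host_field(record_fqdn: str, zone: str) -> str:
    """What to type into a DNS panel that appends the zone to the 'Host'/'Name' box.

    '_acme-challenge.example.com' in zone 'example.com' -> '_acme-challenge'
    '_acme-challenge.www.example.com'                  -> '_acme-challenge.www'
    Typing the FQDN would publish '_acme-challenge.example.com.example.com' instead.
    """
    rec, z = record_fqdn.lower().rstrip("."), zone.lower().rstrip(".")
    if rec == z:
        return "@"  # assumption: '@' is the panel's convention for the apex itself
    if not rec.endswith("." + z):
        raise ValueError(f"{record_fqdn!r} is not inside zone {zone!r}")
    return rec[: -(len(z) + 1)]


def parse_dig_short_txt(output: str) -> list[str]:
    """Turn `dig +short TXT <name>` output into record values.

    Each line is one record; a value longer than 255 bytes is printed as several
    quoted strings on one line, which belong together.
    """
    return ["".join(re.findall(r'"([^"]*)"', line))
            for line in output.splitlines() if line.strip()]


def missing_challenge_values(expected: list[str], dig_output: str) -> list[str]:
    """Expected tokens not yet visible in DNS: only continue in certbot when this is empty."""
    published = set(parse_dig_short_txt(dig_output))
    return [tok for tok in expected if tok not in published]


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """Does a certificate name cover a hostname?

    '*.example.com' matches exactly one left-most label: www.example.com yes,
    example.com no, a.b.example.com no (RFC 6125 section 6.4.3 style matching).
    """
    name, host = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not name.startswith("*."):
        return name == host
    first, _, rest = host.partition(".")
    return bool(first) and "*" not in first and rest == name[2:]


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(wildcard_covers(n, hostname) for n in cert_names)


# Constructed sample: what dig might show once both records are published.
SAMPLE_DIG_OUTPUT = '"tokenForBaseName-constructed"\n"tokenForWildcard-constructed"\n'

if __name__ == "__main__":
    order = ["example.com", "*.example.com"]
    print(txt_records_needed(order))  # {'_acme-challenge.example.com': 2}
    print(panel_host_field("_acme-challenge.example.com", "example.com"))  # _acme-challenge
    print(missing_challenge_values(["tokenForBaseName-constructed", "tokenForWildcard-constructed"],
                                   SAMPLE_DIG_OUTPUT))  # []
    for host in ("example.com", "www.example.com", "a.b.example.com"):
        print(host, "| wildcard only:", cert_covers(["*.example.com"], host),
              "| wildcard + base:", cert_covers(order, host))
```

In practice you would run `dig +short TXT _acme-challenge.example.com` (ideally against the zone's authoritative server, not a caching resolver) and feed its output to missing_challenge_values before pressing Enter in certbot; a stale cache is the usual reason a freshly created record "is not there yet".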

You can probably enter the full domain name if you append a dot at the end. (You shouldn't, keep things relative, not absolute)

You can automate the renewal on your laptop, leaving you only to upload the certificates in the panel: http://pbxhacks.com/automating-lets-encrypt-ssl-certs-via-godaddy-dns-challenge/

You can probably automate the upload as well but not being a goDaddy customer myself I haven't looked hard enough. (edit: it looks like acme.sh - a certbot alternative - has a cpanel deploy hook)

3 Likes

@schoen @rg305 @freessltools.com

OK thanks for all the help :slight_smile: I ran certbot once, specified everlooksolutions.com *.everlooksolutions.com as my domains, and it then asked me to create a TXT record. I did so. Specifically, in the GoDaddy GUI, for the 'Name' I entered _acme-challenge.everlooksolutions.com and clicked 'Save.' Back in certbot I pressed any key to continue, and the validation failed, as expected given the comment by @freessltools.com.

I then repeated those steps, and this time, for the 'Name' in GoDaddy I specified _acme-challenge. and clicked 'Save.' The GoDaddy GUI then stripped the . off the end. Back in certbot I pressed any key to continue, and this time the validation succeeded. Yay. It did not ask me to create a second TXT record.

So now what is my next step? Am I correct that all this step accomplished was to save a 'certificate, chain, and key file' on my local computer? The certbot output was:

 Congratulations! Your certificate and chain have been saved at:
   C:\Certbot\live\everlooksolutions.com\fullchain.pem
   Your key file has been saved at:
   C:\Certbot\live\everlooksolutions.com\privkey.pem
   Your cert will expire on 2020-10-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

GoDaddy allows me to add a new cert (screenshot), provided I can enter the following:

  • Certificate: (CRT): I guess this is the first certificate in the first file certbot created (the 'certificate' in C:\Certbot\live\everlooksolutions.com\fullchain.pem). Is that right?
  • Private Key (KEY): My guess is that this is in the second file that certbot created (the 'key file,' in C:\Certbot\live\everlooksolutions.com\privkey.pem)
  • Certificate Authority Bundle: (CABUNDLE): Is this the second certificate in the first file certbot created, i.e. the 'chain' that certbot created (in C:\Certbot\live\everlooksolutions.com\fullchain.pem).

Am I correct on those? Or am I missing something?

2 Likes

In the full chain there should be 2 PEM-formatted certs. The first is yours. The second is the CA bundle. GoDaddy will automatically fill in the CA bundle when you paste your cert into the box so no need to worry about copying that one. :blush: You are correct about the private key.

For all of my own certs, I install them manually too, which is kinda taboo around here. I actually generate my 4096 bit private key first then generate a CSR, all from the SSL cPanel on the GoDaddy website. That way I don't need to mess with certbot at all as my keys, csrs, and certs automatically end up in the right spot. As for generating the cert, I specifically created the Free SSL Certificate page on freessltools.com as an automated, web-based Let's Encrypt acme client to make the manual process super fast for GoDaddy. No scripts or installs required. I then use the SSL check in cPanel to verify and make note of the expiration date. To keep my generated keys, csrs, and certs in line, I put the date in the description box for all 3.

By the way, just for your knowledge, the private key actually contains the public key as well (in a manner of speaking). You can extract it from a terminal using a simple openssl command if you ever needed to. I'm going to be adding several tools to freessltools.com soon, including a full extraction of the data in the public and private keys. Now before anyone goes crazy on me about how you should never submit your private keys, let me say first of all that they will be sent encrypted (obviously) and I don't save them in any capacity. Trust me. :kissing_heart: Of course you should NEVER trust any site or unfamiliar tool with your private keys, but for educational and informative purposes I'm still going to allow it, with a warning of course.

2 Likes
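The layout of fullchain.pem described in the answer above, as an added Python example that is not from the thread or from Certbot: it splits the file into the leaf certificate and the remaining chain, which is exactly how the "Certificate (CRT)" and "CA bundle" boxes map onto it, and flags a private key so it does not end up pasted into a certificate box. The PEM bodies in the sample are constructed placeholders, not real certificates.

```python
"""Split Certbot's fullchain.pem into the leaf certificate and the CA bundle.

Added example, not from the thread or from Certbot. The PEM bodies in the
sample are constructed placeholders, not real certificates.
"""
import re
from pathlib import Path

# One PEM block: BEGIN/END labels must match, body is everything in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.+?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text: str) -> list[tuple[str, str]]:
    """All (label, block) pairs in a PEM file, in order, normalized to '\\n' line endings."""
    return [(m.group("label"), m.group(0).replace("\r\n", "\n") + "\n")
            for m in PEM_BLOCK.finditer(text)]


def leaf_and_bundle(fullchain: str) -> tuple[str, str]:
    """fullchain.pem is the leaf first, then the intermediate(s).

    Returns (leaf, bundle): the leaf goes in the 'Certificate (CRT)' box, the
    bundle (everything after the leaf) in the 'CA bundle' box.
    """
    certs = [blk for label, blk in pem_blocks(fullchain) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE blocks found; this is not a fullchain.pem")
    return certs[0], "".join(certs[1:])


def is_private_key(text: str) -> bool:
    """True for the file that belongs in the 'Private Key (KEY)' box and nowhere else."""
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text))


def split_fullchain_file(path: str) -> tuple[str, str]:
    """Read fullchain.pem; Certbot's live/ entries are links into archive/, so follow them."""
    target = Path(path).resolve()
    data = target.read_text(encoding="ascii")
    if not data.strip():
        raise ValueError(f"{target} is empty; check the target under archive/ and its permissions")
    return leaf_and_bundle(data)


# Constructed sample in the shape of fullchain.pem (leaf, then one intermediate).
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBleafCertificatePlaceholderNotARealCertificate==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBintermediateCertificatePlaceholderNotARealCert=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    leaf, bundle = leaf_and_bundle(SAMPLE_FULLCHAIN)
    print("CRT box:\n" + leaf)
    print("CA bundle box:\n" + bundle)
    print("sample is a private key:", is_private_key(SAMPLE_FULLCHAIN))  # False
```

On a real system point split_fullchain_file at live/<name>/fullchain.pem; because it resolves the link first, a permission error or an empty result points at the archive/ copy, not at the link.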

I think this is not possible.
I would like to see an example of what you mean.

2 Likes

An RSA public key contains all of the following (in this exact order):
modulus (n)
public exponent (e)

An RSA private key contains all of the following (in this exact order):
modulus (n)
public exponent (e)
private exponent (d)
prime 1 ( p )
prime 2 (q)
exponent 1 (d mod (p-1))
exponent 2 (e mod (q-1))
coefficient ((inverse of q) mod p)

The bit strength of an RSA key is the number of bits of the modulus (n).

Hence you can run the following openssl command on a private key to extract the public key:

openssl rsa -in privatekey.pem -pubout > publickey.pem

1 Like
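An added Python example, not from the thread, that builds an RSA private key from two toy primes with the components listed above, cross-checks those components against each other, and derives the public key from them, serializing it as the SubjectPublicKeyInfo structure that `openssl rsa -pubout` writes as a "PUBLIC KEY" PEM. The key uses the textbook primes 61 and 53 and is not secure; exponent 2 is computed as d mod (q-1), as RFC 8017 defines it.

```python
"""Toy RSA key with the PKCS#1 private-key components, and the public key derived from it.

Added example (not from the thread). The primes are the textbook 61 and 53,
so this key is a teaching aid only and must never be used for anything real.
"""
import base64
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaPrivateKey:
    # Field order follows RSAPrivateKey in PKCS#1 (RFC 8017), minus the version field.
    n: int      # modulus
    e: int      # public exponent
    d: int      # private exponent
    p: int      # prime 1
    q: int      # prime 2
    dP: int     # exponent 1 = d mod (p-1)
    dQ: int     # exponent 2 = d mod (q-1)
    qInv: int   # coefficient = q^-1 mod p


def make_private_key(p: int, q: int, e: int) -> RsaPrivateKey:
    """Derive every private-key component from two primes and a public exponent."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)      # RFC 8017 uses lcm(p-1, q-1); phi(n) also satisfies the checks
    d = pow(e, -1, lam)               # raises ValueError if e is not invertible
    return RsaPrivateKey(n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def check_private_key(k: RsaPrivateKey) -> bool:
    """Consistency checks a key parser should apply: every field is determined by p, q and e."""
    return (k.n == k.p * k.q
            and (k.e * k.d) % math.lcm(k.p - 1, k.q - 1) == 1
            and k.dP == k.d % (k.p - 1)
            and k.dQ == k.d % (k.q - 1)
            and (k.qInv * k.q) % k.p == 1)


def public_from_private(k: RsaPrivateKey) -> tuple[int, int]:
    """The public key is just the first two private-key fields: (n, e)."""
    return k.n, k.e


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(v: int) -> bytes:
    """DER INTEGER; the +8 reserves a leading 0x00 when the top bit is set (keeps it positive)."""
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_tlv(0x30, der_integer(n) + der_integer(e))


def spki_der(n: int, e: int) -> bytes:
    """X.509 SubjectPublicKeyInfo, the encoding behind a '-----BEGIN PUBLIC KEY-----' PEM."""
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")          # { rsaEncryption, NULL }
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key_der(n, e))    # 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)


def pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def spki_sha256_hex(n: int, e: int) -> str:
    """SHA-256 of the SPKI DER, the common fingerprint form for identifying a public key."""
    return hashlib.sha256(spki_der(n, e)).hexdigest()


TOY_KEY = make_private_key(61, 53, 17)   # constructed toy key, not secure

if __name__ == "__main__":
    print(TOY_KEY)
    print("consistent:", check_private_key(TOY_KEY))
    n, e = public_from_private(TOY_KEY)
    print(pem("PUBLIC KEY", spki_der(n, e)))
    print("SPKI sha256:", spki_sha256_hex(n, e))
```

Running `openssl rsa -in privatekey.pem -pubout` does the same thing on a real key: it reads (n, e) out of the private key and writes the SPKI; `-RSAPublicKey_out` would emit the inner PKCS#1 RSAPublicKey instead.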

OK I see what you mean now.
Not sure how that can be useful (to common folk), but it is good to know :slight_smile:

3 Likes

Hopefully it will help spread correct knowledge of crypto and prevent the absurd arguments that I've seen in many other forums around the net. :blush:

2 Likes

Just for posterity I wanted to add that once you have successfully installed your cert, you should absolutely delete every _acme-challenge TXT record to prevent future confusion (as well as for hygiene in general).

1 Like

I've found it useful before when making up puzzles and challenges involving cryptography. :slight_smile:

I guess it could also be useful if users were confused about keys that they had in /etc/letsencrypt/keys (trying to match those up with certificates downloaded from CT)?

3 Likes

The openssl rsa -pubout construct is used for the pwnedkeys.com key compromise check in my ACME client code:
https://github.com/bruncsak/ght-acme.sh
This openssl construct is useful in practice.

5 Likes

@freessltools.com @rg305 @schoen

Thanks so much for your help so far. So sorry for my delay--things keep coming up on my end. But I'm learning a lot here. I'm trying to add my cert and my private key to the GoDaddy GUI. But I've run into a new issue. Those files saved on my computer are now 0 KB in file size (screenshot). Is that expected?

If I try to run certbot again from the command line, it warns:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: C:\Certbot\renewal\everlooksolutions.com.conf)

What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (may be subject to CA rate limits)

I'm happy to renew and replace, but will I run into any 'CA rate limits?'

That's odd. Almost seems like they didn't get downloaded. I know it sounds silly, but did you try hitting the refresh button in file manager to see if the size info is current?

The warning is exactly as expected to keep you from getting a new cert unnecessarily. You definitely wonā€™t run into any rate limits anytime soon.

The symlinks in "live" presumably show in Windows as having no size because they point to files elsewhere. But those files will have a size, and probably only be accessible by an administrator.

I don't know much about Windows or Windows permissions, but do you have a way that you could try accessing these as an administrator? You might find that the files do exist and have content.

1 Like