Thanks for recommending certbot-auto @eggsampler which got installed & was useful in regenerating my SSL certificate. However since my earlier one expired, I renewed it this time with a wildcard SSL that generated successfully but I faced a whole lot of other issues.
Here's how that went:
- Installed certbot-auto without a hitch.
- Went about renewing my SSL certificate with a wildcard: *.vinayhegde.info within 5 minutes as well. Check this how-to for it.
- When I deployed it to my web-server and tested it using SSLShopper, it gave a weird error
Unable to communicate securely with peer: requested example name does not match the server's certificate
- Confirmed the issue with a simple curl command to my domain name which persisted post HTTPS redirection too.
- Surprisingly, my domain with a www was showing the new SSL perfectly along with the redirection (on HTTPS with www)
- After a lot of Google searches, it turned out that a wildcard SSL cert just supports *.example.com, i.e. a.example.com or b.example.com, but NOT example.com itself. More on that here & here.
- Revoked & deleted all of my current certs; check this article on how to do so.
- Went about regenerating my SSL but now was being rate-limited by LetsEncrypt, read this.
- Waited an hour before retrying which finally succeeded.
TL;DR - Key Points:
- Wildcard SSL works only on *.example.com and NOT on our parent domain, example.com; we need an SSL cert with a Subject Alternative Name (SAN) for it.
- When doing the above, you need to add a TXT record in your DNS for LetsEncrypt to verify. Note: since you're giving 2 domains as inputs, you'll need 2 TXT records.
e.g.:
sudo /opt/packages/certbot-auto certonly --manual -d example.com -d "*.example.com" --agree-tos --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
- Be careful of LetsEncrypt rate-limits, they can throw a spanner in your renewal or creation process if not adhered to.
Hope this helps for anyone who has a similar issue, cheers!
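The name mismatch described in the post above comes from the way wildcard names are matched (RFC 6125: `*` stands in for exactly one leftmost label, so `*.example.com` never covers the apex `example.com`). The following is an added example, not code from the original post or from certbot; it implements that matching rule and reports which of the hostnames you serve are not covered by a certificate's SAN list. The SAN lists and the peer-certificate dictionary are constructed sample data in the shape `ssl` returns from `getpeercert()`.

```python
"""Check whether a certificate's Subject Alternative Names (SANs) cover the
hostnames a web server actually answers for.

Added example (not from the original post or from certbot). Implements the
single-label wildcard rule from RFC 6125 section 6.4.3, which is why a cert
for only "*.example.com" fails for "example.com" but works for "www.example.com".
"""


def hostname_matches(san: str, hostname: str) -> bool:
    """Return True if the DNS SAN entry `san` covers `hostname`.

    - Comparison is case-insensitive and ignores a trailing dot.
    - A wildcard is honoured only as the entire leftmost label ("*.example.com").
    - The wildcard matches exactly one label: it covers "www.example.com" but
      neither the apex "example.com" nor the deeper "a.b.example.com".
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if not san.startswith("*."):
        # Plain name: must be an exact match.
        return san == hostname

    suffix = san[1:]  # "*.example.com" -> ".example.com"
    # Refuse over-broad wildcards such as "*.com" (browsers do the same).
    if suffix.count(".") < 2:
        return False
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]  # the part the "*" would have to cover
    # Exactly one non-empty label: no empty head (apex) and no dots (sub-subdomains).
    return bool(head) and "." not in head


def uncovered_names(sans, hostnames):
    """Hostnames from `hostnames` that no entry in `sans` covers, in input order."""
    return [h for h in hostnames if not any(hostname_matches(s, h) for s in sans)]


def dns_names_from_peercert(peercert: dict):
    """Extract DNS SAN entries from the dict returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample data mirroring the situation in the post:
# first attempt was a wildcard-only cert, the fix was apex + wildcard.
WILDCARD_ONLY_SANS = ["*.example.com"]
APEX_PLUS_WILDCARD_SANS = ["example.com", "*.example.com"]
SERVED_HOSTNAMES = ["example.com", "www.example.com"]

# Constructed stand-in for ssl.getpeercert() output (only the SAN part matters here).
CONSTRUCTED_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def report(sans, hostnames):
    """Human-readable summary of coverage for a SAN list."""
    missing = uncovered_names(sans, hostnames)
    if missing:
        return "SANs %s do NOT cover: %s" % (sans, ", ".join(missing))
    return "SANs %s cover all of: %s" % (sans, ", ".join(hostnames))


if __name__ == "__main__":
    print(report(WILDCARD_ONLY_SANS, SERVED_HOSTNAMES))
    print(report(APEX_PLUS_WILDCARD_SANS, SERVED_HOSTNAMES))
    print(report(dns_names_from_peercert(CONSTRUCTED_PEERCERT), SERVED_HOSTNAMES))
```

To run this against a live server instead of the constructed data, wrap a socket with `ssl.create_default_context().wrap_socket(sock, server_hostname=host)`, call `getpeercert()` on it and pass the result to `dns_names_from_peercert` (assumed usage; the standard library does the hostname check itself during the handshake, so this is most useful for checking a certificate before deploying it or for explaining a mismatch after the fact).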