Hello,
I would like to upgrade to using wildcard subdomains. I already have certbot-auto (0.22) and am running Ubuntu 16.04.4 LTS.
I currently have Let's Encrypt certs for the domain and subdomains, e.g.:
https://mydomain.com
https://sub1.mydomain.com
https://sub2.mydomain.com
What is the best method to convert from certs for specific subdomains to wildcard subdomains?
You’ll just need to issue a new certificate covering mydomain.com and *.mydomain.com. This may be slightly different than how you first issued your current certificate, as wildcards require the use of dns-01 authorization, as opposed to http-01.
I’m moving this to ‘help’ instead of ‘issuance tech’ - could you elaborate on your setup and how you initially issued your certificate?
Initially I used this procedure: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
Then I updated to certbot-auto 0.22, added new domains/subdomains to /etc/apache2/sites-available/mydomain.com-le-ssl.conf and then ran the command below:
$ sudo ./certbot-auto --expand --apache
So I am just wondering what to do now that wildcards are supported. Do I need to revoke/delete the subdomain certs and redo with just mydomain and *.mydomain and manually update the apache conf files?
And do I still need a DNS A and CNAME record for each subdomain? Or can I add a wildcard in DNS?
Here is a sample of what my DNS looks like:
A mydomain.com
CNAME www.mydomain.com
CNAME *.sub1.mydomain.com
A sub1.mydomain.com
CNAME *.sub2.mydomain.com
A sub2.mydomain.com
I finally did this:
Create the wildcard and main domain cert:
$ sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d mydomain.com -d *.mydomain.com
You will be asked to enter 2 challenges in your DNS as type TXT. Verify each one with the following command in a different terminal before continuing:
$ nslookup -type=TXT _acme-challenge.mydomain.com
When done, you will be told where your certs are. Either point your SSL conf files to that folder, or, as in my case, just rename the old mydomain.com and create a symbolic link in that same folder called mydomain.com:
$ ln -s /etc/letsencrypt/live/mydomain.com-0001 \
/etc/letsencrypt/live/mydomain.com
Nothing to restart unless you change your apache conf files.
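A check for the "verify each one before continuing" step above, added here as an example and not part of the original thread: it parses nslookup output and reports success only when both tokens (one for mydomain.com, one for *.mydomain.com, which share the same _acme-challenge name) are visible. The token values, the sample nslookup output and the polling interval are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that BOTH ACME TXT
# tokens (one for mydomain.com, one for *.mydomain.com) are visible at
# _acme-challenge.mydomain.com before pressing Enter in certbot.
# Assumed: the two token strings are copied from certbot's prompt;
# lookups use nslookup exactly as in the post above.

# Print the quoted TXT values found in nslookup -type=TXT output, one per line.
txt_values_from_nslookup() {
    printf '%s\n' "$1" | sed -n 's/.*text = "\(.*\)"/\1/p'
}

# Succeed only when every expected token (args 2..n) is among the TXT
# values in the nslookup output passed as arg 1.
all_tokens_present() {
    output="$1"; shift
    values=$(txt_values_from_nslookup "$output")
    for token in "$@"; do
        printf '%s\n' "$values" | grep -Fqx -- "$token" || return 1
    done
    return 0
}

# Poll live DNS until both tokens are present or the attempt limit is hit.
wait_for_acme_txt() {
    domain="$1"; token1="$2"; token2="$3"; max="${4:-20}"; n=0
    while [ "$n" -lt "$max" ]; do
        out=$(nslookup -type=TXT "_acme-challenge.$domain" 2>/dev/null)
        if all_tokens_present "$out" "$token1" "$token2"; then
            echo "both TXT tokens visible at _acme-challenge.$domain"
            return 0
        fi
        n=$((n + 1)); sleep 15   # assumed 15 s between lookups
    done
    echo "timed out: not all TXT tokens visible yet" >&2
    return 1
}

# Constructed nslookup output: only the first token has propagated so far.
SAMPLE_ONE='Non-authoritative answer:
_acme-challenge.mydomain.com    text = "TOKEN1_PLACEHOLDER"'

# Constructed nslookup output: both records visible, the state to wait for.
SAMPLE_BOTH='Non-authoritative answer:
_acme-challenge.mydomain.com    text = "TOKEN1_PLACEHOLDER"
_acme-challenge.mydomain.com    text = "TOKEN2_PLACEHOLDER"'

# Usage against live DNS (uncomment once both TXT records are in place):
# wait_for_acme_txt mydomain.com TOKEN1_PLACEHOLDER TOKEN2_PLACEHOLDER
```

Only continue in certbot once the wait succeeds; a single visible record means the second challenge will fail even though the first validates.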