Wildcard certificacion with my own host and DNSs from domain provider


#1

Hello
I own a HP Proliant micro server, with the GNU/Linux Archlinux operating system, with kernel linux 4.20.7.

I have direct access to the hardware and access through ssh.

I have an Apache HTTP Server 2.4.38 configured. with two virtualhost enabled. I have installed the certbot 0.31.0 and the certbot-apache 0.31.0

I have contracted two domains with the dinahosting.com provider: artabro.org and codigoartabro.org

On my Apache server, the first virtualhost is associated with the artabro.org domain, and the second virtualhot is associated with the subdomain codigo.artabro.org, and with alias codigoartabro.org

I manage the DNS records from the user portal of the dinahosting provider.

Unfortunately I have dynamic IP. I do not know if this influences when it comes to obtaining a certificate.

I am interested in obtaining a wildcard certificate for all subdomains of artabro.org, and for this domain too.

1.- With dynamic IP there would be some problem to obtain a certificate of Let’s Encrypt?
2.- By not directly managing my DNS, but having to do it through dinahosting, can I obtain the wildcard certificate?
3.- What would be the procedure, with the configuration indicated above? I have been looking at the documentation and I get lost in the part of the certbot plugins, I do not know if I should install any more plugins.


#2

Hi @Laegnur

if you want to create a wildcard certificate, you must use dns-01 validation.

So:

dns-01 validation doesn’t need a running webserver, so your ip isn’t relevant.

You can do that manual. But you have to do that every 60 - 85 days with a new value.

Does your dns provider supports an API. If not, you must do that manual, then you don’t need a plugin.


#3

Hi

Thanks for your answer. I will watch the official documentation again, and try to do the manual process.


#4

Manual process will become tiresome (sooner than you think).
Your best bet is to get a DNS API solution and automate that.
OR
If you can manage without a wildcard, authenticate the servers via HTTP-01.
Which can be fully automated with any ACME client (no API required).

Note: One cert can hold up to 100 names.
Even (worst case) with having to add the “WWW” entries for each site, that’s still 50 sites per cert.


#5

Hello again
I think I have it. Well, I have it, I think everything is fine. This is what I did.

Execute the command:

certbot --text --agree-tos --email laegnur@whatever -d artabro.org,*.artabro.org,codigoartabro.org,*codigoartabro.org --manual --preferred-challenges dns --expand --renew-by-default --manual-public-ip-logging-ok certonly

It asked me to create 4 TXT entries in the DNS. Once done, wait half an hour before continuing. The certbot validated the tickets, and generated the keys.

I went to the Mozilla SSL Configuration Generation and created the recommended configuration for my version of Apache and openSSL and combined it with @Archer 's Apache Configuration Example here .

I added these lines to the configuration of my vhosts:

<VirtualHost *:80>
ServerName artabro.org
ServerAlias www.artabro.org
Redirect / https://artabro.org
</VirtualHost>
<VirtualHost _default_:443>
ServerName artabro.org
ServerAlias www.artabro.org
DocumentRoot "......"
<Directory "........">
.....
</Directory>
SSLEngine on
SSLCertificateFile /...../cert.pem
SSLCertificateKeyFile /...../privkey.pem
SSLCertificateChainFile /...../chain.pem
Header always set Strict-Transport-Security "max-age=15768000"
Header always set X-Frame-Options DENY
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
</VirtualHost>

And these lines to the general configuration of http-ssl.conf:

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Also enable the modules ssl_module, socache_shmcb_module and headers_module of Apache and include the previous configuration in the general configuration file of Apache.

Restart the server, and SSL is working. To check it I went to the site SSL Server Test
And I get an A+, so I guess everything is correct.

Now I understand that the 4 TXT entries of the DNSs can be removed, but in two months, I should rerun the certbot command, and re-add the entries temporarily, is that it?

@JuergenAuer thanks again to point me on correct direction.
@rg305 my domain provider sells its own certificates, so I do not think they give me much support with this. And I do not think it would be right to go and ask for help. Could you give me some example or explain to me the HTTP-01 authentication method?


#6

If you require wildcard certificates, the HTTP-01 authentication method would not be suitable.

But keep in mind that you can change DNS hosts free of charge at any time - I’ve put up a list of DNS hosts that are confirmed to do support automatic DNS validation and renewal with Let’s Encrypt clients here: DNS providers who easily integrate with Let's Encrypt DNS validation


#7

Yes, you can remove these entries. But they are not critical, so you can ignore them.

Yep, without a DNS api you have to do that manual.

Certbot creates files in /.well-known/acme-challenge, Letsencrypt checks these files. So if you don’t have too much subdomains, it’s possible.

There is a limit of 50 new certificates per week per domain. So if you have only 20 or 30 and only one new subdomain per week, you can use http-01 validation.


#8

Hi!

Many thanks to all for your help.

I think I will stay with the actual config, and in a couple months I will see if I change to the HTTP-01 method.


#9

Be aware that wildcard certs require DNS authentication method.
You can only use HTTP method for the names that don’t have “*”.


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.