In 2017, I wrote a post on how to set up Let’s Encrypt certificates together with NGINX. Back then, Let’s Encrypt hadn’t added support for wildcard certificates. Although it’s not a big issue, it does mean you have to generate a new certificate each time you want to add a new subdomain to the certificate. Earlier this year, Let’s Encrypt finally added support for wildcard certificates. Therefore, I recently changed to a wildcard certificate. This blog post documents how I managed to do that.
Preparations
To be able to issue wildcard certificates, the ACME v2 standard was introduced. If you have previously installed certbot (like me), you need to make sure the version number is equal to or above 0.22.0 in order to support ACME v2. In addition, the only challenge method supported for obtaining wildcard certificates is the DNS challenge. This is accomplished by adding a special DNS record to the domain, which means you need to use a DNS provider that provides API access. Personally, I’m using Cloudflare. A list of supported DNS providers is available here.
Besides using a supported DNS provider, you also need to install an extra package on your system because these DNS plugins for certbot don’t come with the standard installation. I ran the following commands (on CentOS 7) to achieve this,
$ sudo yum update certbot
$ sudo yum install python2-certbot-dns-cloudflare
Another thing you need to do is to obtain an API key for manipulation of DNS. For Cloudflare, I obtained the key from the website and stored the information in a file with the following format. Remember to set the permission to 600 (only R/W by yourself) to protect your key.
dns_cloudflare_email = <YOUR-EMAIL>
dns_cloudflare_api_key = <YOUR-KEY>
Getting the certificate
With all the preparations done, you are all set to obtain the wildcard certificate. Simply issue the following command,
$ sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /path/to/key \
--dns-cloudflare-propagation-seconds 10 \
--server https://acme-v02.api.letsencrypt.org/directory \
-d '*.example.com'
Here I’m enabling the Cloudflare DNS plugin with --dns-cloudflare. If you are using another provider, please change the flags accordingly. Note that you must provide the server address in order to connect to the ACME v2 API. Another thing to note is that *.example.com doesn’t include example.com. If you intend to support your root domain as well, make sure you pass an additional -d parameter for the root domain. If everything goes well, you should be able to pass the DNS challenge and obtain the certificate. Please check my previous post if you want to use the certificate with NGINX.
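As an added example (not the post’s own script), the following POSIX shell script wraps the procedure above: it checks that the installed certbot is at least 0.22.0, refuses a credentials file that is readable by anyone but its owner, and requests both the wildcard and the root domain in one certificate. The credentials path /path/to/cloudflare.ini and the domain example.com are placeholders.

```shell
#!/bin/sh
# Pre-flight checks and issuance for a Let's Encrypt wildcard certificate via certbot's Cloudflare plugin.
set -eu
MIN_CERTBOT=0.22.0   # first certbot release that speaks ACME v2
ACME_V2=https://acme-v02.api.letsencrypt.org/directory

# version_ge HAVE NEED: succeed if dotted version HAVE is >= NEED (e.g. 0.31.0 >= 0.22.0).
version_ge() {
  have=$1 need=$2
  while [ -n "$have" ] || [ -n "$need" ]; do
    h=${have%%.*}; n=${need%%.*}
    [ "$have" = "$h" ] && have= || have=${have#*.}
    [ "$need" = "$n" ] && need= || need=${need#*.}
    [ "${h:-0}" -gt "${n:-0}" ] && return 0
    [ "${h:-0}" -lt "${n:-0}" ] && return 1
  done
  return 0
}

# creds_mode_ok FILE: succeed only if FILE is mode 600 or 400 (owner-only), as the post advises.
creds_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD fallback
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# build_certbot_cmd CREDS DOMAIN: print the certbot command line. Both '*.DOMAIN' and the bare
# DOMAIN are requested, because the wildcard alone does not cover the root domain.
build_certbot_cmd() {
  printf 'certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s' "$1"
  printf ' --dns-cloudflare-propagation-seconds 10 --server %s' "$ACME_V2"
  printf " -d '*.%s' -d '%s'\n" "$2" "$2"
}

main() {
  creds=$1 domain=$2
  command -v certbot >/dev/null || { echo "certbot is not installed" >&2; exit 1; }
  have=$(certbot --version 2>&1 | awk '{print $2}')   # prints "certbot X.Y.Z" (stderr on old versions)
  version_ge "$have" "$MIN_CERTBOT" ||
    { echo "certbot $have found; ACME v2 needs >= $MIN_CERTBOT" >&2; exit 1; }
  creds_mode_ok "$creds" ||
    { echo "$creds must be owner-only: chmod 600 $creds" >&2; exit 1; }
  echo "Running: $(build_certbot_cmd "$creds" "$domain")"
  certbot certonly --dns-cloudflare --dns-cloudflare-credentials "$creds" \
    --dns-cloudflare-propagation-seconds 10 --server "$ACME_V2" \
    -d "*.$domain" -d "$domain"
}

# Usage (as root): sh issue-wildcard.sh /path/to/cloudflare.ini example.com ; no args only defines functions.
if [ "$#" -ge 2 ]; then main "$@"; fi
```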
Conclusion
In conclusion, I described how you can obtain a wildcard certificate from Let’s Encrypt. As I mentioned, there are a few things that you need to pay attention to in order to successfully obtain the right certificate. I hope you find my post helpful.