How to Generate free Wildcard Certificates using Let’s Encrypt (Certbot) on Ubuntu Linux


This brief tutorial shows students and new users how to generate free wildcard SSL/TLS certificates using Let’s Encrypt (Certbot) on Ubuntu 16.04 | 18.04 LTS.

Let’s Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates using a fully automated process that eliminates manual certificate creation, validation, installation, and renewal.

When generated, you can install these certificates on your web servers to serve HTTPS traffic to your users and audience.

To get free wildcard certificates to install on your web server, follow the steps below, which show how to generate a wildcard SSL certificate for your domain using Certbot.

Install the Let’s Encrypt Certbot Tool

Before generating your free wildcard certificates, you must ensure that certbot is installed. To install it, run the commands below:

sudo apt update
sudo apt-get install letsencrypt

The commands above install the certbot tool and the dependencies it needs to function (on Ubuntu 18.04 the letsencrypt package is a transitional package that pulls in certbot).

Generate Let’s Encrypt Wildcard SSL Certificate

Once the tool is installed, you can proceed to generate certificates.

Let’s Encrypt supports several challenge types for proving that you control the domain for which you want SSL certificates. You cannot obtain certificates if you cannot prove that you control the domain.

However, for wildcard certificates, the only challenge type Let’s Encrypt accepts is the DNS challenge (dns-01), which we select with the --preferred-challenges=dns flag.

So, to generate a wildcard cert for the domain *.example.com, run the command below. You should also include the bare domain when registering, and quote the wildcard so the shell does not try to expand it as a file pattern.

sudo certbot certonly --manual --preferred-challenges=dns --email admin@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d example.com -d '*.example.com'

The command options above are explained below:

  • certonly: obtain or renew a certificate, but do not install it
  • --manual: obtain certificates interactively
  • --preferred-challenges=dns: use DNS to authenticate domain ownership
  • --server: specify the ACME endpoint to use (the v2 endpoint is required for wildcards)
  • --agree-tos: agree to the ACME server’s subscriber terms
  • -d: domain name to obtain certificates for (repeat for each name)

After executing the command above, Let’s Encrypt will print a value that you must publish as a DNS TXT record for your domain.

Example:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8

Before continuing, verify the record is deployed.

Go to your DNS provider’s portal, add a TXT record named _acme-challenge.example.com with the value printed above, and save.

Wait a few minutes before continuing from the prompt. Some DNS providers take a while to propagate changes, and how long depends on your provider’s platform; if you press Enter before the record is visible, the challenge fails.

Once the record is in place and Let’s Encrypt has validated that you own the domain, you should see a success message like the one below:
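Added example (not part of the original tutorial): a small standard-library-only Python checker that asks a public resolver for the _acme-challenge TXT record and compares it with the value certbot printed, so you only continue once the record is actually visible. The resolver address 1.1.1.1 and the 5 s timeout are assumptions; call it as challenge_deployed("example.com", "<value certbot printed>").

```python
import socket
import struct
# Added example (not from the tutorial): stdlib-only TXT lookup for the dns-01 check.

def build_txt_query(name, txid=0x1234):
    """Build a one-question DNS query for TXT (type 16), recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 16, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_txt_answers(msg):
    """Return the TXT strings found in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                 # non-zero RCODE (e.g. NXDOMAIN): nothing yet
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:                # RDATA: one or more <len><chars> strings
            pos, end, parts = off, off + rdlen, []
            while pos < end:
                n = msg[pos]
                parts.append(msg[pos + 1:pos + 1 + n].decode())
                pos += 1 + n
            texts.append("".join(parts))
        off += rdlen
    return texts

def challenge_deployed(domain, expected, resolver="1.1.1.1"):
    """True once the resolver (assumed: 1.1.1.1) serves the expected value."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_txt_query("_acme-challenge." + domain), (resolver, 53))
        reply, _ = s.recvfrom(4096)
    return expected in parse_txt_answers(reply)
```

Query a resolver that is not your own provider’s, since Let’s Encrypt validates from the outside; repeat until it returns True, then press Enter at the certbot prompt.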

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-01-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

That should do it!

The wildcard certificate is now generated and ready to be used.

To verify that the certificate is ready, run the commands below:

sudo certbot certificates

That should display a screen similar to the one below:

Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2020-01-05 07:48:04+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

You’re all set!

Let’s Encrypt’s certificates are valid for 90 days, so you’ll want to set up a cron job to automate the renewal process. Note that certbot renew can only renew a --manual certificate unattended if a --manual-auth-hook script that creates the TXT record was supplied when the certificate was issued; without one, renewal of this certificate fails and must be rerun interactively, so check the log from the job below before the expiry date. To set up the job, open crontab and add the entry below:

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log

Save, and you’re done!

Congratulations! You have successfully learned how to generate Let’s Encrypt wildcard certificates.


5 responses to “How to Generate free Wildcard Certificates using Let’s Encrypt (Certbot) on Ubuntu Linux”

  1.
    Cesar

    Very nice. Thank you!

  2.
    Vinil

    How do I run the verification again if it failed? I don’t want to start the process from the step 1 again, every time it fails.

    1.
      Young Altair

      Please wait for 15 to 60 minutes. For me it averages 20 minutes to get near 100% worldwide DNS propagation.

  3.
    Kuladip Chaudhari

    Hi,
    I followed the above steps,
    and even modified the SSLCertificateFile and SSLCertificateKeyFile to point to the newly generated .pem files.
    But it gives me “ERR_SSL_PROTOCOL_ERROR” when I tried to visit the site using https://.

    There is no entry in the error log,

    but I have the following entries in the access log:
    “\x16\x03\x01\x01A\x01” 400 0 “-” “-”
    “\x16\x03\x01” 400 0 “-” “-”
    “\x16\x03\x01” 400 0 “-” “-”
    “\x16\x03\x01” 400 0 “-” “-”

    Thanks

  4.
    Nikhil

    Great, it works... thanks
