How to Setup Let’s Encrypt Wildcard SSL on Ubuntu Linux

The tutorial provides a walkthrough on generating free SSL/TLS wildcard certificates using Let’s Encrypt’s fully automated Certbot tool on Ubuntu 20.04 | 18.04 LTS. The SSL certificates help run websites over HTTPS, ensuring secure user traffic. Steps involving server installation, domain validation, certificate generation and automated renewal process are detailed. Authenticating domain ownership through DNS…

This brief tutorial shows students and new users how to generate free wildcard SSL/TLS certificates using Let’s Encrypt (Certbot) on Ubuntu 20.04 | 18.04 LTS.

You must install SSL certificates to run your website over HTTPS. You can pay for certificates from a certificate authority or get free ones from Let’s Encrypt.

Let’s Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates using a fully automated process that eliminates manual certificate creation, validation, installation, and renewal.

When generated, you can install these certificates on your web servers to serve HTTPS traffic to your users and audience.

So, to get your free wildcard certificates to install on your web server, follow the steps below:

Below, you’ll learn how to generate a wildcard SSL certificate for your domain using Certbot.

Install the Let’s Encrypt Certbot Tool

Before generating your free wildcard certificates, make sure Certbot is installed. To install it, run the commands below:

sudo apt update
sudo apt install certbot

The commands above install the certbot tool together with the dependencies it needs to function.

Generate Let’s Encrypt Wildcard SSL Certificate

Now that the tool is installed, you can generate certificates.

Let’s Encrypt offers several challenge types for proving that you control the domain you are requesting certificates for. If you cannot pass a challenge, no certificate is issued.

However, for wildcard certificates the only challenge Let’s Encrypt accepts is the DNS-01 challenge, which you select with the --preferred-challenges=dns flag.

So, to generate a wildcard certificate for *.example.com, run the command below. Include the bare domain as well, because a wildcard for *.example.com does not cover example.com itself.

sudo certbot certonly --manual --preferred-challenges=dns --email admin@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d example.com -d '*.example.com'

The command options above are explained below:

  • certonly: obtain or renew a certificate, but do not install it
  • --manual: obtain the certificate interactively
  • --preferred-challenges=dns: use a DNS challenge to prove domain ownership
  • --server: the ACME directory endpoint to use
  • --agree-tos: agree to the ACME server’s subscriber terms
  • -d: a domain name to include in the certificate (may be repeated)

After you run the command above, Certbot prints a validation token that you must publish as a DNS TXT record for your domain.

Example:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8

Before continuing, verify the record is deployed.

Go to your DNS provider’s portal, add a TXT record with the name and value shown, and save. Because the command requests both example.com and *.example.com, Certbot prompts twice, each time with a different value under the same record name; add both TXT records and keep both in place until validation has finished.

Wait a few minutes before continuing at the prompt. Some DNS providers take a while to propagate changes, and how long depends on your provider’s platform.

Once the records are in place and Let’s Encrypt has validated that you control the domain, you should see a success message like the one below:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-01-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That should do it!

The wildcard certificate is now generated and ready to be used.

To verify that the certificate is ready, run the command below:

sudo certbot certificates

That should display a similar screen as below:

Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2020-01-05 07:48:04+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

You’re all set!

Let’s Encrypt certificates are valid for 90 days, so you must renew before then. Note that certbot renew cannot renew a certificate obtained with --manual on its own: it needs a --manual-auth-hook script (or a DNS provider plugin) that publishes the TXT record for you. Until you automate that, repeat the certonly command above before the expiry date shown by certbot certificates.
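The two steps above that are still manual are verifying that the TXT record is deployed before continuing, and renewing without sitting at the prompt. The script below is an added example, not code from the original post or from the Certbot project: a --manual-auth-hook for the dns-01 challenge that computes the record name from the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables Certbot exports to the hook, and then polls the zone’s authoritative nameservers with dig until the record is visible. The DNS provider call is a placeholder function (publish_txt_record) that you replace with your provider’s API or CLI, the script path /usr/local/bin/acme-dns-hook.sh is assumed, and the zone is assumed to be the domain apex.

```shell
#!/bin/sh
# Added example, not from the original post: a --manual-auth-hook script that
# lets "certbot renew" run non-interactively for a certificate issued with
# --manual and the dns-01 challenge. Certbot runs the hook once per domain and
# exports CERTBOT_DOMAIN and CERTBOT_VALIDATION; the hook must publish
# _acme-challenge.<domain> TXT "<validation>" and return only once the record is
# visible. The publish step is provider-specific and is a placeholder here
# (publish_txt_record); verification uses dig against the zone's own nameservers.
set -eu

# Record name that ACME queries. A wildcard such as *.example.com is validated
# at the base name, so a leading "*." is stripped if it is passed in.
acme_record_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# Turn `dig +short TXT` output ("value" per line) into bare values, one per line.
# ACME validation tokens fit in a single quoted string, which is all this handles.
txt_values() {
    sed -n 's/^"\(.*\)"$/\1/p'
}

# Exit 0 if the expected value is among the TXT values read from stdin.
# The bare-domain and wildcard challenges share one record name, so we look for
# this hook's own value rather than for "any" record at that name.
has_txt_value() {
    grep -Fxq -- "$1"
}

# Placeholder: replace with your DNS provider's API call or CLI. Keep the API
# credential it uses in a root-only file and scope it to TXT records if possible.
publish_txt_record() {
    echo "TODO: create TXT record $1 with value \"$2\" via your DNS provider's API" >&2
}

# Poll every authoritative nameserver of the zone until one serves the record.
# Asking the authoritative servers rather than the local resolver avoids waiting
# on a cached negative answer. Assumes the domain is the zone apex.
wait_for_txt() {
    name="$1"; value="$2"; tries="${3:-30}"
    zone="${name#_acme-challenge.}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        for ns in $(dig +short NS "$zone" 2>/dev/null || true); do
            if dig +short TXT "$name" "@$ns" 2>/dev/null | txt_values | has_txt_value "$value"; then
                return 0
            fi
        done
        i=$((i + 1))
        sleep 10
    done
    return 1
}

hook_main() {
    name="$(acme_record_name "$CERTBOT_DOMAIN")"
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    if ! wait_for_txt "$name" "$CERTBOT_VALIDATION"; then
        echo "TXT record $name not visible on authoritative nameservers; aborting" >&2
        exit 1
    fi
}

# Run only when invoked by certbot (which sets these variables); sourcing the
# file elsewhere just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    hook_main
fi
```

To wire it in, issue the certificate once more with --manual-auth-hook /usr/local/bin/acme-dns-hook.sh added to the certonly command (and, if you want the record removed afterwards, a matching --manual-cleanup-hook); Certbot records the hook in /etc/letsencrypt/renewal/example.com.conf, after which sudo certbot renew --dry-run should pass instead of reporting that the manual plugin needs an authentication script. If your provider has an official certbot-dns-* plugin, that is the better-supported route and replaces this script entirely.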

Conclusion:

This post showed you how to set up Let’s Encrypt SSL wildcard certificates on Ubuntu 20.04 | 18.04. If you find any error above, please use the comment form below to report.

Thanks,

13 responses to “How to Setup Let’s Encrypt Wildcard SSL on Ubuntu Linux”

  1. Viktor Karpyuk

    Very nice and clear! Thank you very much for this post!

  2. Trevre

    I followed this tutorial and got a successful cert… however, when going to the url for my website, it does not direct to https nor does it say secured when manually entering it as https.

    I am running apache that this is being used on, is that why it’s not working? I figured this was a blanket cert for the website regardless of if it was ran by apache or something else?

    Thank you!

  3. Juan

    I got the certificate installed already. What’s next to be configured? What will be the content of the virtual host file?

  4. N

    Great tutorial!!!
    Well done

  5. Joe

    Thanks a lot for this, it was much easier than I thought. I now also understand cron jobs. Correct me if I am wrong but this one runs every day at 1am. And certbot will not renew if the certificate is not ready to be renewed.

  6. R

    Does the renewal actually work? Running "sudo certbot renew --dry-run" gives the following error:

    Cert not due for renewal, but simulating renewal for dry run
    Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
    Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/example.com/fullchain.pem (failure)

    1. Big Boy

      Just for future reference, from what I understand this happens when the --manual flag is used when generating the certificate. I know this tutorial says “renew” works at the end, but it doesn’t if you use the --manual flag to create the certificate.

  7. Gino

    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/.conf
    -------------------------------------------------------------------------------
    Cert is due for renewal, auto-renewing...
    Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
    Attempting to renew cert () from /etc/letsencrypt/renewal/.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live//fullchain.pem (failure)

    -------------------------------------------------------------------------------

    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live//fullchain.pem (failure)
    -------------------------------------------------------------------------------
    1 renew failure(s), 0 parse failure(s)

  8. Till

    The most important part is missing, means how to link the certificate to your web server configuration. How about this ?

  9. Chaiyot

    Do we need to install a crontab if the status of certbot.timer is active? I’m confused by other websites’ instructions.

  10. Benjamin Akrong

    I took a screenshot of your congratulations message. Please forgive me

  11. phytolove

    Almost positive the auto-renew option via the cronjob is not valid (unless there’s a renew-hook script that configures the DNS for the wildcard domains). OR you connect to your DNS’ API plugin (I’ve read some safety concerns around this).

    Decided on acme-dns as there are a few threads that recommend it to automate the process. A script to certbot seems like a good option for those technical enough to carry out.

  12. darren

    It says right on the official certbot FAQ that a certificate obtained through the --manual option cannot be renewed with the renew command. You are supposed to use a script or some other automation technique for the renewal.
