This brief tutorial shows students and new users how to generate free wildcard SSL/TLS certificates using Let’s Encrypt (Certbot) on Ubuntu 20.04 | 18.04 LTS.
When you want to run your website over HTTPS, you’ll have to install SSL certificates. You can either pay for certificates from a certificate authority or get free ones from Let’s Encrypt.
Let’s Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates using a fully automated process that eliminates manual certificate creation, validation, installation, and renewal.
When generated, you’ll be able to install these certificates on your web servers to serve HTTPS traffic to your users and audience.
So, to get your free wildcard certificates to install on your web server, follow the steps below:
Below you’ll learn how to generate a wildcard SSL certificate for your domain using Certbot.
Install the Let’s Encrypt Certbot Tool
Before generating your free wildcard certificates, you’ll first want to make sure certbot is installed and running. To install it, run the commands below:
sudo apt update
sudo apt-get install certbot
The commands above install the certbot tool together with the dependencies it needs to run.
Generate Let’s Encrypt Wildcard SSL Certificate
Now that the tool is installed, you can now proceed to generate certificates.
Let’s Encrypt offers several challenge types for proving that you control the domain you want certificates for. If you cannot prove control of the domain, no certificate will be issued.
For wildcard certificates, however, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we select with the --preferred-challenges=dns flag.
So, to generate a wildcard cert for *.example.com, run the command below. You should also include the bare domain (example.com) when registering, because the wildcard does not cover it.
sudo certbot certonly --manual --preferred-challenges=dns --email admin@example.com \
  --server https://acme-v02.api.letsencrypt.org/directory --agree-tos \
  -d example.com -d '*.example.com'
The command options above are explained below:
- certonly: Obtain or renew a certificate, but do not install it
- --manual: Obtain certificates interactively
- --preferred-challenges=dns: Use the DNS challenge to prove domain ownership
- --server: Specify the ACME server endpoint to use
- --agree-tos: Agree to the ACME server’s subscriber terms
- -d: Domain name to obtain certificates for (repeat for each name)
After executing the command above, Let’s Encrypt will provide a text string that you must publish as a TXT record in your domain’s DNS.
Example:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8

Before continuing, verify the record is deployed.
Go to your DNS provider’s portal, add a TXT record named _acme-challenge.example.com with the value shown above, and save it.
Wait a few minutes before continuing at the prompt. Some DNS providers take a while to propagate changes, so the delay depends on your provider’s platform.
Once the record is in place and Let’s Encrypt has validated that you own the domain, you should see a success message like the one below:
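Rather than guessing how long propagation takes, you can poll public resolvers for the challenge record and only answer certbot's prompt once the value is actually visible. The script below is an added example, not part of the original post; it assumes `dig` (Ubuntu package bind9-dnsutils) is installed, and the resolver list and retry timings are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: before answering certbot's
# "verify the record is deployed" prompt, poll public resolvers until the
# _acme-challenge TXT value is visible. Assumes `dig` (package bind9-dnsutils)
# is installed; the resolver list and retry timings are my own choices.

RESOLVERS="8.8.8.8 1.1.1.1"

# dig +short prints each TXT value on its own line wrapped in double quotes.
# Strip the quotes and report whether any line equals the expected token.
# Usage: txt_value_present "<dig output>" "<expected value>"  -> prints yes|no
txt_value_present() {
    _out=$1; _want=$2
    printf '%s\n' "$_out" | tr -d '"' | grep -Fxq -- "$_want" && echo yes || echo no
}

# Ask one resolver for the challenge name; succeed only if the value is present.
challenge_visible_at() {
    _resolver=$1; _name=$2; _want=$3
    _ans=$(dig +short +time=3 +tries=1 "@$_resolver" TXT "$_name" 2>/dev/null)
    [ "$(txt_value_present "$_ans" "$_want")" = yes ]
}

# Retry until every resolver returns the value or the attempts run out.
# Usage: wait_for_challenge <domain> <value> [attempts] [sleep_seconds]
wait_for_challenge() {
    _domain=$1; _want=$2; _tries=${3:-20}; _sleep=${4:-15}
    _name="_acme-challenge.$_domain"
    _i=0
    while [ "$_i" -lt "$_tries" ]; do
        _missing=""
        for _r in $RESOLVERS; do
            challenge_visible_at "$_r" "$_name" "$_want" || _missing="$_missing $_r"
        done
        if [ -z "$_missing" ]; then
            echo "TXT $_name is visible on all resolvers; safe to continue in certbot."
            return 0
        fi
        _i=$((_i + 1))
        echo "attempt $_i/$_tries: not yet visible on:$_missing"
        sleep "$_sleep"
    done
    echo "gave up waiting for TXT $_name" >&2
    return 1
}

# Example call using the value certbot printed in the tutorial output above:
# wait_for_challenge example.com x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8
```

Because example.com and *.example.com are both validated at the same name, _acme-challenge.example.com, certbot prompts for two values under that one name; publish both TXT records and run the check once per value.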
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-01-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
That should do it!
The wildcard certificate is now generated and ready to be used.
To verify that the certificate is ready, run the command below:
sudo certbot certificates
That should display a similar screen as below:
Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2020-01-05 07:48:04+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
You’re all set!
Let’s Encrypt certificates are valid for 90 days, so you’ll want to automate renewal. Note that a certificate obtained with --manual, as above, cannot be renewed non-interactively unless you also supply a --manual-auth-hook script that publishes the DNS TXT record for you (the renewal errors in the comments below show what happens otherwise); run sudo certbot renew --dry-run to confirm renewal works before relying on the job. To set up the cron job, open crontab and add the entry below:
sudo crontab -e
Then add the line below and save.
0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log
Save and you’re done!
Conclusion:
This post showed you how to set up Let’s Encrypt SSL wildcard certificates on Ubuntu 20.04 | 18.04. If you find any error above, please use the comment form below to report it.
Thanks,
Very nice and clear! Thank you very much for this post!
I followed this tutorial and got a successful cert… however, when going to the URL for my website, it does not redirect to https, nor does it say secured when manually entering it as https.
I am running apache that this is being used on, is that why it’s not working? I figured this was a blanket cert for the website regardless of whether it was run by apache or something else?
Thank you!
I got the certificate installed already. What’s next to be configured? What will be the content of the virtual host file?
Great tutorial!!!
Well done
Thanks a lot for this, it was much easier than I thought. I now also understand cron jobs. Correct me if I am wrong but this one runs every day at 1am. And certbot will not renew if the certificate is not ready to be renewed.
Does the renewal actually work? Running a "sudo certbot renew --dry-run" gives the following error:
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert () from /etc/letsencrypt/renewal/.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
The most important part is missing, meaning how to link the certificate to your web server configuration. How about this?
Do we need to install crontab if the status of certbot.timer is active? I’m confused by other websites’ instructions.
I took a screenshot of your congratulations message. Please forgive me
Almost positive the auto-renew option via the cronjob is not valid (unless there’s a renew-hook script that configures the DNS for the wildcard domains). OR you connect to your DNS’ API plugin (I’ve read some safety concerns around this).
Decided on acme-dns as there are a few threads that recommend it to automate the process. A script to certbot seems like a good option for those technical enough to carry out.
It says right on the official certbot FAQ that a certificate obtained through the --manual option cannot be renewed with the renew command. You are supposed to use a script or some other automation technique for the renewal.