Letsencrypt wildcard - Set up a wildcard certificate using Let's Encrypt and certbot

To get a wildcard certificate (*.mydomain.com), Let's Encrypt only accepts the DNS-01 challenge: you prove control of the zone by publishing TXT records under _acme-challenge.mydomain.com. The HTTP-01 challenge cannot be used for wildcards. Note that a wildcard covers a single label only: *.mydomain.com matches app.mydomain.com but not a.b.mydomain.com, and it does not match the apex mydomain.com itself, which is why the command below requests both names.

For a certificate on a single hostname there is no need to touch DNS records; see https://micropyramid.com/blog/configure-ssl-with-letsencrypt-and-nginx/ for that setup.

Wildcard certificates are only issued over ACME v2, which needs certbot 0.22.0 or newer. Your distribution's package may be older, so this guide uses the latest certbot from the GitHub repository (certbot-auto fetches its own dependencies). This solution is based on https://github.com/certbot/certbot/issues/5719, thanks to talyguryn.

git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto certonly --manual -d '*.mydomain.com' -d mydomain.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Quote the wildcard name so the shell does not expand it as a glob. --server selects the ACME v2 endpoint that wildcard issuance requires, --preferred-challenges dns-01 forces the DNS challenge, and --manual-public-ip-logging-ok acknowledges that Let's Encrypt logs the public IP address from which the certificate was requested.

Output:

Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:
 
qasdli_thisissometxtvalueherebrrrrrlaisd
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
 
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:
 
aldsfj_onemorevalueheredurrrrrrrrlaisdj
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2018-07-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As the output shows, add two TXT records to your DNS zone, both under the same name:

name: _acme-challenge.mydomain.com

with the values

1. qasdli_thisissometxtvalueherebrrrrrlaisd

2. aldsfj_onemorevalueheredurrrrrrrrlaisdj

One value is for *.mydomain.com and the other for mydomain.com. Certbot validates both only after the second prompt, so the second record must be added alongside the first, not in place of it. Some DNS control panels append the zone name automatically; there, enter just _acme-challenge as the record name, otherwise you end up publishing _acme-challenge.mydomain.com.mydomain.com. Wait until both values are visible from a public resolver before pressing Enter.

On successful verification the certificate and key are written to /etc/letsencrypt/live/mydomain.com/. Keep in mind that a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively by "certbot-auto renew": you will have to repeat the interactive DNS step, with new TXT values, before the certificate expires.

Troubleshoot:

Error: Failed authorization procedure.

This means Let's Encrypt did not find the expected TXT value when it queried your zone. The usual causes are: the record had not propagated yet, it was created under the wrong name (a panel that appends the zone produces _acme-challenge.mydomain.com.mydomain.com), or only one of the two values was present. Check what is actually published:

host -t txt _acme-challenge.mydomain.com

Both values must be listed. Your local resolver may return a cached (stale) answer, so prefer querying one of the zone's authoritative nameservers; host accepts the nameserver as an optional second argument. Then run the certbot-auto command again. A new attempt issues fresh challenge values, so replace the old TXT values rather than reusing them.
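Pressing Enter before the records are visible is the most common way to hit the error above. The following script is an added example, not part of the original post: it parses the output of host -t txt and only reports success once every value certbot asked for is present as a complete quoted TXT string, polling an authoritative nameserver (assumed here to be known, e.g. from host -t ns mydomain.com) so a cached resolver answer cannot mislead it. The sample host output at the bottom is constructed to match the two values printed by certbot above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every TXT value
# certbot asked for is visible in DNS before pressing Enter in the prompt.
# Assumptions: the `host` utility (bind9-host / bind-utils) is installed and
# an authoritative nameserver for the zone is known.

# txt_values_present OUTPUT VALUE...
# OUTPUT is the text printed by `host -t txt NAME [SERVER]`, one line per
# TXT string with the string in double quotes. Succeeds only when every VALUE
# appears as a complete quoted string, so a partial or wrong value fails.
# (ACME tokens contain only A-Za-z0-9 _ -, so they cannot act as glob
# characters inside the case pattern.)
txt_values_present() {
    output=$1
    shift
    for want in "$@"; do
        case "$output" in
            *"\"$want\""*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# wait_for_txt NAME SERVER VALUE...
# Polls SERVER (use an authoritative nameserver to bypass recursive-resolver
# caching) every 10 s for up to 5 minutes until all VALUEs are published.
wait_for_txt() {
    name=$1
    server=$2
    shift 2
    attempt=0
    while [ "$attempt" -lt 30 ]; do
        # `|| true` keeps an NXDOMAIN/timeout from aborting under `set -e`
        answer=$(host -t txt "$name" "$server" 2>/dev/null || true)
        if txt_values_present "$answer" "$@"; then
            echo "all TXT values for $name visible at $server"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep 10
    done
    echo "timed out: TXT values for $name not all visible at $server" >&2
    return 1
}

# Offline demonstration with constructed `host` output that matches the two
# values certbot printed above (real answers come from wait_for_txt).
SAMPLE_ANSWER='_acme-challenge.mydomain.com descriptive text "qasdli_thisissometxtvalueherebrrrrrlaisd"
_acme-challenge.mydomain.com descriptive text "aldsfj_onemorevalueheredurrrrrrrrlaisdj"'

if txt_values_present "$SAMPLE_ANSWER" qasdli_thisissometxtvalueherebrrrrrlaisd aldsfj_onemorevalueheredurrrrrrrrlaisdj; then
    echo "sample: both values present"
fi
if ! txt_values_present "$SAMPLE_ANSWER" qasdli_thisissometxtvalueherebrrrrrlaisd notpublishedyet; then
    echo "sample: a missing value is detected"
fi

# Real use, run before pressing Enter in certbot (hypothetical nameserver name):
#   ./check_txt.sh _acme-challenge.mydomain.com ns1.your-dns-provider.example VALUE1 VALUE2
if [ "$#" -ge 3 ]; then
    wait_for_txt "$@"
fi
```

Run it in a second terminal while certbot waits at the prompt, passing both values; press Enter only after it reports that all values are visible. Because Let's Encrypt validates from its own resolvers, checking the authoritative server rather than your ISP's resolver is what makes the result trustworthy.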

 

Nginx configuration:

Now that the certificate is in /etc/letsencrypt/live, reference it from the nginx server block. Because the certificate also covers *.mydomain.com, a single server block can serve the apex and its subdomains:

  server {
      listen 443 ssl;
      # the wildcard certificate covers the apex and any single-level subdomain
      server_name mydomain.com *.mydomain.com;
      # fullchain.pem holds the leaf plus intermediate; privkey.pem must stay readable by root only
      ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
  }

Check the configuration with nginx -t and reload nginx. Nginx reads the certificate files at startup, so the same reload is needed after every renewal (for example via a certbot --deploy-hook), or clients keep being served the expired certificate.