Wildcard Certificates with Let’s Encrypt and NGINX
Since we wrote the introduction to Let’s Encrypt with NGINX, Let’s Encrypt has released the ability to generate wildcard certificates. The feature is brand new (released on March 13, 2018), so can we use it?
Note: this tutorial assumes that NGINX and certbot are already installed on a CentOS 7 server. Follow this post if you haven’t already.
Ensuring Certbot Is Updated
Before we can utilize wildcard certificates, we need to make sure that we have a new enough version of certbot. We need at least 0.22.0.
$ certbot --version
certbot 0.22.0
To upgrade an older version of the package that we installed, we can run yum update.
$ sudo yum update certbot-nginx
How Let’s Encrypt Wildcard Certs Work
Wildcard certificates require a different approach from the HTTP-based setup in the earlier post, because Let’s Encrypt will only issue them after a DNS challenge: you prove control of the domain by publishing a TXT record. We can accomplish this in two ways:
- Using a certbot DNS plugin.
- Using the --manual option for certbot.
The various DNS plugins work in roughly the same way, but if the provider you’re using doesn’t have one available, then you’ll need to use the --manual option. Unfortunately, the --manual option doesn’t provide a great way to auto-renew certificates if the DNS provider doesn’t have an API for creating records. If possible, using a DNS plugin is best. For this example, I’m going to be working with a domain that is managed by DNSimple, and there is a DNSimple plugin.
We’ll need to have our DNS set up to point to our server already. Here are the DNS records that I’ve created myself:
NAME   TYPE   DATA
@      A      MY_IP_ADDRESS
www    CNAME  chord.tools
blog   CNAME  chord.tools
I realize that chord.tools is a weird domain.
Configuring the DNS Plugin
DNS plugins for certbot are Python packages, so they can be installed using pip, but they can sometimes also be installed using the system package manager (yum in our case). To see what we have available, let’s do a yum search:
$ sudo yum search certbot | grep dns
python2-certbot-dns-cloudflare.noarch : Cloudflare DNS Authenticator plugin for
python2-certbot-dns-cloudxns.noarch : CloudXNS DNS Authenticator plugin for
python2-certbot-dns-digitalocean.noarch : DigitalOcean DNS Authenticator plugin
python2-certbot-dns-dnsimple.noarch : DNSimple DNS Authenticator plugin for
python2-certbot-dns-dnsmadeeasy.noarch : DNS Made Easy DNS Authenticator plugin
python2-certbot-dns-google.noarch : Google Cloud DNS Authenticator plugin for
python2-certbot-dns-luadns.noarch : LuaDNS Authenticator plugin for Certbot
python2-certbot-dns-nsone.noarch : NS1 DNS Authenticator plugin for Certbot
python2-certbot-dns-rfc2136.noarch : RFC 2136 DNS Authenticator plugin for
python2-certbot-dns-route53.noarch : Route53 DNS Authenticator plugin for
For my situation, I’m going to install the python2-certbot-dns-dnsimple package.
$ sudo yum install -y python2-certbot-dns-dnsimple
The last thing that we need before moving forward is a credentials file. How this file is generated depends on the DNS plugin being used. For DNSimple, we need to generate an API token and place it in an INI file that looks something like this (the location of this file doesn’t matter):
/var/.secrets/dnsimple-credentials.ini
dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
Creating Virtual Host Configuration
We’re going to point all of these subdomains at a single NGINX server. Let’s create the configuration now (substitute chord.tools with your domain):
/etc/nginx/conf.d/chord.tools.conf
server {
    listen 80;
    server_name .chord.tools;
    root /usr/share/nginx/html;
}
The special server_name syntax .chord.tools matches both chord.tools and *.chord.tools. Our root points to the default NGINX HTML files just so that there is something to display. Now we’re ready to generate our first Let’s Encrypt wildcard SSL certificate.
Generating the Certificate
The general shape for our command to generate our certificates will match this:
$ sudo certbot \
    -a dns-[DNS_PROVIDER] \
    --dns-[DNS_PROVIDER]-credentials /path/to/credentials \
    --dns-[DNS_PROVIDER]-propagation-seconds 60 \
    -i nginx \
    -d "*.example.com" \
    --server https://acme-v02.api.letsencrypt.org/directory
We’re being specific about the server that we use for this request because only the ACME v2 endpoint can issue wildcard certificates. With the credential file path that we’re working with and “dnsimple” substituted in, this is my final command:
$ sudo certbot \
    -a dns-dnsimple \
    --dns-dnsimple-credentials /var/.secrets/dnsimple-credentials.ini \
    --dns-dnsimple-propagation-seconds 60 \
    -i nginx \
    -d "*.chord.tools" \
    --server https://acme-v02.api.letsencrypt.org/directory
This process might send you through some prompts if it’s your first time using certbot on that server. If so, you’ll want to answer them accordingly. Eventually, if the DNS challenge succeeds, we will be prompted about what NGINX configuration file to change and whether to redirect traffic to HTTPS. We should select the proper configuration file and select that we do want to redirect all traffic to HTTPS.
After this process is finished, we should be able to visit our domain and our subdomains to see that they are using a valid wildcard SSL certificate.
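As an added example (not code from the original post), here is a small POSIX sh script that wraps the steps above with two checks a practitioner would want: the credentials file is written with mode 0600 so only root can read the API token, and the certificate is requested for both the apex and the wildcard, because a wildcard name such as *.chord.tools covers www.chord.tools but not chord.tools itself or a.b.chord.tools. The domain, token and credentials path are assumptions passed in as arguments; the plugin flags are the DNSimple ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the DNSimple plugin as in
# the post; domain, credentials path and token are placeholders given as arguments.
set -eu

# Write the plugin credentials file readable by root only (mode 0600). Anyone
# who can read this token can publish records in your zone, and certbot itself
# warns when the file is group- or world-readable.
write_credentials() {
  path=$1
  token=$2
  (
    umask 077
    mkdir -p "$(dirname "$path")"
    printf 'dns_dnsimple_token = %s\n' "$token" > "$path"
  )
}

# Return 0 when a certificate name (exact, or a single-label wildcard) covers a
# hostname. '*.chord.tools' covers www.chord.tools but neither chord.tools nor
# a.b.chord.tools, which is why the apex gets its own -d in issue_wildcard.
san_covers() {
  pattern=$1
  host=$2
  case "$pattern" in
    \*.*)
      suffix=${pattern#\*.}
      label=${host%".$suffix"}
      [ "$label" != "$host" ] || return 1    # host does not end in .suffix
      [ -n "$label" ] || return 1            # nothing in front of the suffix
      case "$label" in *.*) return 1 ;; esac # a wildcard matches one label only
      return 0 ;;
    *)
      [ "$host" = "$pattern" ] ;;
  esac
}

# Issue one certificate for the apex plus every single-level subdomain, then
# prove the DNS-plugin renewal path works unattended (no records are left behind).
issue_wildcard() {
  domain=$1
  creds=$2
  certbot -a dns-dnsimple --dns-dnsimple-credentials "$creds" \
    --dns-dnsimple-propagation-seconds 60 -i nginx \
    -d "$domain" -d "*.$domain" \
    --server https://acme-v02.api.letsencrypt.org/directory
  certbot renew --dry-run
}

# Usage (as root): ./wildcard.sh chord.tools /var/.secrets/dnsimple-credentials.ini TOKEN
if [ $# -eq 3 ]; then
  write_credentials "$2" "$3"
  issue_wildcard "$1" "$2"
fi
```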
Recap
Let’s Encrypt supporting wildcard certificates is awesome and makes it even easier for us to secure multiple domains and subdomains. If you have the option to use a DNS Plugin, I encourage you to do so because it makes managing certificates with Let’s Encrypt incredibly simple.
The post Wildcard Certificates with Let’s Encrypt and NGINX appeared first on Linux Academy Blog.