In this post we will generate a wildcard SSL certificate for the appychip.com domain.
Make sure the locale is set:
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo ./certbot-auto
Obtaining Certificates Using Manual Mode
Manual mode means that you complete the DNS challenge yourself by creating a DNS TXT record to prove that you control the domain. Run the following command to obtain the SSL certificate. Here we are generating it for nginx, so we pass "-i nginx"; if you want to use it with Apache, replace "nginx" with "apache".
./certbot-auto -i nginx --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.appychip.com -d appychip.com --no-bootstrap
The certbot client will walk you through the process of registering an account, and it will instruct you on what to do to complete the challenges. You should see something like:
Please deploy a DNS TXT record under the name
_acme-challenge.webengage.com with the following value:

nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
You can deploy this DNS TXT record using your domain control panel (Route53 in this case). Once you have completed the TXT record deployment, you need to verify that it is working using nslookup:
nslookup -type=TXT _acme-challenge.appychip.com
Server:  192.XXX.XXX.XXX
Address: 192.XXX.XXX.XXX#XX

Non-authoritative answer:
_acme-challenge.appychip.com text = "nYng6cq_RLTU5eN0XXXXXXXXXXXXanNS8EqGtkVh8"
Once nslookup shows that the TXT record is deployed and resolvable, proceed to the next challenge. Certbot will ask you to deploy another DNS TXT record, so repeat the same steps and continue.
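The pre-flight check described above, as an added example that is not part of the original post. It parses nslookup output of the form shown and reports which of the challenge values certbot asked for are still missing; with both *.appychip.com and appychip.com in the request, the two challenges target the same record name, so both TXT values must coexist in DNS. The tokens, the resolver address and the nslookup output below are constructed sample data.

```python
"""Pre-flight check for the certbot manual DNS-01 challenge.

Before pressing Enter in certbot, confirm that every required
_acme-challenge TXT value is visible in DNS.  With `-d *.appychip.com
-d appychip.com` certbot issues two challenges for the SAME record
name, so both TXT values must be present at once; replacing the first
record with the second is a common cause of a failed authorization.
"""
import re
import subprocess
from typing import Iterable, List, Optional, Set

# Matches lines such as: _acme-challenge.appychip.com  text = "value"
TXT_LINE = re.compile(r'^\s*(?P<name>\S+)\s+text\s*=\s*"(?P<value>[^"]*)"', re.M)


def parse_nslookup_txt(output: str, name: str) -> Set[str]:
    """Return the TXT values that nslookup reported for `name`."""
    wanted = name.rstrip(".").lower()
    return {m["value"] for m in TXT_LINE.finditer(output)
            if m["name"].rstrip(".").lower() == wanted}


def missing_tokens(observed: Iterable[str], required: Iterable[str]) -> List[str]:
    """Challenge values certbot asked for that are not (yet) visible in DNS."""
    seen = set(observed)
    return [t for t in required if t not in seen]


def query_txt(name: str, server: Optional[str] = None) -> str:
    """Run nslookup against live DNS (not used by the offline demo below)."""
    cmd = ["nslookup", "-type=TXT", name] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample: the operator replaced the first TXT value with the
# second instead of adding a second record, so only one token is visible.
SAMPLE_OUTPUT = """\
Server:   192.0.2.53
Address:  192.0.2.53#53

Non-authoritative answer:
_acme-challenge.appychip.com\ttext = "SECONDTOKEN-constructed-value"
"""
REQUIRED = ["FIRSTTOKEN-constructed-value", "SECONDTOKEN-constructed-value"]


def check_sample() -> List[str]:
    """Missing challenge values for the constructed sample (expects one)."""
    observed = parse_nslookup_txt(SAMPLE_OUTPUT, "_acme-challenge.appychip.com")
    return missing_tokens(observed, REQUIRED)


if __name__ == "__main__":
    missing = check_sample()
    print("Do NOT press Enter yet; missing TXT values:" if missing
          else "All challenge values visible; safe to continue.", missing)
```

To check live DNS instead of the sample, feed `query_txt("_acme-challenge.appychip.com")` to `parse_nslookup_txt` with the values certbot printed as `REQUIRED`.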
If you have multiple sites enabled in your nginx server, you need to manually select the site. In my case, I want to update both site configuration files. You can also skip this step if you would rather edit the nginx config file carefully by hand instead of letting certbot modify it for you.
When the certificate is issued, you should see something like:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/appychip.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/appychip.com/privkey.pem
   Your cert will expire on 2018-12-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The certificates obtained can be seen by the following commands:
cd /etc/letsencrypt/live/appychip.com/
cat fullchain.pem
cat privkey.pem
Renewing The Certificates
Since we created the wildcard certificate using manual mode, we need to repeat the steps above every time we want to renew the wildcard certificate.