Learn to Generate Free Wildcard Certificates using Let’s Encrypt (Certbot) on Ubuntu 18.04

This brief tutorial shows students and new users how to generate free wildcard SSL/TLS certificates using Let’s Encrypt (Certbot) on Ubuntu 16.04 | 18.04 LTS…

Let’s Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates using a fully automated process that eliminates manual certificate creation, validation, installation and renewal…

When generated, you’ll be able to install these certificates on your web servers to serve HTTPS traffic to your users and audience…

If you’re a student or new user looking for a Linux system to start learning on, the easiest place to start is Ubuntu Linux OS… It’s a great Linux operating system for beginners.

So, to get your free wildcard certificates to install on your web server, follow the steps below:

Below you’ll learn how to generate a wildcard SSL certificate for your domain using Certbot…

Step 1: Install Let’s Encrypt Certbot Tool

Before generating your free wildcard certificates, you’ll first want to make sure certbot is installed… To install it, run the commands below:

sudo apt update
sudo apt-get install letsencrypt

The commands above install the certbot tool and all the dependencies it needs to function.

Step 2: Generate Let’s Encrypt Wildcard SSL Certificate

Now that the tool is installed, you can now proceed to generating certificates…

Let’s Encrypt offers several challenge types to validate that you control the domain you want certificates for… You will not be able to obtain certificates if you can’t prove that you control the domain…

However, for wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we select with the --preferred-challenges=dns flag…

So, to generate a wildcard cert for domain *.example.com, you run the commands below:

sudo certbot certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.example.com'

The command options above are explained below:

  • certonly: Obtain or renew a certificate, but do not install it
  • --manual: Obtain certificates interactively
  • --preferred-challenges=dns: Use DNS to authenticate domain ownership
  • --server: Specify the ACME server endpoint to use
  • --agree-tos: Agree to the ACME server’s subscriber terms
  • -d: Domain name to provide certificates for

After executing the command above, Let’s Encrypt will give you a text string to publish as a TXT record in your domain’s DNS…

Example:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8

Before continuing, verify the record is deployed.

Go to your DNS provider’s portal, add a TXT record named _acme-challenge.example.com with the value shown above, and save…

Let's Encrypt DNS

Wait a few minutes before continuing at the prompt… Some DNS providers take a while to propagate changes, so how long depends on your provider’s platform…
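Rather than guessing how long to wait, you can confirm the record is visible from a few public resolvers before answering the certbot prompt. This is an added example, not part of the original post; it assumes dig (package dnsutils on Ubuntu) is installed, and the domain and token are the ones from the sample output above.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record certbot asked for is
# visible from public resolvers before telling certbot to continue.
# Assumes the dig utility (package dnsutils on Ubuntu) is installed.

# txt_has_token DIG_OUTPUT TOKEN
# dig +short prints each TXT record as a quoted string on its own line;
# succeed only if one of those lines is exactly the expected token.
txt_has_token() {
    printf '%s\n' "$1" | grep -Fxq "\"$2\""
}

# check_propagation DOMAIN TOKEN
# Queries several public resolvers for _acme-challenge.DOMAIN and succeeds
# only when every one of them already returns the expected token.
check_propagation() {
    domain="$1"; expected="$2"
    name="_acme-challenge.${domain}"
    missing=0
    for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
        answer="$(dig +short TXT "$name" "@${resolver}" 2>/dev/null)"
        if txt_has_token "$answer" "$expected"; then
            echo "OK    ${resolver}: ${name} carries the expected token"
        else
            echo "WAIT  ${resolver}: token not visible yet (got: ${answer:-nothing})"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage with the values from the sample certbot output above:
#   ./check_acme_txt.sh example.com x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8
# The live query runs only when a domain and token are passed as arguments.
if [ "$#" -eq 2 ]; then
    check_propagation "$1" "$2"
fi
```

Re-run it until every resolver reports OK, then press Enter at the certbot prompt; a stale or missing record is the usual reason the dns-01 validation fails.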

Once the record has propagated and Let’s Encrypt is able to validate that you own the domain, you should see a success message like the one below:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-01-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That should do it!

The wildcard certificate is now generated and ready to be used…

To verify that the certificate is ready, run the command below:

sudo certbot certificates

That should display a screen similar to the one below:

Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2020-01-05 07:48:04+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

You’re all set!

Now, Let’s Encrypt’s certificates are valid for 90 days… You’ll want to set up a cron job to automate the renewal process… To do that, open crontab and add the entry below:

sudo crontab -e

Then add the line below and save…

0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log
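Because this certificate was authorized with the manual plugin, certbot renew can only complete the DNS challenge non-interactively if a --manual-auth-hook script updates the TXT record for it; otherwise the cron entry above runs but the renewal fails. The script below, an added example that is not part of the original post, reads the live certificate’s expiry and exits non-zero when fewer than 30 days remain, so a failed renewal is noticed before the certificate lapses; the certificate path is the one certbot printed above, and openssl and GNU date (Ubuntu defaults) are assumed.

```shell
#!/bin/sh
# Added example: alert when the live wildcard certificate is close to expiry,
# which is how a silently failing "certbot renew" cron job gets noticed.
# Assumes openssl and GNU date are available; the live path is the one
# certbot printed above for the example.com certificate.

LIVE_CERT="/etc/letsencrypt/live/example.com/fullchain.pem"
WARN_DAYS=30   # Let's Encrypt certs last 90 days; certbot renews at <30 left

# days_left_from_enddate ENDDATE_LINE NOW_EPOCH
# ENDDATE_LINE is the "notAfter=..." line from `openssl x509 -enddate`;
# NOW_EPOCH is the reference time, so the arithmetic is testable offline.
days_left_from_enddate() {
    enddate="${1#notAfter=}"
    end_epoch="$(date -u -d "$enddate" +%s)"
    echo $(( (end_epoch - $2) / 86400 ))
}

# cert_days_left CERT_PATH -> prints whole days until the leaf cert expires
# (openssl reads the first certificate in fullchain.pem, which is the leaf).
cert_days_left() {
    enddate_line="$(openssl x509 -in "$1" -noout -enddate)"
    days_left_from_enddate "$enddate_line" "$(date -u +%s)"
}

# check_expiry CERT_PATH WARN_DAYS -> exit 0 if enough time remains, 1 if not
check_expiry() {
    left="$(cert_days_left "$1")"
    if [ "$left" -lt "$2" ]; then
        echo "WARNING: $1 expires in ${left} days; check certbot renew logs"
        return 1
    fi
    echo "OK: $1 valid for ${left} more days"
}

# Run the check only when the live certificate is readable on this host
# (it is root-only under /etc/letsencrypt).
if [ -r "$LIVE_CERT" ]; then
    check_expiry "$LIVE_CERT" "$WARN_DAYS"
fi
```

Schedule it from the same root crontab a few hours after the renew entry and route its non-zero exit to whatever alerting you already use.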

Save and you’re done!

Congratulations! You have successfully learned how to generate Let’s Encrypt wildcard certificates…
