Do you already know Let's Encrypt, have your DNS Plugin installed and want a TL;DR? Of course, here you got.
$ history -c && sudo su - && exit # pip3 install certbot-dns-«yourDNSProvider» # certbot --server https://acme-v02.api.letsencrypt.org/directory \ --authenticator dns-«yourDNSProvider» \ --dns-«yourDNSProvider»-options … \ --installer nginx|apache \ -d *.yourdomain.tld # history -c && exit
If you don't already know what I'm talking about, or why am I so excited about this, follow me.
A brief history of Let's Encrypt
Almost two years ago, a promise of having a safer web through the democratisation of HTTPS arrived with the introduction of a brand-new, free, automated-issuing and open Certificate Authority. Its name was Let's Encrypt.
On March 13th 2018, they launched the support for ACMEv2 features which, among others, include signing wildcard domains after verifying them via a DNS verification.
If you'd like to successfully install a wildcard subdomain certificate and setup your environment to
The following steps apply to any webserver and almost any DNS Provider —although if your DNS isn't any of the supported providers/mechanisms here listed here, I strongly recommend you to change your provider or server configuration—. However, for the sake of the example —and because that's the DNS Provider and Webserver I use, prefer and recommend— this guide was written using Ubuntu Server as the distro, Cloudflare as the DNS and nginx as the webserver.
- Install/Update to the latest version of Certbot.
- Install your DNS provider plugin.
- Get the certificate.
1. Install/Update to the latest version of Certbot
This is the most crucial step, since you need
certbot installed in order of running it —don't you? Maybe you are a wizard—, and it's already well explaied in the certbot's webpage.
First, establish a connection to your server via
ssh and login as
root, you know, in order to avoid further
sudo writing —believe that's a bad practice? Tell me in the comments below—.
$ ssh email@example.com $ history -c && sudo su -
Then, follow the instructions given by certbot's webpage. These are mine.
# apt-get update # apt -y install software-properties-common # add-apt-repository ppa:certbot/certbot # apt-get update # apt -y install python-certbot-nginx
However, if you already had installed
certbot, you'll need to update to latest version in order to fully support the ACMEv2 challenges (and fix some bugs that happened in previous versions).
# apt-get update && apt -y dist-upgrade && apt -y autoremove
2. Install your DNS provider plugin
Now you've installed
certbot, you gotta make sure you're installing a DNS authentication plugin. The complete list of plugins is here.
(Optional) Install pip.
If you've never installed a version of pip (a python package manager) in your server for any reason, you'll probably need to do it, right now. And it's actually a quite simple step.
# apt -y install python3-pip
Install the plugin
Now, here's the shortest step.
# pip3 install certbot-dns-cloudflare
3. Get the certificate
For this step, I'll assume you've previously configured your webserver at least once, and it's pointing to your DNS provider. Haven't you? Here's a quick guide of how to configure an nginx webserver in Ubuntu Server 16.04 —yup, those tutorials never get old—.
Gather the DNS provider credentials
Write a file in your user location that goes by the name of
~/.secrets/cloudflare/credentials.ini and contains the credentials asked by by the plugin.
# Cloudflare API credentials used by Certbot dns_cloudflare_email = firstname.lastname@example.org dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
Ask Let's Encrypt for the certificate
Now, the time we were waiting for so long.
# certbot --server https://acme-v02.api.letsencrypt.org/directory \ --authenticator dns-cloudflare \ --dns-cloudflare-credentials ~/.secrets/cloudflare/credentials.ini \ --installer nginx|apache \ -d *.yourdomain.tld # history -c && exit
Each plugin will ask for different options, and it's up to you to find them out. They're pretty simple.
Now, you'll be conducted into a wizard that'll ask you your email (for domain identification and further contact), and some data usage agreements. These guys are cool and don't want to do any harm, more than making the web safer; however, be careful and read everything.
Then, there are two or three instructions, asking you about which domains apply to your certificate request, whether you want to redirect HTTP to HTTPS and which "virtual boxes" apply to your domain configuration.
You'll end up with your website having your SSL certificated installed.