Request and Setup A Wildcard SSL Certificate

HowTo Request and Setup a Wildcard SSL Certificate

This document explains how to add a wildcard SSL certificate to a server to enable SSL communication. We will use Letsencrypt; the steps below use the Certbot client (Dehydrated also supports wildcard issuance). The setup process also requires access to the DNS zone of your domain.

Table of Content

  • DNS Update
  • Requesting SSL Certificate

DNS Update

Setting/Updating DNS depends on the respective hosting domain/provider and is thus not covered in detail in this tutorial.

Creating Wildcard DNS Record

Request Wildcard SSL Certificate - Creating Wildcard Record in DNS

In order to get an SSL certificate we first need a domain name that points to the server we want to provide the certificate for. For our example we will use the wildcard domain *.slaptest.erp5.net (replace by your wildcard domain), which points to our sample server 167.114.246.26 (replace by your IP). DNS updates have to be made with your respective domain/hosting provider. In our case, we need to add the following wildcard record to our (own!) DNS settings. Since the target is an IP address this is an A record; a CNAME can only point to another hostname, never to an IP:


*.slaptest.erp5.net. IN A 167.114.246.26

DNS changes usually take up to 48h to propagate. You can check whether your DNS update is working by opening a terminal and verifying that you can ping a name under your wildcard domain:


chronos@localhost ~/Downloads $ ping a.slaptest.erp5.net
PING a.slaptest.erp5.net (167.114.246.26) 56(84) bytes of data.
64 bytes from ip-167-114-246.eu (167.114.246.26): icmp_seq=1 ttl=52 time=21.1 ms
64 bytes from ip-167-114-246.eu (167.114.246.26): icmp_seq=2 ttl=52 time=17.1 ms
64 bytes from ip-167-114-246.eu (167.114.246.26): icmp_seq=3 ttl=52 time=17.2 ms
^C
--- a.slaptest.erp5.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 17.103/18.528/21.186/1.881 ms

Requesting SSL Certificate

Request SSL Certificate

Letsencrypt will be used for creating a wildcard SSL certificate (quick info on how Letsencrypt works). Different clients are available; both Certbot and Dehydrated support wildcard certificate issuance at the time of writing. The following steps use Certbot and follow the steps described in this blog post.

Install Certbot

Request SSL Certificate - Certbot

To begin, SSH into your server (how to set up SSH access) and install Certbot:


ssh debian@167.114.246.26
Enter passphrase for key '/home/chronos/user/.ssh/id_rsa': 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
debian@svenslapostest2:/$ sudo su
root@svenslapostest2:/#  wget https://dl.eff.org/certbot-auto
(...)
root@svenslapostest2:/# chmod a+x ./certbot-auto
root@svenslapostest2:/# sudo ./certbot-auto

Certbot will probably report an error at the end that it was not able to find the executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin and that it doesn't know how to automatically configure the web server on this system. As we will be using just the certonly command in the next step, it is ok to continue.

Run Certbot

Request SSL Certificate - Run Certbot

Once installation has finished, try running certbot using:

sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d '*.slaptest.erp5.net'

(The wildcard domain is quoted so that the shell does not expand the * as a file glob.)

Note that this command uses the https://acme-v02.api.letsencrypt.org/directory production API endpoint. If you want to experiment without running into the Letsencrypt production rate limits while testing certificate generation, you can also use one of the staging endpoints described here.

Also note that there are two types of challenges for verifying that you control a domain: http-01, which requires a web server serving a challenge file for every domain, and dns-01, used above, where a TXT record has to be published directly in the domain's DNS zone. For more information on how Letsencrypt and Dehydrated use hooks for DNS challenges, have a look at letsencrypt domain verification.

DNS TXT Challenge Record

Request SSL Certificate - DNS Challenge Record

During the certificate generation you will eventually be presented with the following message:


-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.slaptest.erp5.net with the following value:
 
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Head over to your DNS server and add the record in the zone file used by your domain (erp5.net in our case):

_acme-challenge.slaptest 10800 IN TXT "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"

Verify DNS Challenge

Request SSL Certificate - DNS Challenge Verification

DNS changes need up to 48h to propagate. You can check whether the token is already resolvable by installing dnsutils and querying the record with nslookup:

root@svenslapostest2:/# sudo apt-get install dnsutils
(...)
root@svenslapostest2:/# nslookup -type=TXT _acme-challenge.slaptest.erp5.net
Server:         xxx.xxx.xx.xx
Address:        xxx.xxx.xx.xx#xx

Non-authoritative answer:
*** Can't find _acme-challenge.slaptest.erp5.net: No answer

The output above shows that the record is not visible yet (No answer). Once nslookup returns a Non-authoritative answer: section containing the saved token, press Enter to continue the certificate issuance.
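As an added example (not part of the original tutorial), the following POSIX shell script automates the check above: it parses nslookup output for the exact token and polls until the TXT record is visible, so you only press Enter once the record can really be resolved. The record name, token, resolver address and sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check whether the
# _acme-challenge TXT record already carries the token Certbot printed,
# before pressing Enter. Name, token and resolver are assumed placeholders.

# txt_has_token TOKEN
#   Reads nslookup or dig output on stdin; returns 0 when a TXT value equal
#   to TOKEN is present. Matching the whole quoted value (-x) avoids
#   accepting a stale record from an earlier run that shares a prefix.
txt_has_token() {
    # nslookup prints:  name  text = "value"     dig +short prints: "value"
    grep -o '"[^"]*"' | tr -d '"' | grep -qxF -- "$1"
}

# wait_for_txt NAME TOKEN [RESOLVER] [ATTEMPTS]
#   Polls a resolver (ideally your zone's authoritative nameserver, default
#   1.1.1.1) every 30 s until the record is visible. Returns 0 on success,
#   1 on timeout. Needs network access, so it is not exercised offline.
wait_for_txt() {
    name=$1; token=$2; resolver=${3:-1.1.1.1}; attempts=${4:-20}; i=0
    while [ "$i" -lt "$attempts" ]; do
        if nslookup -type=TXT "$name" "$resolver" 2>/dev/null | txt_has_token "$token"; then
            echo "TXT for $name visible via $resolver; safe to continue"
            return 0
        fi
        i=$((i + 1))
        sleep 30
    done
    echo "timeout: TXT for $name not visible after $attempts attempts" >&2
    return 1
}

# Constructed nslookup outputs mirroring the tutorial's session, for offline use.
SAMPLE_PENDING="Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
*** Can't find _acme-challenge.slaptest.erp5.net: No answer"
SAMPLE_READY='Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
_acme-challenge.slaptest.erp5.net    text = "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"'

# Typical use while Certbot waits at "Press Enter to Continue":
#   wait_for_txt _acme-challenge.slaptest.erp5.net 5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
```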

Certificate Issued

Certificate Issued

Once the process has completed you will receive a message of your certificate being available:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/slaptest.erp5.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/slaptest.erp5.net/privkey.pem
   Your cert will expire on 2018-06-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Check the Certbot documentation for more information on the location of the certificate files and Stack Overflow for info on the different certificate formats.
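As an added example (not from the tutorial or from Certbot), this POSIX shell script lists the names in the issued certificate and checks which hostnames a wildcard SAN really covers, using the single-label matching rule that TLS clients apply. It assumes OpenSSL 1.1.1 or newer for the -ext option; the hostnames and paths are the tutorial's sample values.

```shell
#!/bin/sh
# Added example (not from the tutorial or Certbot): which hostnames does the
# issued certificate really cover? A wildcard SAN matches exactly one DNS
# label, so *.slaptest.erp5.net covers a.slaptest.erp5.net but neither
# slaptest.erp5.net nor a.b.slaptest.erp5.net. Paths are the tutorial's.

# cert_sans FULLCHAIN.PEM
#   Prints the DNS names from the leaf certificate's subjectAltName, one per
#   line (requires OpenSSL 1.1.1+ for -ext). Not exercised offline.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# name_matches HOST SAN
#   Returns 0 when HOST is covered by SAN: exact match, or a wildcard whose
#   '*' stands for exactly one non-empty label (RFC 6125 style matching).
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $san in
        '*.'*)
            suffix=${san#\*.}
            label=${host%%.*}
            # host must be <label>.<suffix>; reject empty label and bare suffix
            [ "$label" != "" ] && [ "$label" != "$host" ] \
                && [ "${host#*.}" = "$suffix" ]
            ;;
        *)
            [ "$host" = "$san" ]
            ;;
    esac
}

# covered HOST SAN...
#   Returns 0 when at least one of the SANs matches HOST.
covered() {
    host=$1; shift
    for san in "$@"; do
        name_matches "$host" "$san" && return 0
    done
    return 1
}

# Usage against the files Certbot wrote:
#   pem=/etc/letsencrypt/live/slaptest.erp5.net/fullchain.pem
#   covered slaptest.erp5.net $(cert_sans "$pem") || echo "apex name NOT covered"
```

Because the command in this tutorial requests only *.slaptest.erp5.net, the apex name slaptest.erp5.net is not covered even though Certbot names the directory after it; pass both names with two -d options if the apex is needed too.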

Nexedi GmbH, 147 Rue du Ballon, 59110 La Madeleine, France