Setting/Updating DNS depends on the respective hosting domain/provider and is thus not covered in detail in this tutorial.
In order to get an SSL certificate we first need a domain that points to the server we want the certificate for. For our example we will use the wildcard domain *.slaptest.erp5.net (replace with your own wildcard domain), which points to our sample server 126.96.36.199 (replace with your IP). DNS updates have to be made with your respective domain/hosting provider. In our case, we need to add the following wildcard record to our (own!) DNS settings. Note that this has to be an A record rather than a CNAME, because the target is an IP address and a CNAME can only point at another hostname:
*.slaptest.erp5.net IN A 188.8.131.52
DNS changes usually take up to 48h to propagate. You can check whether your DNS update has propagated by opening a terminal and verifying that you can ping a host under your domain:
chronos@localhost ~/Downloads $ ping a.slaptest.erp5.net
PING a.slaptest.erp5.net (184.108.40.206) 56(84) bytes of data.
64 bytes from ip-167-114-246.eu (220.127.116.11): icmp_seq=1 ttl=52 time=21.1 ms
64 bytes from ip-167-114-246.eu (18.104.22.168): icmp_seq=2 ttl=52 time=17.1 ms
64 bytes from ip-167-114-246.eu (22.214.171.124): icmp_seq=3 ttl=52 time=17.2 ms
^C
--- a.slaptest.erp5.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 17.103/18.528/21.186/1.881 ms
Letsencrypt will be used for creating a wildcard SSL certificate (quick info on how Letsencrypt works). There are different clients available; both Certbot and Dehydrated support wildcard certificate issuance at the time of writing. The following steps use Certbot and follow the steps described in this blog post.
To begin, SSH into your server (how to set up SSH access) and install Certbot:
ssh firstname.lastname@example.org
Enter passphrase for key '/home/chronos/user/.ssh/id_rsa':

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
debian@svenslapostest2:/$ sudo su
root@svenslapostest2:/# wget https://dl.eff.org/certbot-auto
(...)
root@svenslapostest2:/# chmod a+x ./certbot-auto
root@svenslapostest2:/# sudo ./certbot-auto
Certbot will probably report an error at the end that it was not able to find the executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin and that it does not know how to automatically configure the web server on this system. As we will only be using the certonly command in the next step, it is fine to continue.
Once installation has finished, try running certbot using:
sudo ./certbot-auto certonly \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --manual --preferred-challenges dns \
  -d *.slaptest.erp5.net
Note that this command uses the production API endpoint. If you want to experiment without running into the Letsencrypt production rate limits while testing certificate generation, you can also use the staging endpoint described here.
Also note that there are two types of challenges for verifying that you control a domain: http-01, which requires running a web server and serving a challenge file for every domain, and dns-01, which is used above and requires publishing a TXT record directly in the domain's DNS zone. Wildcard certificates can only be obtained with dns-01. For more information on how letsencrypt and dehydrated use hooks for DNS challenges, you can have a look at letsencrypt domain verification.
During the certificate generation you will eventually be presented with the following message:
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.slaptest.erp5.net with the following value:

5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Head over to your DNS server and add the record in the zone file used by your domain (erp5.net in our case):
_acme-challenge.slaptest 10800 IN TXT "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"
DNS changes again need up to 48h to propagate. You can check whether the record is already resolvable by installing dnsutils and querying it with nslookup:
root@svenslapostest2:/# sudo apt-get install dnsutils
(...)
root@svenslapostest2:/# nslookup -type=TXT _acme-challenge.slaptest.erp5.net
Server:         xxx.xxx.xx.xx
Address:        xxx.xxx.xx.xx#xx

Non-authoritative answer:
*** Can't find _acme-challenge.slaptest.erp5.net: No answer
Once nslookup returns a Non-authoritative answer that contains the token we added (instead of No answer), we can continue the certificate issuance by pressing Enter.
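The check above is easy to get wrong by eye, especially when an old _acme-challenge record from a previous run is still present or when a long TXT value is printed as several quoted strings. The following script is an added example, not part of the original tutorial or of Certbot: it parses the output of BIND's nslookup (format as shown above), joins split TXT strings, and reports whether the exact validation string Certbot printed is among the published values. The two sample outputs and the resolver address are constructed for the example.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample: nslookup output before the TXT record has propagated
# (the "No answer" case from the tutorial).
NO_ANSWER = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
*** Can't find _acme-challenge.slaptest.erp5.net: No answer
"""

# Constructed sample once the record is visible. A stale token from an
# earlier run is still published, and the new value arrives as two quoted
# strings, which is how nslookup prints a TXT record split on the wire.
DEPLOYED = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
_acme-challenge.slaptest.erp5.net\ttext = "OLD-TOKEN-FROM-PREVIOUS-RUN"
_acme-challenge.slaptest.erp5.net\ttext = "5GFgEqWd7AQrvHte" "RtfT5V-XXXXXXXXXXXXXX"

Authoritative answers can be found from:
"""

TXT_LINE = re.compile(r'^(?P<name>\S+)\s+text\s*=\s*(?P<body>.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def challenge_name(fqdn: str) -> str:
    """Owner name of the dns-01 record: the wildcard label is dropped, so
    *.slaptest.erp5.net is validated at _acme-challenge.slaptest.erp5.net."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    return f"_acme-challenge.{base.rstrip('.')}".lower()

def parse_nslookup_txt(output: str) -> Dict[str, List[str]]:
    """Map each owner name to its TXT values, joining adjacent quoted strings."""
    records: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue  # Server/Address lines, "Can't find", blank lines
        parts = [p.replace('\\"', '"') for p in QUOTED.findall(m.group("body"))]
        records.setdefault(m.group("name").rstrip(".").lower(), []).append("".join(parts))
    return records

def challenge_deployed(output: str, fqdn: str, expected: str) -> bool:
    """True only if the exact validation string is published; extra records are ignored."""
    return expected in parse_nslookup_txt(output).get(challenge_name(fqdn), [])

def live_check(fqdn: str, expected: str, resolver: str = "192.0.2.53") -> bool:
    """Query a resolver of your choice with nslookup and evaluate its output (not run offline)."""
    proc = subprocess.run(["nslookup", "-type=TXT", challenge_name(fqdn), resolver],
                          capture_output=True, text=True)
    return challenge_deployed(proc.stdout, fqdn, expected)
```

Run live_check in a loop against a resolver outside your own network until it returns True, then press Enter in Certbot.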
Once the process has completed you will receive a message that your certificate is available:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/slaptest.erp5.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/slaptest.erp5.net/privkey.pem
   Your cert will expire on 2018-06-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le