080

How to Get Letsencrypt Wildcard Certificate (Using Letsencrypt Nginx DNS Challenge)

YouTube Tutorial

Prerequisites

• Ubuntu 20.04
• Nginx
• Certbot
• Watch this before: How to Secure Nginx with Lets Encrypt on Ubuntu 20.04 with Certbot? - https://youtu.be/R5d-hN9UtpU

1. Get Letsencrypt Wildcard Certificate

• Request wildcard certificate

sudo certbot certonly --manual --preferred-challenges dns --test-cert

• Enter *.devopsbyexample.io
• Create TXT record with following value: _acme-challenge.devopsbyexample.io. - <generated value>
• Anycast
• Verify with dig -t txt

dig -t txt +short _acme-challenge.devopsbyexample.io

• Press enter

Certificate is saved at: /etc/letsencrypt/live/devopsbyexample.io/fullchain.pem
Key is saved at: /etc/letsencrypt/live/devopsbyexample.io/privkey.pem

• Decode certificate

sudo openssl x509 -in /etc/letsencrypt/live/devopsbyexample.io/fullchain.pem -text -noout

2. Set Up Nginx SSL Wildcard Server Block

• Create folder for website

sudo mkdir -p /usr/share/devopsbyexample.io/html

• Update ownership

sudo chown -R $USER:$USER /usr/share/devopsbyexample.io/html

• Update permissions

sudo chmod -R 755 /usr/share/devopsbyexample.io

• Create index.html page

vi /usr/share/devopsbyexample.io/html/index.html

<html>
    <head>
        <title>Welcome!</title>
    </head>
    <body>
        <h1>Wildcard server block is working!</h1>
    </body>
</html>

• Create nginx server block

sudo vi /etc/nginx/conf.d/devopsbyexample.io.conf

server {
    listen 80;

    root /usr/share/devopsbyexample.io/html;
    index index.html;

    server_name *.devopsbyexample.io;

    location / {
            try_files $uri $uri/ =404;
    }
}

• Test nginx config

sudo nginx -t

• Reload nginx config

sudo nginx -s reload

• Create api.devopsbyexample.io and hello.devopsbyexample.io A records
• Try https://api.devopsbyexample.io/
• Verify with dig

dig +short api.devopsbyexample.io

dig +short hello.devopsbyexample.io

• Check in the browser http://api.devopsbyexample.io

3. Secure Nginx with Lets Encrypt Certificate

• Update nginx config

sudo vi /etc/nginx/conf.d/devopsbyexample.io.conf

server {
    listen 80;
    server_name *devopsbyexample.io;
    return 301 https://$host$request_uri;
}

server {
    listen              443 ssl;
    ssl_certificate     /etc/letsencrypt/live/devopsbyexample.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/devopsbyexample.io/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

• Test nginx config

sudo nginx -t

• Fix server_name
• Reload nginx config

sudo nginx -s reload

• Go to https://api.devopsbyexample.io/ and https://hello.devopsbyexample.io/

Links

• Challenge Types