Generating your first Wildcard SSL Certificate via Certbot/Let’s Encrypt

We've issued over 10k wildcard certificates in the first 48 hours of wildcard and ACMEv2 availability. More about wildcards and ACMEv2 can be found here: https://t.co/0SdH98Oabn

— Let's Encrypt (@letsencrypt) 15 March 2018

With over ten thousand wildcard certificates issued by Let’s Encrypt, we’re seeing HTTPS adoption skyrocket towards the moon, and that’s an investment you can take to the bank.

Remember, browser vendors are increasingly concerned for users’ overall safety. In fact, Chrome will soon mark all unencrypted pages as "not secure", which gives us yet another reason to secure our sites via Let’s Encrypt.

Without further ado, here’s how we generated a Wildcard SSL certificate for NodeBB. We use it for newly-created instances in our hosting, which are by default given a subdomain under the .nodebb.com domain.

Step 1: Install Certbot

We use Certbot (formerly Let’s Encrypt) to generate and renew our certificates. Certbot provides installation instructions for Ubuntu 16.04 + Nginx, which is the stack we’ll be using in this tutorial.

Alternatively, you can install Certbot/Let’s Encrypt via their Github repository:

# cd /opt
# git clone https://github.com/certbot/certbot.git

Step 2: Generate SSL certificate

certbot-auto certonly --manual --preferred-challenges=dns --email your@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.example.com

Currently, only the v02 endpoint supports wildcard certificates, so we will explicitly set this via the --server flag.

Replace your email and domain as necessary. As we’re generating a wildcard certificate, make sure you start off the domain with *..

If you want to generate multiple certificates, append additional -d sections to the command, e.g. -d example.com

Scared? Not to worry, you can test against Let’s Encrypt’s staging endpoint by changing the --server flag to read https://acme-staging-v02.api.letsencrypt.org/directory. Certbot will generate a test certificate which can’t be used in production, but you’ll get to see how it all works before you pull the trigger for real.

Step 3: Make DNS record change to prove ownership

For wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we can invoke via the --preferred-challenges=dns flag. When included, Certbot will ask you to add a specific TXT record to your DNS records. Refer to your DNS provider’s documentation if you are unclear on how to add new records.

At this point, Certbot will ask you to add the DNS record:

In your DNS provider, you’ll create a new DNS TXT record with:

• Record Name: _acme-challenge (you may or may not need the .example.com suffix depending on your DNS provider.
• Record Value: VWHqMqojnAZb8oLV2ZMaqaeUUyiTAX4-3KeokqJ69hE (replace this with the value provided by Certbot)

Save your DNS settings and hit Enter in the Certbot window to trigger the check.

Step 4: Verify certificate success (Optional)

At this point, you should receive the congratulatory message, stating your certificate is ready for use. Double-check this if you’d like by running the certificates command:

~# certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log -------------------------------------------------------------------------------
Found the following certs: Certificate Name: nodebb.com Domains: *.nodebb.com Expiry Date: 2018-06-14 18:18:58+00:00 (INVALID: TEST_CERT) Certificate Path: /etc/letsencrypt/live/nodebb.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/nodebb.com/privkey.pem
-------------------------------------------------------------------------------

In my case, for this blog post, I generated a test certificate via the staging endpoint. Yours should say VALID instead 🙂

That’s it! Now you can deploy your new wildcard certificate. The certificate itself is valid for three months (as is standard with all ACME certificates), so you will need to run certbot-auto renew manually every couple months to renew this certificate as it currently involves a manual step for the DNS verification step.

In a future post, I’ll talk about hooking in the Cloudflare DNS plugin (which we use at NodeBB) to automatically process the ACME challenge for a truly automated SSL setup.

Obligatory plug for NodeBB

Did you know that all NodeBB forums come with free SSL certificates? It’s not exactly a surprise since Let’s Encrypt "[gives] people the digital certificates they need in order to… create a more secure and privacy-respecting Web.

Every hosted instance on a *.nodebb.com url will come set up with an SSL certificate, and if you want to use your own (sub)domain, feel free to contact us and we can easily generate a certificate matching your domain as well, once the DNS records are properly set up. Contact us today!