At the beginning of 2018, Let’s Encrypt announced that it was about to offer Wildcard SSL certificates. After many delays, today we were finally able to obtain this certificate free of charge.
Specifically, a Let’s Encrypt Wildcard SSL certificate is an SSL certificate that covers all subdomains of a domain, i.e. names of the form *.domain.com. You only need to issue it once and every subdomain can use the certificate immediately. Wildcard SSL is ideal when you run many subdomains, for example WordPress Multisite in subdomain mode.
The process of installing a Wildcard SSL certificate is slightly different from the normal Let’s Encrypt installation, and since not everyone needs Wildcard, it will be covered in a separate tutorial. Wildcard SSL certificates are also only valid for 3 months, so you need to set up a crontab job to renew them automatically.
*** If you are using CloudFlare, disable the hidden-IP (proxy) feature by clicking the cloud icon so that it switches off (gold to grey).
1. Prepare the system
– Install Let’s Encrypt (skip if already done)
# yum -y install git && git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
– Wildcard SSL requires Certbot version 0.22.0 or higher. Running the version check automatically upgrades certbot-auto to the latest version.
# cd /opt/letsencrypt
# ./letsencrypt-auto --version
Upgrading certbot-auto 0.21.1 to 0.22.0...
Replacing certbot-auto...
certbot 0.22.0
2. Activate the Let’s Encrypt Wildcard SSL certificate
Wildcard SSL only covers subdomains of the form *.domain.com; it does not secure the bare domain domain.com. So if you need both, you should include the domain and the wildcard together in a single certificate.
The example in this tutorial issues a certificate for both the domain trustedhostingadvice.com and all of its subdomains *.trustedhostingadvice.com.
# cd /opt/letsencrypt
# ./letsencrypt-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d trustedhostingadvice.com -d '*.trustedhostingadvice.com'
Let’s Encrypt will install the tools it needs. Then enter your email address and agree to the terms.
Saving debug logs to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): admin@gmail.com
-------------------------------------------------------------------------------
Enter the email address to which notifications should be sent.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Press A to accept the Terms of Service, then answer Y or N to whether you want to receive news by email.
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for trustedhostingadvice.com
dns-01 challenge for trustedhostingadvice.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: N

-------------------------------------------------------------------------------
Answer Y or N to whether you agree to your IP address being logged (in manual mode certbot will not continue unless you answer Y).
Please deploy a DNS TXT record under the name
_acme-challenge.trustedhostingadvice.com with the following value:

5 as12ras1bc30ascd1rCasas5172y12nj121212gM4vp-w

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.easypromocode.com with the following value:

dWY-as1k21kaAAnn1zcnjj0-129sasnnn12njnjj122njj-w

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
This is the most important step: you prove ownership of the domain by creating the two TXT records with the values displayed on the screen. Only after both records are published should you press Enter.
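Because a failed validation means starting the whole request over, it pays to check from a public resolver that the records are really published before pressing Enter. The script below is an added example and not part of the original tutorial; it assumes dig is installed, uses the public resolver 1.1.1.1, and its sample dig output is constructed.

```sh
# Added example, not part of the original tutorial. Before pressing Enter at
# the dns-01 prompt, confirm every TXT value certbot asked for is visible in
# public DNS. For trustedhostingadvice.com and *.trustedhostingadvice.com both
# records live under the SAME name _acme-challenge.trustedhostingadvice.com, so
# the answer must contain both values (dig +short prints one quoted value per
# line). Assumes dig is installed and resolver 1.1.1.1 is reachable.

# txt_values_missing "<observed values, one per line>" expected1 [expected2 ...]
# Prints each expected value absent from the observed list; returns 0 when
# nothing is missing, 1 otherwise.
txt_values_missing() {
  observed=$1
  shift
  missing=0
  for want in "$@"; do
    if ! printf '%s\n' "$observed" | grep -Fxq "\"$want\""; then
      echo "$want"
      missing=1
    fi
  done
  return $missing
}
# lookup_txt <name>: ask a public resolver directly, bypassing the local cache
# that may still hold the old (empty) answer.
lookup_txt() {
  dig +short TXT "$1" @1.1.1.1
}

# wait_for_txt <name> value...: poll until every value is published or the
# budget (TRIES x DELAY seconds, default 20 x 30) is spent.
wait_for_txt() {
  name=$1; shift
  tries=${TRIES:-20}
  while [ "$tries" -gt 0 ]; do
    if txt_values_missing "$(lookup_txt "$name")" "$@" >/dev/null; then
      echo "all TXT values for $name are deployed"
      return 0
    fi
    tries=$((tries - 1))
    sleep "${DELAY:-30}"
  done
  echo "timed out waiting for $name" >&2
  return 1
}
# Constructed sample of dig output once both records exist (placeholder
# tokens, not real challenge values). Real use, with the values certbot printed:
#   wait_for_txt _acme-challenge.trustedhostingadvice.com "$VALUE1" "$VALUE2"
SAMPLE='"TOKEN-FOR-APEX-placeholder"
"TOKEN-FOR-WILDCARD-placeholder"'
txt_values_missing "$SAMPLE" TOKEN-FOR-APEX-placeholder TOKEN-FOR-WILDCARD-placeholder && echo "sample check passed"
```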
If everything went well, you will see the Congratulations! message below:
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/trustedhostingadvice.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/trustedhostingadvice.com/privkey.pem
   Your cert will expire on 2018-07-26. To obtain a new or tweaked
   version of this certificate in the future, simply run letsencrypt-auto
   again. To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Check the certificate details:
# ./letsencrypt-auto certificates
Saving debug logs to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: trustedhostingadvice.com
    Domains: trustedhostingadvice.com *.trustedhostingadvice.com
    Expiry Date: 2018-06-16 14:51:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/trustedhostingadvice.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/trustedhostingadvice.com/privkey.pem
-------------------------------------------------------------------------------
So you have successfully issued a Let’s Encrypt certificate covering both the bare domain (DV SSL) and the wildcard (Wildcard SSL).