🤖 How to get Certbot wildcard certificates

katopz, published in Level Up Coding, 3 min read, Apr 15, 2018

https://certbot.eff.org/

These are the 3 steps to get a Certbot wildcard certificate. In the example I am using my domain catcat.io, but you can simply replace the name with your domain.

1. SSH into your server (I use DigitalOcean) and run this:

# To ensure python will not throw a locale error
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
sudo dpkg-reconfigure locales
# Get the source
git clone https://github.com/certbot/certbot
cd certbot
# Install the OS packages certbot-auto depends on
./certbot-auto --os-packages-only
# Older versions also needed a virtualenv; new versions don't, so skip these two lines
./tools/venv.sh
source venv/bin/activate
# Ask for the cert. Wildcards are only issued through the ACMEv2 endpoint
# (hence --server ...) and only via the DNS-01 challenge (hence --manual
# --preferred-challenges dns-01). Quote the wildcard so the shell does not
# try to expand it as a glob. If a catcat.io certificate already exists on
# this server, add --cert-name catcat.io to reuse that lineage instead of
# getting a new catcat.io-0001 one (see the extra step below).
./certbot-auto -d catcat.io -d '*.catcat.io' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly
# Note: certbot-auto has since been deprecated. With a packaged Certbot (snap or
# distro package) replace ./certbot-auto with certbot; the options are the same.

2. Certbot will prompt you twice to publish a DNS TXT record at your domain provider. Both prompts are for the same record name, _acme-challenge.catcat.io: one value validates catcat.io and the other validates *.catcat.io.

Add the two values from your command line as 2 separate TXT records at that name. Do not overwrite the first record with the second, or the first challenge will fail. Before continuing, check that both values are visible when you query the TXT records of _acme-challenge.catcat.io at your zone's authoritative nameserver (for example with dig); Let's Encrypt validates from its own resolvers, so a value that only shows up in the provider's web panel is not enough yet.

(Screenshot in the original post: the DNS panel showing the 2 TXT records.)

3. Once both TXT records are deployed and visible, return to the command line and press Enter at each prompt.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/catcat.io-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/catcat.io-0001/privkey.pem
Your cert will expire on 2018-07-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

PS: The acme-challenge values shown above are fake, so nothing needed censoring. Real ones are not secrets either: a DNS-01 TXT value is published in public DNS and anyone can query it. The file you must never share is privkey.pem.

One caveat on the "certbot renew" hint in the output above: a certificate obtained with --manual cannot be renewed non-interactively unless you also pass a --manual-auth-hook script that publishes the new TXT records through your DNS provider's API. Without such a hook, rerun the interactive command from step 1 before the expiry date.
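
The check described in steps 2 and 3, as an added example that is not part of the original post: a small POSIX shell script that asks the zone's authoritative nameserver for the TXT records at _acme-challenge.catcat.io and confirms that every value Certbot printed is present before you press Enter. It assumes dig is installed; the function and variable names (lookup_txt, authoritative_ns, txt_has_values, wait_for_txt, ACME_NS, LOOKUP) and the two 43-character values in fake_lookup_txt are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that every challenge value
# Certbot printed is really published at _acme-challenge.<domain> before you
# press Enter. Uses dig (package dnsutils / bind-utils). Names and values below
# are constructed for illustration.
set -u

# lookup_txt NAME [SERVER]: print the TXT strings at NAME, one per line, without quotes.
lookup_txt() {
    if [ -n "${2:-}" ]; then
        dig +short TXT "$1" "@$2"
    else
        dig +short TXT "$1"
    fi | sed 's/^"//; s/"$//'
}

# authoritative_ns ZONE: first authoritative nameserver of ZONE. Asking it
# directly avoids the negative caching of your local resolver.
authoritative_ns() {
    dig +short NS "$1" | head -n 1 | sed 's/\.$//'
}

# txt_has_values NAME VALUE...: succeed only if every VALUE is present among
# the TXT records at NAME. The resolver is $LOOKUP (default lookup_txt) so it
# can be swapped for an offline stand-in; $ACME_NS selects the server to ask.
txt_has_values() {
    tv_name=$1; shift
    tv_found=$("${LOOKUP:-lookup_txt}" "$tv_name" "${ACME_NS:-}")
    tv_rc=0
    for tv_want in "$@"; do
        # -x: whole-line match, so a truncated or partial value does not count
        if ! printf '%s\n' "$tv_found" | grep -qxF -- "$tv_want"; then
            echo "missing at $tv_name: $tv_want" >&2
            tv_rc=1
        fi
    done
    return $tv_rc
}

# wait_for_txt ATTEMPTS INTERVAL NAME VALUE...: poll until txt_has_values succeeds.
wait_for_txt() {
    wf_attempts=$1 wf_interval=$2; shift 2
    while [ "$wf_attempts" -gt 0 ]; do
        txt_has_values "$@" && return 0
        wf_attempts=$((wf_attempts - 1))
        [ "$wf_attempts" -gt 0 ] && sleep "$wf_interval"
    done
    return 1
}

# Offline stand-in for lookup_txt: two constructed values, standing for what
# Certbot prints for catcat.io and *.catcat.io, both living at the same TXT name.
fake_lookup_txt() {
    printf '%s\n' 'Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' 'Bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
}

# Real usage, after both records have been added at your DNS provider:
#   ACME_NS=$(authoritative_ns catcat.io) \
#   wait_for_txt 20 15 _acme-challenge.catcat.io '<value 1>' '<value 2>' \
#     && echo "both visible, press Enter in certbot"
```

Point ACME_NS at the authoritative server rather than relying on the resolver in /etc/resolv.conf, which may have cached an empty answer from an earlier lookup. The same wait loop is what a --manual-auth-hook script would run after publishing the record through the provider's API; Certbot hands such a hook the name and value in the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables.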

Extra step for an old certificate

If a certificate for catcat.io already existed on the server (for example the old non-wildcard one), Certbot keeps that lineage and saves the new one under a new name, catcat.io-0001. You can pick from 2 options to make your server use the new certificate.

  1. Update your nginx SSL config to point to the new catcat.io-0001 folder. Nothing under /etc/letsencrypt changes and renewals keep working.
  2. Rename catcat.io-0001 to catcat.io (after backing up /etc/letsencrypt). Note that the files in live/ are relative symlinks into archive/catcat.io-0001/, and renewal/catcat.io-0001.conf records both the live and the archive paths, so all three have to move together and the symlinks must be recreated, otherwise the next renewal fails. Move the old catcat.io lineage (its live/, archive/ and renewal/ entries) out of the way first, or the first mv below nests the new directory inside the old one.

mv /etc/letsencrypt/live/catcat.io-0001 /etc/letsencrypt/live/catcat.io
mv /etc/letsencrypt/archive/catcat.io-0001 /etc/letsencrypt/archive/catcat.io
mv /etc/letsencrypt/renewal/catcat.io-0001.conf /etc/letsencrypt/renewal/catcat.io.conf
# Replace every catcat.io-0001 with catcat.io inside the renewal config, by hand via nano
nano /etc/letsencrypt/renewal/catcat.io.conf
# OR with sed, editing in place and keeping a .bak copy. Do not redirect sed's
# output back onto its input file (sed ... file > file): the shell truncates the
# file before sed reads it and you end up with an empty config.
sed -i.bak 's|catcat.io-0001|catcat.io|g' /etc/letsencrypt/renewal/catcat.io.conf
# The live symlinks still point at ../../archive/catcat.io-0001/, so repoint them
# (a freshly issued lineage is version 1, hence cert1.pem etc.)
for f in cert chain fullchain privkey; do
  ln -sfn ../../archive/catcat.io/${f}1.pem /etc/letsencrypt/live/catcat.io/$f.pem
done

I chose #2 to keep the directory names cleaner. A simpler way to get the same result is to add --cert-name catcat.io to the certonly command in step 1: Certbot then updates the existing catcat.io lineage instead of creating catcat.io-0001. Whichever option you pick, ensure every server block for catcat.io and its subdomains in the NGINX config points to the new certificate.
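
The rename from option 2, as an added example that is not part of the original post: a POSIX shell function that moves live/, archive/ and the renewal config together, rewrites the paths in the config in place and recreates the live symlinks, plus a constructed stand-in for the /etc/letsencrypt layout (relative symlinks live/NAME/*.pem -> ../../archive/NAME/*1.pem and a renewal/NAME.conf holding archive_dir and the four live paths) so it can be dry-run in a temp directory. The function names (rename_lineage, lineage_ok, make_fake_tree, demo) and the fake file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: rename a Certbot lineage (here
# catcat.io-0001 -> catcat.io) the way option 2 requires. make_fake_tree builds
# a constructed imitation of /etc/letsencrypt so the procedure can be tested
# offline before touching the real directory.
set -u

# rename_lineage ROOT OLD NEW  (ROOT is normally /etc/letsencrypt)
rename_lineage() {
    rl_root=$1 rl_old=$2 rl_new=$3
    # Refuse to clobber an existing lineage; the caller must move it away first.
    for rl_p in "live/$rl_new" "archive/$rl_new" "renewal/$rl_new.conf"; do
        if [ -e "$rl_root/$rl_p" ]; then
            echo "refusing to overwrite $rl_root/$rl_p" >&2
            return 1
        fi
    done
    mv "$rl_root/live/$rl_old"         "$rl_root/live/$rl_new"         || return 1
    mv "$rl_root/archive/$rl_old"      "$rl_root/archive/$rl_new"      || return 1
    mv "$rl_root/renewal/$rl_old.conf" "$rl_root/renewal/$rl_new.conf" || return 1
    # Rewrite the paths stored in the renewal config. Edit in place (-i, .bak copy);
    # never redirect sed back onto its own input, that truncates the file first.
    rl_esc=$(printf '%s\n' "$rl_old" | sed 's/[.]/\\./g')
    sed -i.bak "s|/$rl_esc|/$rl_new|g" "$rl_root/renewal/$rl_new.conf" || return 1
    # Certbot's live/ files are relative symlinks into archive/<old>/, which no
    # longer exists: read each dangling target to learn its version number
    # (e.g. cert1.pem) and relink it into archive/<new>/.
    for rl_kind in cert chain fullchain privkey; do
        rl_link=$rl_root/live/$rl_new/$rl_kind.pem
        rl_ver=$(readlink "$rl_link") || return 1
        ln -sfn "../../archive/$rl_new/${rl_ver##*/}" "$rl_link" || return 1
    done
}

# lineage_ok ROOT NAME OLD: every live symlink resolves and OLD no longer
# appears anywhere in the renewal config.
lineage_ok() {
    for lo_kind in cert chain fullchain privkey; do
        [ -e "$1/live/$2/$lo_kind.pem" ] || return 1
    done
    ! grep -q -- "$3" "$1/renewal/$2.conf"
}

# make_fake_tree ROOT NAME: constructed imitation of what Certbot creates.
make_fake_tree() {
    mkdir -p "$1/live/$2" "$1/archive/$2" "$1/renewal"
    for mf_kind in cert chain fullchain privkey; do
        printf 'fake %s\n' "$mf_kind" > "$1/archive/$2/${mf_kind}1.pem"
        ln -s "../../archive/$2/${mf_kind}1.pem" "$1/live/$2/$mf_kind.pem"
    done
    cat > "$1/renewal/$2.conf" <<EOF
archive_dir = $1/archive/$2
cert = $1/live/$2/cert.pem
privkey = $1/live/$2/privkey.pem
chain = $1/live/$2/chain.pem
fullchain = $1/live/$2/fullchain.pem

[renewalparams]
authenticator = manual
EOF
}

# Dry run against a temp directory. For the real thing:
#   rename_lineage /etc/letsencrypt catcat.io-0001 catcat.io
demo() {
    d_root=$(mktemp -d)
    make_fake_tree "$d_root" catcat.io-0001
    rename_lineage "$d_root" catcat.io-0001 catcat.io \
        && lineage_ok "$d_root" catcat.io catcat.io-0001
    d_rc=$?
    rm -rf "$d_root"
    return $d_rc
}
```

Run demo first; if it succeeds on the fake tree, point rename_lineage at /etc/letsencrypt. The refusal check at the top is what protects you from the nesting mistake mentioned above: if live/catcat.io still holds the old lineage, the function stops instead of moving the new directory inside it.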

nano /etc/nginx/conf.d/default.conf

Ensure these two directives exist and point at the lineage you chose (catcat.io here; catcat.io-0001 if you took option 1), in every server block that serves catcat.io or one of its subdomains:

ssl_certificate /etc/letsencrypt/live/catcat.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/catcat.io/privkey.pem;

Then check the configuration with nginx -t, restart NGINX, and TLS on your subdomains should work. Yeah!

nginx -t && service nginx restart

Enjoy this tutorial? Support below! :D

XLM : GDI6FBVJSHMF5PF6C7DDM57NAGYTYWMQQW2A6BVA6DTS2ZL7ZDRZBI2S
ETH : 0x3E84004C41786CdC409F9355E6eF133f70907Da1
