How to Install Let’s Encrypt Wildcard SSL For Your Domain – ACME v2

by Sandy

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). In short, they provide hassle-free, no-cost SSL/TLS certificates for your domains. Let’s Encrypt recently introduced wildcard certificates (through the ACME v2 API), so you can now cover a domain and all of its first-level subdomains with a single certificate (no need to issue a cert for every subdomain); even WordPress Multisite over HTTPS runs fine with it.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

In this tutorial we’ll issue a wildcard Let’s Encrypt certificate for a domain. The steps work on several Linux distributions such as Red Hat, CentOS (el6, el7), Ubuntu and Fedora (on Debian/Ubuntu use apt instead of yum). Let’s get started :-

Step 1

Change the directory to root :

cd /root

Step 2

For Let’s Encrypt to work we need an ACME client; here we use acme.sh, a pure-shell client. socat is needed only for its standalone HTTP mode, but it is cheap to install; also ensure cURL is installed :

yum install socat
curl https://get.acme.sh | sh

OR

yum install socat git
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install

You’ll see it download and install the acme.sh script into ~/.acme.sh, and it also adds a daily cron entry that checks for renewals. Note that piping get.acme.sh straight into sh executes whatever the server returns; if that worries you, download the installer first, read it, and then run it, or use the git clone method above.

Step 3

Issuing a wildcard certificate via the command line :
Wildcards can only be validated with the DNS-01 challenge, so this command (DNS manual mode) will ask you to add some DNS TXT records for validation. Adding those records is necessary; otherwise issuance will fail.

acme.sh  --issue -d mysterydata.com  -d  *.mysterydata.com  --dns --force

if you’re getting :
It seems that you are using dns manual mode. Read this link first: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode

then run this command (recommended):

acme.sh  --issue -d mysterydata.com  -d  *.mysterydata.com  --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

* replace mysterydata.com with your domain name

After you run this command it will ask you to add TXT records like the ones below :

[root@demo ~]# acme.sh  --issue -d mysterydata.com  -d  *.mysterydata.com  --dns --force
[Wed Mar 14 10:18:10 EDT 2018] Registering account
[Wed Mar 14 10:18:13 EDT 2018] Registered
[Wed Mar 14 10:18:13 EDT 2018] ACCOUNT_THUMBPRINT='MO7DtJidci1tp4CNPDUbQA0_jPjR3tKy8uQE-Q_Bb7k'
[Wed Mar 14 10:18:13 EDT 2018] Creating domain key
[Wed Mar 14 10:18:13 EDT 2018] The domain key is here: /root/.acme.sh/mysterydata.com/mysterydata.com.key
[Wed Mar 14 10:18:13 EDT 2018] Multi domain='DNS:mysterydata.com,DNS:*.mysterydata.com'
[Wed Mar 14 10:18:13 EDT 2018] Getting domain auth token for each domain
[Wed Mar 14 10:18:15 EDT 2018] Getting webroot for domain='mysterydata.com'
[Wed Mar 14 10:18:15 EDT 2018] Getting webroot for domain='*.mysterydata.com'
[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.mysterydata.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ'
[Wed Mar 14 10:18:15 EDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 14 10:18:15 EDT 2018] so the resulting subdomain will be: _acme-challenge.mysterydata.com
[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.mysterydata.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko'
[Wed Mar 14 10:18:15 EDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 14 10:18:15 EDT 2018] so the resulting subdomain will be: _acme-challenge.mysterydata.com
[Wed Mar 14 10:18:15 EDT 2018] Please add the TXT records to the domains, and retry again.
[Wed Mar 14 10:18:15 EDT 2018] Please add '--debug' or '--log' to check more details.
[Wed Mar 14 10:18:15 EDT 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

The TXT records you have to add are the two blocks shown here :

[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.mysterydata.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ'

[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.mysterydata.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko'

Now add these records to your DNS zone. Don’t copy the values from this example; use the actual TXT values shown on your own console. Only the TXT records are needed for the DNS-01 challenge (an A record for _acme-challenge is not required). Both records live at the same name, one per -d name (apex and wildcard), so both must exist at the same time; do not replace the first with the second :

TXT record _acme-challenge.mysterydata.com
value : “YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ”

TXT record _acme-challenge.mysterydata.com
value : “j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko”

Also add a wildcard DNS record so that the subdomains actually resolve (replace the IP with your server’s) :

*.mysterydata.com. 14400 IN A 107.152.32.123

* replace mysterydata.com with your domain name

Ultimately the DNS zone will contain the two _acme-challenge TXT records plus the wildcard A record above.

Step 4 :

After adding the DNS records, wait for DNS propagation and run this command to issue the certs :

acme.sh  --renew  -d mysterydata.com  -d  *.mysterydata.com  --dns --force

* replace mysterydata.com with your domain name

Or (recommended) :

acme.sh  --renew  -d mysterydata.com  -d  *.mysterydata.com  --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

* replace mysterydata.com with your domain name

This is DNS manual mode, so it cannot be renewed automatically: every renewal gives you fresh TXT values that you must add to your zone by hand (the old ones can then be removed).

You can check whether the TXT records are visible with this command. Let’s Encrypt validates against your zone’s authoritative nameservers, so if your local resolver is still caching an old answer, query a nameserver directly by appending @<your nameserver> :

dig -t txt _acme-challenge.mysterydata.com

* replace mysterydata.com with your domain name
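Before re-running `acme.sh --renew`, a practitioner wants to know that every TXT value is visible at every authoritative nameserver, not just at a caching resolver. The script below is an added example, not code from the original post or from acme.sh: it looks up the zone’s NS records, queries each server for `_acme-challenge.<zone>`, and reports which tokens are still missing. The domain and the token values in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post or of acme.sh): confirm that
# every TXT value acme.sh printed is visible at the zone's AUTHORITATIVE
# nameservers before re-running `acme.sh --renew`. Let's Encrypt validates
# DNS-01 against the authoritative servers, so a cached answer from the local
# resolver proves nothing. Requires dig (bind-utils / dnsutils).
set -u

# Print the authoritative nameservers of a zone, one per line.
auth_nameservers() {
  dig +short NS "$1"
}

# Print the TXT values at "name" as seen by one nameserver, quotes stripped.
txt_at_server() {
  dig +short @"$1" TXT "$2" | tr -d '"'
}

# missing_values <dig-output> <expected-value>...
# Prints each expected value that does not appear as a whole line in the
# dig output (whole-line match, so a truncated token does not pass).
# Returns 0 when nothing is missing, 1 otherwise.
missing_values() {
  local output=$1 rc=0 value
  shift
  for value in "$@"; do
    if ! printf '%s\n' "$output" | grep -Fqx -- "$value"; then
      printf '%s\n' "$value"
      rc=1
    fi
  done
  return "$rc"
}

# check_challenge <zone> <token>...
# Checks _acme-challenge.<zone> on every authoritative server. Both tokens
# (one per -d name: apex and wildcard) must be present at the same time.
check_challenge() {
  local zone=$1 ns name rc=0 missing
  shift
  name="_acme-challenge.$zone"
  for ns in $(auth_nameservers "$zone"); do
    if missing=$(missing_values "$(txt_at_server "$ns" "$name")" "$@"); then
      echo "OK      $ns has all $# token(s) for $name"
    else
      echo "WAITING $ns is missing: $(echo "$missing" | tr '\n' ' ')"
      rc=1
    fi
  done
  return "$rc"
}

# Usage (placeholder values; take yours from the acme.sh output):
#   check_challenge mysterydata.com \
#       YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ \
#       j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko
```

Run it in a loop (for example every 30 seconds) until every server reports OK, then run the `acme.sh --renew` command from Step 4; a single WAITING line means Let’s Encrypt may still pick the stale server and fail the challenge.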

All set; you’ll see the certs are issued successfully. The cert, chain file and private key are saved under :

/root/.acme.sh/yourdomain.com

with the names :
mysterydata.com.cer <<=== Cert file (leaf only)
mysterydata.com.key <<=== Private Key (keep it readable by root only)
ca.cer <<=== CA chain (intermediates only)
fullchain.cer <<=== Cert file plus CA chain (bundle)

Now you can use these files in your SSL vhost; just update/add the paths (see the Apache or nginx documentation for a basic SSL vhost). Note that acme.sh treats ~/.acme.sh as internal state, so for production the recommended approach is acme.sh --install-cert, which copies the files to paths you choose and runs a reload command after every renewal.

Also ensure you’ve enabled a wildcard ServerAlias (Apache) or server_name (nginx) in the vhost, or use multiple vhosts with the same cert paths as mentioned below.

apache (2.4.8 and later read the chain from SSLCertificateFile, so you can point it at fullchain.cer and drop SSLCertificateChainFile; on older versions use the leaf plus ca.cer as below) :

SSLCertificateFile /root/.acme.sh/mysterydata.com/mysterydata.com.cer
SSLCertificateKeyFile /root/.acme.sh/mysterydata.com/mysterydata.com.key
SSLCertificateChainFile /root/.acme.sh/mysterydata.com/ca.cer

nginx :

ssl_certificate     /root/.acme.sh/mysterydata.com/fullchain.cer;
ssl_certificate_key /root/.acme.sh/mysterydata.com/mysterydata.com.key;

* replace mysterydata.com with your domain name
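Two things worth doing right after issuance, shown here as an added example that is not code from the original post or from acme.sh: deploy the files out of ~/.acme.sh into a path the web server owns with a reload hook that acme.sh repeats on each renewal, and verify that the certificate’s Subject Alternative Names actually cover the hosts you serve. The destination directory /etc/ssl/mysterydata.com and the `systemctl reload nginx` command are assumptions; adjust them to your layout.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or from acme.sh).
#  1. deploy_cert: copy the files to a stable path via `acme.sh --install-cert`;
#     acme.sh remembers the paths and the reload command and repeats them after
#     every successful renewal.
#  2. cert_covers: parse the certificate's DNS SANs with openssl and check that
#     each host you serve is covered, using real wildcard matching rules.
# Paths under /etc/ssl/<domain> and the reload command are assumptions.
set -u

# deploy_cert <domain> [dest-dir]  -- run once, as the user owning ~/.acme.sh
deploy_cert() {
  local domain=$1 dest=${2:-/etc/ssl/$1}
  install -d -m 0750 "$dest" &&
  acme.sh --install-cert -d "$domain" \
    --key-file       "$dest/privkey.pem" \
    --fullchain-file "$dest/fullchain.pem" \
    --reloadcmd      "systemctl reload nginx"
}

# Read the text form of the SAN extension on stdin, print DNS names only.
san_dns_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the DNS SANs of the first certificate in a PEM file (the leaf in
# fullchain.cer), one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | san_dns_names
}

# name_covered <host> <san>...
# A wildcard SAN matches exactly one label: *.example.com covers
# www.example.com but neither example.com nor a.b.example.com. That is why
# the apex and the wildcard are both passed to -d in this tutorial.
name_covered() {
  local host=$1 san
  shift
  for san in "$@"; do
    case $san in
      '*.'*)
        # host must have a first label, and everything after it must equal
        # the wildcard's suffix
        [ "${host#*.}" = "${san#\*.}" ] && [ "${host%%.*}" != "$host" ] && return 0
        ;;
      *)
        [ "$host" = "$san" ] && return 0
        ;;
    esac
  done
  return 1
}

# cert_covers <cert.pem> <host>...
# Exit 0 only if every host is covered; prints the ones that are not.
cert_covers() {
  local cert=$1 host rc=0 sans
  shift
  sans=$(cert_dns_names "$cert")
  set -f   # stop the shell from glob-expanding "*.example.com"
  for host in "$@"; do
    # shellcheck disable=SC2086
    name_covered "$host" $sans || { echo "NOT COVERED: $host"; rc=1; }
  done
  set +f
  return "$rc"
}

# Usage (paths assumed):
#   deploy_cert mysterydata.com
#   cert_covers /etc/ssl/mysterydata.com/fullchain.pem \
#       mysterydata.com www.mysterydata.com blog.mysterydata.com
```

If cert_covers reports a host as not covered, the fix is on the acme.sh side (add the name with another -d and re-issue), not in the vhost: a second-level name such as dev.blog.mysterydata.com needs its own entry or its own wildcard.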

Step 5 :

To renew the certs you just need to run this command before the 90-day validity runs out (renewing at around 60 days is the usual choice). Update the TXT DNS records if prompted, as described in step 3 :

acme.sh --issue -d mysterydata.com -d *.mysterydata.com --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

or

acme.sh --renew -d mysterydata.com -d *.mysterydata.com --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

* replace mysterydata.com with your domain name

Automatic Cert Renew (only if you used a DNS API so acme.sh can add the TXT records itself):

For more info about the DNS API and how to use it, visit the official page : https://github.com/Neilpang/acme.sh/tree/master/dnsapi . To auto-renew via cron, add this daily entry (acme.sh --install already adds an equivalent one, so check crontab -l first to avoid a duplicate; the cron line goes in the crontab, not on the shell prompt) :

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null 

That’s it, you’ve enabled Let’s Encrypt wildcard SSL. Let me know if you find this article helpful 🙂

LucasT (Guest)

Thanks! Working !

Trung (Guest)

Hi
I run this command
acme.sh --issue -d mydomain.com -d *.mydomain.com --dns --force
and it shows
It seems that you are using dns manual mode. Read this link first: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode
What can I do to upgrade my existing Let’s encrypt SSL with Let’s encrypt SSL Wildcard

Thanks

Stevarino (Guest)

Made it to the last part of step 4, generated the .cer, .key, and fullchain.cer – they reside in the location as specified above. Now, I’m stumped as to what to do next. I’m using Hostinger and thought that installing the generated cert and key in their SSL panel would work. It did install after copying and pasting the .cer and .key values but my sub-domains are not secured. Any more insight into this would be greatly appreciated!

DanCue (Guest)

I’m getting an error when trying to set a cron job for auto renewal. -bash: 0: command not found. my path is /home/DanCue/ instead of root so I used:

0 0 * * * /home/DanCue/.acme.sh/acme.sh --cron --home /home/DanCue/.acme.sh

Any help with this would be appreciated.

DanCue (Guest)

I can run it manually.
$ /home/DanCue/.acme.sh/acme.sh --cron --home /home/DanCue/.acme.sh
[Sat Sep 1 12:29:58 EDT 2018] ===Starting cron===
[Sat Sep 1 12:29:58 EDT 2018] Renew: 'example.com'
[Sat Sep 1 12:29:58 EDT 2018] Skip, Next renewal time is: Wed Oct 31 02:26:43 UTC 2018
[Sat Sep 1 12:29:58 EDT 2018] Add '--force' to force to renew.
[Sat Sep 1 12:29:58 EDT 2018] Skipped example.com
[Sat Sep 1 12:29:58 EDT 2018] ===End cron===

Dan (Guest)

chmod +x /home/DanCue/.acme.sh/acme.sh

Lafin (Guest)

I accidentally removed the verify hashcode; do we have any chance to get them back?

I use Centos x64 7.6, VestaCP and DNS of Godaddy.com