Secure a Webite with Let’s Encrypt Wild card SSL Certificate
Steps:
1. Install Let’s Encrypt on Ubuntu 16.04 server
2. Install Nginx
3. Setup DNS to serve all the subdomains
4. Obtaining wildcard ssl certificate from Let’s Encrypt
5. Configuring Nginx to serve wildcard subdomains
6. Test and restart Nginx
Step1: Installing Let’s Encrypt on Ubuntu 16.04 server
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
Step 2: Installing Nginx
$ sudo apt-get update
$ sudo apt-get install nginx
Step 3: Setup DNS to serve all the subdomains
Create a custom A record, HOST * POINTS TO: Your IP Address(Eg: 143.21.0.18)
Create a custom A record, HOST @ POINTS TO: Your IP Address(Eg: 143.21.0.18)
Add a CNAME record, HOST www POINTS TO @ this refers to your IP address.
Step 4: Obtaining wildcard ssl certificate from Let’s Encrypt
$ sudo certbot –server https://acme-v02.api.letsencrypt.org/directory -d *.example.com –manual –preferred-challenges dns-01 certonly
You’ll be prompted to enter your email address for urgent renewal and security notices. Read and agree to the terms and conditions and answer (Y)es to the subsequent questions.
Once you get the DNS TXT as it can be seen below you have to login domain panel after that add this value and host name there.
And then hit enter.
After you add the said TXT record, confirm the DNS has updated before you hit enter. You can check if the DNS has been properly updated using dig
$ dig _acme-challenge.pasls.com TXT # checking in local DNS server
$ dig @8.8.8.8 _acme-challenge.pasls.com TXT # checking at Google DNS server
Once you see the challenge text in the answer section, press Enter in the certbot terminal.
Note:- Replace example.com with your domain name
Deploy a DNS TXT record provided by Let’s Encrypt certbot after running the above command
Step 5: Configuring Nginx to serve wildcard subdomains
Open the file sudo vi /etc/nginx/sites-available/default and the following code in the file
server {
listen 80;
listen [::]:80;
server_name *.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name *.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
root /var/www/example.com;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Note:- Replace example.com with your domain name.
The above server block is listening on port 80 and redirects the request to the server block below it that is listening on port 443.
Step 6: Test and restart Nginx
Test Nginx configuration using sudo nginx -t
If it’s successful reload Nginx using sudo /etc/init.d/nginx reload
Nginx is now setup to handle wildcard subdomains.
Refrences:
https://blog.codeship.com/how-to-deploy-wildcard-ssl-certificates-using-lets-encrypt/
https://medium.com/@utkarsh_verma/how-to-obtain-a-wildcard-ssl-certificate-from-lets-encrypt-and-setup-nginx-to-use-wildcard-cfb050c8b33f