Install Let’s Encrypt Wildcard SSL Certificate With Nginx

Secure a Website with a Let’s Encrypt Wildcard SSL Certificate

Steps:

1. Install Let’s Encrypt on Ubuntu 16.04 server
2. Install Nginx
3. Setup DNS to serve all the subdomains
4. Obtaining wildcard ssl certificate from Let’s Encrypt
5. Configuring Nginx to serve wildcard subdomains
6. Test and restart Nginx

Step 1: Installing Let’s Encrypt on Ubuntu 16.04 server

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Step 2: Installing Nginx

$ sudo apt-get update
$ sudo apt-get install nginx

Step 3: Setup DNS to serve all the subdomains

Create a custom A record, HOST * POINTS TO: your IP address (e.g. 143.21.0.18)
Create a custom A record, HOST @ POINTS TO: your IP address (e.g. 143.21.0.18)
Add a CNAME record, HOST www POINTS TO @ (the apex record, i.e. your IP address).

Step 4: Obtaining wildcard ssl certificate from Let’s Encrypt

$ sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d '*.example.com' --manual --preferred-challenges dns-01 certonly

You’ll be prompted to enter your email address for urgent renewal and security notices. Read and agree to the terms and conditions and answer (Y)es to the subsequent questions.
Note that a wildcard name covers exactly one label: *.example.com matches www.example.com but not the bare example.com (the @ record from Step 3). If the apex should be served over HTTPS too, also pass -d example.com in the command above.

Once certbot displays the DNS TXT challenge (a host name and a value), log in to your domain’s DNS panel and add a TXT record with that host name and value.

And then press Enter.

After you add the TXT record, confirm the DNS has updated before you press Enter. You can check whether the record is visible using dig:

$ dig _acme-challenge.pasls.com TXT # checking at the local DNS server
$ dig @8.8.8.8 _acme-challenge.pasls.com TXT # checking at Google’s public DNS server

Once you see the challenge text in the ANSWER SECTION, press Enter in the certbot terminal.
Note:- Replace example.com (and pasls.com in the dig commands) with your domain name.
Deploy the DNS TXT record provided by Let’s Encrypt certbot after running the above command; that record is what proves control of the domain.

Step 5: Configuring Nginx to serve wildcard subdomains

Open the file with sudo vi /etc/nginx/sites-available/default and add the following server blocks to it:

# Port 80: redirect every subdomain to HTTPS
server {
   listen 80;
   listen [::]:80;
   server_name *.example.com;
   return 301 https://$host$request_uri;
}
 
# Port 443: serve the wildcard subdomains over TLS
server {
   listen 443 ssl;
   listen [::]:443 ssl;
   server_name *.example.com;
   ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
   # the private key must be given with ssl_certificate_key, not a second ssl_certificate
   ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
   include /etc/letsencrypt/options-ssl-nginx.conf;
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
   root /var/www/example.com;
   index index.html;
   location / {
      try_files $uri $uri/ =404;
   }
}


Note:- Replace example.com with your domain name.
The first server block listens on port 80 and redirects every request to HTTPS, which is served by the second server block listening on port 443. The private key has to be referenced with ssl_certificate_key; listing privkey.pem under a second ssl_certificate directive makes nginx treat it as another certificate. If /etc/letsencrypt/options-ssl-nginx.conf or ssl-dhparams.pem does not exist on your server (certbot’s nginx plugin creates them, a certonly --manual run may not), nginx -t in Step 6 will report the missing file.

Step 6: Test and restart Nginx

Test the Nginx configuration:

$ sudo nginx -t

If the test succeeds, reload Nginx:

$ sudo /etc/init.d/nginx reload

Nginx is now set up to handle wildcard subdomains.
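As an added example (not part of this tutorial or of certbot), the script below applies the wildcard-matching rule browsers use to the SAN names of a certificate, so you can see that the *.example.com requested in Step 4 covers www.example.com and api.example.com but not the bare example.com or a.b.example.com. The fetch_san_names helper (assumed, needs network) pulls the SAN list from your live server after Step 6 so the same check can be run against the certificate nginx actually serves; the SAN lists and host names at the bottom are constructed sample data.

```python
"""Check which host names a Let's Encrypt wildcard certificate covers."""
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a host name the way browsers do:
    '*' may only be the whole left-most label and matches exactly one
    label, never zero and never more than one (public-suffix rules omitted)."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or any('*' in l for l in p_labels[1:]):
        return False  # rejects "*.com", "a*.example.com", "*.*.example.com"
    return (len(h_labels) == len(p_labels) and h_labels[0] != ''
            and h_labels[1:] == p_labels[1:])


def coverage(san_names, hostnames):
    """Return {hostname: covering SAN name or None} for every host name."""
    return {host: next((san for san in san_names if wildcard_matches(san, host)), None)
            for host in hostnames}


def fetch_san_names(host, port=443):
    """Assumed helper: read the dNSName SANs from a live TLS server (needs
    network). Run it against your server after Step 6 to confirm nginx is
    serving the certificate you obtained in Step 4."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']


# Constructed sample: SANs of a certificate requested with only -d '*.example.com' ...
WILDCARD_ONLY = ['*.example.com']
# ... and of one requested with -d example.com -d '*.example.com'
WILDCARD_PLUS_APEX = ['example.com', '*.example.com']
# Constructed sample: the names the DNS records from Step 3 make reachable
HOSTS = ['example.com', 'www.example.com', 'api.example.com', 'a.b.example.com']

if __name__ == '__main__':
    for label, sans in (('wildcard only', WILDCARD_ONLY), ('wildcard + apex', WILDCARD_PLUS_APEX)):
        print(label, coverage(sans, HOSTS))
```

Replace the constructed SAN list with fetch_san_names('www.example.com') to check the certificate your own server presents.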

References:

https://blog.codeship.com/how-to-deploy-wildcard-ssl-certificates-using-lets-encrypt/
https://medium.com/@utkarsh_verma/how-to-obtain-a-wildcard-ssl-certificate-from-lets-encrypt-and-setup-nginx-to-use-wildcard-cfb050c8b33f