This document explains how to add a wildcard SSL/TLS certificate to a server
to enable encrypted (HTTPS) communication. We will use Let's Encrypt
to create the certificate.
Note that the setup process requires access to the DNS zone of the domain, because
the dns-01 challenge used for wildcard certificates is verified through a TXT record.
Setting or updating DNS records depends on the respective hosting/domain provider and is thus
not covered in detail in this tutorial.
# Add a wildcard A record in your provider's DNS settings:
*.[your_wildcard_domain] IN A [your_ip]
In order to get an SSL certificate we first need a domain name that points to the
server we want to issue the certificate for.
For our example we will use the domain *.slaptest.erp5.net, which points
to our sample server 22.214.171.124. DNS updates have to be made with
your respective domain/hosting provider. In our case, we need to add the
following wildcard A record to our (own!) DNS zone. Note that a CNAME cannot
point to an IP address; a record whose value is an IP address has to be an
A (or, for IPv6, AAAA) record:
*.slaptest.erp5.net IN A 22.214.171.124
DNS changes can take up to 48h to propagate (in practice the TTL of the record
decides how long old answers stay cached). You can check whether
your DNS update is working by opening a terminal and verifying that you can ping
an arbitrary host name under the wildcard, e.g. a.slaptest.erp5.net:
chronos@localhost ~/Downloads $ ping a.slaptest.erp5.net
PING a.slaptest.erp5.net (22.214.171.124) 56(84) bytes of data.
64 bytes from 22.214.171.124: icmp_seq=1 ttl=52 time=21.1 ms
64 bytes from 22.214.171.124: icmp_seq=2 ttl=52 time=17.1 ms
64 bytes from 22.214.171.124: icmp_seq=3 ttl=52 time=17.2 ms
--- a.slaptest.erp5.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 17.103/18.528/21.186/1.881 ms
Let's Encrypt will be used for creating
a wildcard SSL certificate (see the quick info on how Let's Encrypt works).
There are different ACME clients available; both Certbot and Dehydrated support
wildcard certificate issuance at the time of writing. The following
steps are done using Certbot and follow the steps described in
this blog post.
$ sudo su
# wget https://dl.eff.org/certbot-auto
# chmod a+x ./certbot-auto
# ./certbot-auto
To begin, ssh into your server and install Certbot using wget as shown above
(we switched to root with sudo su, so no further sudo is needed). You are about
to execute a script downloaded from the internet as root, so check it against the
detached signature (certbot-auto.asc) that EFF publishes next to it before running it.
Note also that certbot-auto has since been deprecated by EFF in favour of the snap
and pip installation methods documented at certbot.eff.org; the certonly workflow
below is the same for a current certbot. Certbot will
probably report an error at the end that it was not able to find the
executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
and that it doesn't know how to automatically configure the web server on
this system. As we will only be using the certonly command in the
next step, it is fine to continue.
# ./certbot-auto certonly \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --manual --preferred-challenges dns \
    -d '*.slaptest.erp5.net'
Once installation has finished, run certbot as shown above. The wildcard name is
quoted so that the shell does not glob-expand it. A wildcard certificate covers only
one label level (a.slaptest.erp5.net, but neither slaptest.erp5.net itself nor
a.b.slaptest.erp5.net), so add -d slaptest.erp5.net as well if the bare domain
should be covered by the same certificate.
Note that this command uses the https://acme-v02.api.letsencrypt.org/directory
production API endpoint; wildcard certificates are only available through the ACME v2
API. If you want to experiment without running into the
Let's Encrypt production rate limits while testing certificate generation, you can also
use the staging endpoint described here.
Also note that there are two types of challenges for verifying that you control
a domain: http-01, which requires a web server serving a challenge file for every
domain, and dns-01, which is used here and requires a TXT record to be published
directly in the DNS zone. Wildcard certificates can only be validated with dns-01.
Because --manual is used, renewing the certificate will again require publishing a
new TXT record interactively, unless you supply --manual-auth-hook and
--manual-cleanup-hook scripts that update your DNS. For more
information on how Certbot and Dehydrated use hooks for DNS challenges,
have a look at the Let's Encrypt documentation.
Provide an email address (optional, but it is where expiry warnings are sent) and answer the questions until you receive a challenge.
Please deploy a DNS TXT record under the name
_acme-challenge.slaptest.erp5.net with the following value:
Before continuing, verify the record is deployed.
Press Enter to Continue
During the certificate generation you will eventually be presented with the
above message. Head over to your DNS server and add the record to the zone
file used by your domain (erp5.net in our case). Keep in mind that the TTL
(10800 seconds below) is how long a wrong value would stay cached in resolvers,
so a shorter TTL makes corrections cheaper:
_acme-challenge.slaptest 10800 IN TXT "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"
# check whether the token is visible yet, using dnsutils in another terminal
root@slapostest2:/# apt-get install dnsutils
root@slapostest2:/# nslookup -type=TXT _acme-challenge.slaptest.erp5.net
*** Can't find _acme-challenge.slaptest.erp5.net: No answer
DNS changes can need up to 48h to propagate. You can check whether the
token is already visible by installing dnsutils and calling nslookup as shown.
Once you receive a Non-authoritative answer: containing the token you saved, you
can continue the certificate issuance. Note that nslookup asks your local resolver,
which may have cached the earlier "No answer" for the zone's negative TTL; querying
the zone's authoritative nameservers directly (dig TXT _acme-challenge.slaptest.erp5.net @nameserver)
shows whether the record is really published, and those are the servers the CA's
validation will ask.
- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-06-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Once the process has completed you will receive the
above message informing you that your certificate and chain have been saved.
The files required to continue can be found in the directory mentioned
(/etc/letsencrypt/live/<domain>/ by default; for a wildcard lineage certbot
names the directory after the domain without the leading *.):
# ls /etc/letsencrypt/live/slaptest.erp5.net/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
Check the Certbot
documentation for more information on the location of the certificate files
and this Stack Overflow answer for the different file formats. The files under
live/ are symlinks into /etc/letsencrypt/archive/, so configure your web server
with these paths rather than copying them. Point the server at fullchain.pem
(the certificate plus the intermediate chain, which clients need to build a
trust path) together with privkey.pem, and keep privkey.pem readable by root only.
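Before reloading the web server it is worth confirming that the files belong together and cover the names you expect. The following script is an added example, not part of the original tutorial or of Certbot; it assumes openssl 1.1.1 or newer on the PATH, and the directory in the usage line is the tutorial's default certbot live directory.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: sanity-check an issued
# certificate before pointing a web server at it. Assumes openssl 1.1.1 or
# newer; the directory in the usage line is the tutorial's live directory.
set -u

# cert_san_names CERT: print the DNS names from the subjectAltName extension,
# one per line (browsers match only SANs, the CN is ignored).
cert_san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' \
    | grep -v '^$'
}

# cert_has_san CERT NAME: succeed if NAME is exactly one of the DNS SANs.
# A SAN of *.slaptest.erp5.net does not cover slaptest.erp5.net itself.
cert_has_san() {
  cert_san_names "$1" | grep -Fxq -- "$2"
}

# cert_key_match CERT KEY: succeed if the public key inside CERT is the one
# derived from KEY, i.e. the two files belong together.
cert_key_match() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1)
  from_key=$(openssl pkey -in "$2" -pubout -outform DER | sha256sum | cut -d' ' -f1)
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_expires_within CERT SECONDS: succeed if CERT expires within SECONDS
# (openssl -checkend succeeds when the certificate will still be valid).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# key_is_private KEY: succeed only if the key file is readable by its owner alone.
# -L follows the live/ symlink to the real file in archive/.
key_is_private() {
  [ "$(stat -L -c '%a' "$1")" = "600" ]
}

# check_lineage DIR NAME: run all checks against a certbot live directory.
check_lineage() {
  local dir="$1" name="$2" rc=0
  cert_has_san "$dir/cert.pem" "$name" || { echo "SAN $name missing" >&2; rc=1; }
  cert_key_match "$dir/cert.pem" "$dir/privkey.pem" || { echo "cert/key mismatch" >&2; rc=1; }
  cert_expires_within "$dir/cert.pem" $((30 * 86400)) && { echo "expires within 30 days, renew" >&2; rc=1; }
  key_is_private "$dir/privkey.pem" || { echo "privkey.pem is not mode 600" >&2; rc=1; }
  return "$rc"
}

# Usage: ./check_cert.sh /etc/letsencrypt/live/slaptest.erp5.net '*.slaptest.erp5.net'
if [ "$#" -eq 2 ]; then
  check_lineage "$1" "$2"
fi
```

Running it against the live directory right after issuance should pass silently; a non-zero exit with "SAN ... missing" usually means the bare domain was not included as a second -d argument, and "cert/key mismatch" means a privkey.pem from a different lineage is being referenced.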