
OSTV HowTo - Request and Setup A Wildcard SSL Certificate

TRACK - Document showing how to add a wildcard SSL certificate created by Letsencrypt.
  • Last Update:2018-10-15
  • Version:002
  • Language:en

HowTo Request and Setup a Wildcard SSL Certificate

This document will explain how to add a wildcard SSL certificate to a server to enable SSL communication. We will use Letsencrypt to create the certificate.

Note that the setup process will require access to a DNS server.

Table of Contents

  • DNS Update
  • Requesting SSL Certificate

DNS Update

Setting/Updating DNS depends on the respective hosting domain/provider and is thus not covered in detail in this tutorial.

Creating CNAME Record

# Add a CNAME to your provider's DNS settings:

*.[your_wildcard_domain] CNAME IN [your_ip]

In order to get an SSL certificate we first need a domain that points to the server we want to provide the SSL certificate for.

For our example we will use the domain *.slaptest.erp5.net, which points to our sample server 167.114.246.26. DNS updates have to be made with your respective domain/hosting provider. In our case, we need to add the following CNAME to our (own!) DNS settings:

*.slaptest.erp5.net CNAME IN 167.114.246.26

DNS changes usually take up to 48h to propagate. You can check whether your DNS update has propagated by opening a terminal and verifying that you can ping your domain:

chronos@localhost ~/Downloads $ ping a.slaptest.erp5.net
PING a.slaptest.erp5.net (167.114.246.26) 56(84) bytes of data.
64 bytes from ip-167-114-246.eu (167.114.246.26): icmp_seq=1 ttl=52 time=21.1 ms
64 bytes from ip-167-114-246.eu (167.114.246.26): icmp_seq=2 ttl=52 time=17.1 ms
64 bytes from ip-167-114-246.eu (167.114.246.26): icmp_seq=3 ttl=52 time=17.2 ms
^C
--- a.slaptest.erp5.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 17.103/18.528/21.186/1.881 ms

Requesting SSL Certificate

Letsencrypt will be used to create a wildcard SSL certificate (quick info on how Letsencrypt works). Several clients are available; both Certbot and Dehydrated support wildcard SSL certificate issuance at the time of writing. The following steps use Certbot and follow the steps described in this blog post.

Install Certbot

$ sudo su
# wget https://dl.eff.org/certbot-auto
(...)
# chmod a+x ./certbot-auto
# sudo ./certbot-auto

To begin, SSH into your server and install Certbot using wget. Certbot will probably report an error at the end that it was not able to find the executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin and that it doesn't know how to automatically configure the web server on this system. As we will only be using the certonly command in the next step, it is fine to continue.

Run Certbot

# quote the wildcard so the shell does not try to expand it against local file names
sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d '*.slaptest.erp5.net'

Once installation has finished, run certbot as shown above.

Note that this command uses the https://acme-v02.api.letsencrypt.org/directory production API endpoint. If you want to experiment without running into the Letsencrypt production rate limits while testing certificate generation, you can use one of the staging endpoints described here.

Also note that there are two types of challenges for verifying that you control a domain: http-01, which requires setting up a web server and serving a challenge file for every domain, and dns-01, used here, where a TXT record has to be set directly on the DNS server. For more information on how Letsencrypt and Dehydrated use hooks for DNS challenges, have a look at letsencrypt domain verification.

Provide an email address (optional) and answer the questions until you are presented with a challenge.

DNS TXT Challenge Record

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.slaptest.erp5.net with the following value:
 
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

During the certificate generation you will eventually be presented with the above message. Head over to your DNS server and add the record in the zone file used by your domain (erp5.net in our case):

_acme-challenge.slaptest 10800 IN TXT "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"

Verify DNS Challenge

# try to request token using dnsutils in another terminal
root@slapostest2:/# sudo apt-get install dnsutils
(...)
root@slapostest2:/# nslookup -type=TXT _acme-challenge.slaptest.erp5.net
Server:         xxx.xxx.xx.xx
Address:        xxx.xxx.xx.xx#xx

Non-authoritative answer:
*** Can't find _acme-challenge.slaptest.erp5.net: No answer

DNS changes need up to 48h to propagate. You can check whether the token can be retrieved by installing dnsutils and calling nslookup as shown above. Once the lookup returns a Non-authoritative answer containing the saved token, you can continue the certificate issuance.
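Both waiting steps in this HowTo (the wildcard CNAME after "DNS Update" and the _acme-challenge TXT record here) are checked by hand with ping and nslookup. The script below is an added example and not part of the original HowTo or of Certbot: it checks that arbitrary labels under the wildcard resolve to the expected address, writes the zone-file line for the challenge record, and polls the authoritative nameservers of the zone until every one of them returns the token. It assumes dig (Debian package dnsutils) is installed; the domain, address and zone are the HowTo's sample values, and the token is a placeholder. Two caveats it encodes: a CNAME target is a hostname rather than an address, so resolvers expect an A record when a wildcard is to point at an IP address directly, and Let's Encrypt validates dns-01 against the authoritative servers, so a cached answer (or "No answer") from the local resolver says little about whether it is safe to press Enter.

```bash
#!/bin/sh
# Added example, not part of the original HowTo: DNS checks for the two
# waiting steps. Assumes dig (Debian package dnsutils) is installed; the
# domain, address and zone are the HowTo's sample values and the token is
# a placeholder.

# Thin wrappers around dig so the lookups can be swapped out (e.g. in a test).
lookup_a() {            # A records of a name, one address per line
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}
lookup_txt() {          # TXT values of a name, asked from one server
    dig +short TXT "$1" @"$2" | tr -d '"'
}
zone_nameservers() {    # NS records of a name (empty unless it is a zone apex)
    dig +short NS "$1"
}

# check_wildcard DOMAIN EXPECTED_IP
# Unrelated labels under the wildcard must all resolve to EXPECTED_IP. One
# fixed name resolving could be an explicit record; only arbitrary labels
# prove the wildcard entry is live.
check_wildcard() {
    domain=$1; expected=$2
    for label in a wildcard-probe "probe$$"; do
        found=0
        for addr in $(lookup_a "$label.$domain" || true); do
            [ "$addr" = "$expected" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$label.$domain does not resolve to $expected" >&2
            return 1
        fi
    done
}

# challenge_record_line DOMAIN ZONE TOKEN [TTL]
# Zone-file line for the dns-01 record, owner name written relative to ZONE
# (as in the HowTo, where slaptest.erp5.net lives in the erp5.net zone).
challenge_record_line() {
    domain=$1; zone=$2; token=$3; ttl=${4:-10800}
    rel=${domain%.$zone}
    if [ "$domain" = "$zone" ]; then
        name=_acme-challenge
    elif [ "$rel" != "$domain" ]; then
        name=_acme-challenge.$rel
    else
        echo "$domain is not inside zone $zone" >&2
        return 1
    fi
    printf '%s %s IN TXT "%s"\n' "$name" "$ttl" "$token"
}

# find_zone_ns NAME: nameservers of the closest enclosing zone. Walks up one
# label at a time and stops before the TLD, so a missing zone is an error
# rather than the TLD's servers.
find_zone_ns() {
    n=$1
    while :; do
        ns=$(zone_nameservers "$n" || true)
        if [ -n "$ns" ]; then echo "$ns"; return 0; fi
        case "$n" in *.*.*) n=${n#*.} ;; *) return 1 ;; esac
    done
}

# wait_for_txt NAME TOKEN [TRIES] [DELAY]
# Polls every authoritative server of the zone until all of them return TOKEN.
# The zone walk starts at the parent of NAME, because NAME itself may be
# matched by the wildcard record until the TXT record exists.
wait_for_txt() {
    name=$1; token=$2; tries=${3:-24}; delay=${4:-5}
    servers=$(find_zone_ns "${name#*.}") || { echo "no authoritative NS found for $name" >&2; return 1; }
    i=0
    while [ "$i" -lt "$tries" ]; do
        pending=""
        for ns in $servers; do
            lookup_txt "$name" "$ns" | grep -qxF "$token" || pending="$pending $ns"
        done
        if [ -z "$pending" ]; then
            echo "$name = \"$token\" on all authoritative servers"
            return 0
        fi
        i=$((i + 1))
        [ "$i" -lt "$tries" ] && sleep "$delay"
    done
    echo "record still missing on:$pending" >&2
    return 1
}

# Usage with the HowTo's sample values (the token is a placeholder):
#   check_wildcard slaptest.erp5.net 167.114.246.26
#   challenge_record_line slaptest.erp5.net erp5.net 5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
#   wait_for_txt _acme-challenge.slaptest.erp5.net 5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
```

Run wait_for_txt in a second terminal after adding the record and press Enter in Certbot only once it reports the token on every authoritative server; the same polling loop is what a --manual-auth-hook script would do before returning control to Certbot.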

Certificate Issued

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/slaptest.erp5.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/slaptest.erp5.net/privkey.pem
   Your cert will expire on 2018-06-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Once the process has completed, you will receive the above message informing you that your certificate is available.

The files required to continue can be found in the directory mentioned.

# ls /etc/letsencrypt/live/nms.nexedi.cn/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Check the Certbot documentation for more information on the location of the certificate files and Stack Overflow for information on the different formats.
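Before pointing a web server at the files in the live/ directory, it is worth checking that they are what you expect. The script below is an added example and not Certbot's or Nexedi's code: it lists the names in the certificate, decides whether a given hostname is covered (a wildcard covers exactly one label, so *.slaptest.erp5.net covers a.slaptest.erp5.net but neither slaptest.erp5.net itself nor b.a.slaptest.erp5.net), checks the remaining validity, checks that privkey.pem matches fullchain.pem, and checks that the private key is not readable by group or others. It assumes openssl is installed (1.1.1 or newer for the -addext option used by the sample generator); the directory and names are parameters, and make_sample_dir builds a constructed self-signed stand-in so the checks can be tried without a real Let's Encrypt certificate.

```bash
#!/bin/sh
# Added example, not Certbot's or Nexedi's code: sanity checks on the files in
# a /etc/letsencrypt/live/<name>/ directory before a web server uses them.
# Assumes openssl (1.1.1+ for -addext) is installed.

# DNS names the certificate was issued for (subjectAltName entries).
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# check_cert_name CERT NAME: NAME (e.g. the -d argument) must be a SAN entry.
check_cert_name() {
    cert_names "$1" | grep -qxF "$2"
}

# cert_covers CERT HOST: HOST is served by this certificate if it is a SAN
# entry itself, or if "*.parent" is one and HOST is exactly one label below
# parent.
cert_covers() {
    names=$(cert_names "$1")
    echo "$names" | grep -qxF "$2" && return 0
    case "$2" in
        *.*) echo "$names" | grep -qxF "*.${2#*.}" ;;
        *)   return 1 ;;
    esac
}

# check_cert_days CERT DAYS: fails if the leaf certificate expires within DAYS
# days (Let's Encrypt certificates are valid for 90 days).
check_cert_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_key_matches CERT KEY: the public key inside the certificate must be
# the one derived from the private key, or the server will refuse the pair.
check_key_matches() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_key_private KEY: no group/other permission bits on the private key.
check_key_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_live_dir DIR NAME [DAYS]: run every check and report all failures.
check_live_dir() {
    dir=$1; name=$2; days=${3:-30}; rc=0
    check_cert_name "$dir/fullchain.pem" "$name" || { echo "certificate does not list $name" >&2; rc=1; }
    check_cert_days "$dir/fullchain.pem" "$days" || { echo "certificate expires within $days days" >&2; rc=1; }
    check_key_matches "$dir/fullchain.pem" "$dir/privkey.pem" || { echo "privkey.pem does not match fullchain.pem" >&2; rc=1; }
    check_key_private "$dir/privkey.pem" || { echo "privkey.pem is readable by group/others" >&2; rc=1; }
    return "$rc"
}

# make_sample_dir DIR WILDCARD DAYS: constructed stand-in for a live/ directory
# (self-signed; only the file layout matches what Certbot writes).
make_sample_dir() {
    base=${2#\*.}
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:$base" 2>/dev/null
    chmod 600 "$1/privkey.pem"
}

# Usage on a real install (HowTo's sample name):
#   check_live_dir /etc/letsencrypt/live/slaptest.erp5.net '*.slaptest.erp5.net'
#   cert_covers /etc/letsencrypt/live/slaptest.erp5.net/fullchain.pem a.slaptest.erp5.net
```

Because the challenge above was answered by hand, "certbot-auto renew" can only complete the dns-01 step without a terminal if deploying the TXT record is scripted through --manual-auth-hook (and removed again with --manual-cleanup-hook); otherwise the interactive run has to be repeated before the expiry date shown in the Certbot message, which check_cert_days flags in time.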

Thank You

  • Nexedi SA
  • 147 Rue du Ballon
  • 59110 La Madeleine
  • France