Wildcard certificates with Let’s Encrypt and DigitalOcean

About

This is more of a quick tutorial for me so I don’t forget rather than a comprehensive guide on the subject and tools. There are a lot of external links in this article if you’re keen to read more.

Background

Let’s Encrypt has always been a really interesting project to follow – in short, you can think of it as an API for free SSL/TLS certificates. It uses the ACME (Automated Certificate Management Environment) protocol to communicate with its users.

The good people at EFF have done some amazing work and integrated automatic wildcard certificate creation/renewal in their API client, certbot. The ability to handle wildcard certificates was finally released with ACME API v2 in March 2018 and certbot v0.22.0 and newer. This made a lot of people on the Internet very happy 🙂

Another great thing about certbot is its modular structure, which lets you use plugins to install the newly created certificates in your web server or to automatically perform the domain validation that proves you own the domain.

Instructions

Let’s talk about an example where you have multiple domains with DigitalOcean, one of the leading cloud providers in the market. I assume you are on a Debian-based system, maybe Ubuntu 16.04. Ubuntu 16.04 is a good example because the version of certbot that ships with it is newer than v0.22.0 and thus can handle wildcard certificates.

To install certbot and the DigitalOcean plugin simply type:

sudo apt install --yes \
     certbot \
     python3-certbot-dns-digitalocean

You can verify that the plugin is installed and working via:

certbot plugins

Which should show the “dns-digitalocean” plugin.

The next thing you will want to do is create a new dedicated DigitalOcean API key for this; call it something like “letsencrypt” so you will know in future what the key is used for. You need to store that key on your machine – replace “KEY” with your actual DigitalOcean API key in the commands below:

sudo touch /etc/letsencrypt/digitalocean_api.key
sudo chmod 400 /etc/letsencrypt/digitalocean_api.key
sudo bash -c "echo 'dns_digitalocean_token = KEY' > /etc/letsencrypt/digitalocean_api.key"

If you’re like me, and you like to be in charge of the certificate installation yourself, certbot lets you pass in the sub-command certonly, which will only fetch the certificates for the domains you’ve specified and not modify your web server configuration. That said, I did do a test run with nginx and certbot, and the nginx installer plugin did a magnificent job of updating the nginx configuration. I recommend that you have a look at the other certbot sub-commands; for this example we’ll be using certonly.

sudo certbot certonly \
   --dns-digitalocean \
   --dns-digitalocean-credentials \
       /etc/letsencrypt/digitalocean_api.key \
   -d *.domain1.tld \
   -d domain1.tld \
   -d *.domain2.tld \
   -d domain2.tld

You can find your certificate files in /etc/letsencrypt/live/domain1.tld/*, which are symbolic links into /etc/letsencrypt/archive/domain1.tld/. These certificates are valid for 90 days, which isn’t very long, and surely you don’t want to log on to your server every 3 months to renew your SSL/TLS certificates. For that reason, certbot installs a cron job in /etc/cron.d/certbot which will automatically renew your certificates based on the configuration file /etc/letsencrypt/renewal/domain1.tld.conf. You’re advised to have a look at these files and make sure they look alright.

You will see that /etc/cron.d/certbot runs the sub-command renew, which luckily comes with a flag --dry-run. This can be your final test before forgetting about SSL/TLS certificates for a long time 🙂

sudo certbot --dry-run renew

This should perform the DigitalOcean DNS challenge regardless of whether the certificates are due for renewal or not, and the output will show you whether it succeeded. Your certificates will be marked for renewal every 60 days, which gives the daily cron job /etc/cron.d/certbot more than enough time to generate new certificates for you.
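As an added pre-flight check (not part of the original post), the bash script below validates the two files the cron job depends on: the credentials file must be mode 400 or 600 and must contain the full `dns_digitalocean_token = KEY` line rather than the bare key, and the renewal config must still point at the dns-digitalocean authenticator and a valid credentials file. It assumes certbot stores the plugin settings in the renewal config under the keys `authenticator` and `dns_digitalocean_credentials`, and it prefers GNU stat with a BSD fallback.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the certbot + dns-digitalocean setup described above.
# Both functions return 0 when everything is in order and a distinct non-zero
# code per failure so they can be used from scripts or cron wrappers.

# Check the DigitalOcean credentials file: it must exist, must not be group or
# world readable (certbot refuses to use such files), and must hold the
# "dns_digitalocean_token = KEY" line, not just the bare key.
check_do_credentials() {
  local file="$1" mode
  [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    400|600) ;;
    *) echo "$file has mode $mode, expected 400 or 600" >&2; return 2 ;;
  esac
  if ! grep -Eq '^dns_digitalocean_token[[:space:]]*=[[:space:]]*[[:alnum:]_]+$' "$file"; then
    echo "$file must contain 'dns_digitalocean_token = <token>'" >&2; return 3
  fi
  return 0
}

# Check a /etc/letsencrypt/renewal/<domain>.conf: the cron job renews with the
# settings stored there, so it must name the DNS plugin and point at a
# credentials file that passes the check above. The key names are assumed to
# match what certbot writes for this plugin (dashes become underscores).
check_renewal_conf() {
  local conf="$1" creds
  [ -f "$conf" ] || { echo "missing renewal conf: $conf" >&2; return 1; }
  grep -Eq '^authenticator[[:space:]]*=[[:space:]]*dns-digitalocean$' "$conf" \
    || { echo "$conf does not use the dns-digitalocean authenticator" >&2; return 2; }
  creds=$(sed -n 's/^dns_digitalocean_credentials[[:space:]]*=[[:space:]]*//p' "$conf")
  [ -n "$creds" ] || { echo "$conf has no dns_digitalocean_credentials entry" >&2; return 3; }
  check_do_credentials "$creds"
}
```

Run it as `check_renewal_conf /etc/letsencrypt/renewal/domain1.tld.conf` before trusting the cron job; a non-zero exit tells you which of the two files needs attention.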

Enjoy your free wildcard certificates!


2 thoughts on “Wildcard certificates with Let’s Encrypt and DigitalOcean”

  1. Hi, thanks for this tutorial.
    Just an error at line `sudo bash -c "echo 'KEY' > /etc/letsencrypt/digitalocean_api.key"`
    It’s not only the KEY in the credentials file. The format is `dns_digitalocean_token = KEY`
