Ilyas Foo
17 March 2018
How to obtain and install letsencrypt wildcard certificate for root domain and all subdomains

Let's Encrypt finally added support for wildcard certificates on 14 March 2018. The following are the steps to get on board as an early adopter.

Prerequisites

  • Access to DNS zone management of your domain
  • Letsencrypt client that supports ACMEv2 (we'll use certbot-auto)

1. Download and run the client

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help

After installing, make sure the certbot version is at least 0.22, since that is the first release that speaks ACMEv2.

user@webserver:~$ ./certbot-auto --version
certbot 0.22.0

2. Run certbot script

Replace yourdomain.com with your domain in the following command and run it. The wildcard name is quoted so the shell does not expand it as a glob.

user@webserver:~$ ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d yourdomain.com -d '*.yourdomain.com' --manual --preferred-challenges dns-01 certonly

The following is the interactive output of the command above.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for yourdomain.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:

mMa94znU7sszZJMo6XYkPGciRbzgL-dTpzkkbJhnZD8

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:

ccgZEM_mLy_VWK3CFjK3CCJXYzq1poFOX16YFgz14zY

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

The important parts of the output above are the DNS TXT record name and the two values that follow it. You'll need these in the next step.

3. Set the DNS TXT record

I have cPanel to administer my zone records. Yours might be different depending on your DNS administration tool.

[Screenshot: cpanel-dns.jpg, the cPanel zone editor]

Add both _acme-challenge.yourdomain.com TXT records with the values given by certbot, then press Enter in certbot to continue verification. Verification should succeed, and certbot will report the certificate files it generated.

After verification, certbot prints the path to your certificate files.

user@webserver:/etc/letsencrypt/live/yourdomain.com$ ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
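Before pressing Enter at each prompt, it is worth confirming that both TXT values are actually visible on the domain's authoritative nameservers, since that is where Let's Encrypt looks. The following script is an added example and is not part of the original post; it assumes `dig` is installed and that the values passed in are the ones certbot printed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): confirm both ACME dns-01 TXT
# values are published before pressing Enter in certbot. Assumes `dig` is
# installed and that VALUE arguments are the strings certbot printed.

# txt_records_present RECORDS VALUE...
# RECORDS is the output of `dig +short TXT <name>`, one quoted string per line.
# Succeeds only when every VALUE appears as an exact TXT string.
txt_records_present() {
    local records="$1"; shift
    local value
    for value in "$@"; do
        # dig prints TXT data quoted ("..."); -x and -F force an exact, literal match
        printf '%s\n' "$records" | grep -qxF "\"$value\"" || return 1
    done
    return 0
}

# all_ns_serve DOMAIN NAME VALUE...
# Let's Encrypt queries the authoritative nameservers, not your local resolver,
# so check each NS of DOMAIN directly for the record NAME.
all_ns_serve() {
    local domain="$1" name="$2"; shift 2
    local nslist ns
    nslist=$(dig +short NS "$domain")
    [ -n "$nslist" ] || return 1          # no NS answer: cannot verify yet
    for ns in $nslist; do
        txt_records_present "$(dig +short TXT "$name" "@$ns")" "$@" || return 1
    done
    return 0
}

# wait_for_acme_txt DOMAIN VALUE...
# Polls every 10 seconds, up to 30 times, until both challenge values are served.
wait_for_acme_txt() {
    local domain="$1"; shift
    local name="_acme-challenge.$domain" attempt
    for attempt in $(seq 1 30); do
        if all_ns_serve "$domain" "$name" "$@"; then
            echo "all authoritative nameservers serve the expected TXT records for $name"
            return 0
        fi
        echo "attempt $attempt: records not yet visible everywhere, retrying" >&2
        sleep 10
    done
    echo "gave up waiting for TXT records at $name" >&2
    return 1
}
# Usage with the two values certbot printed (constructed from the post's sample output):
# wait_for_acme_txt yourdomain.com mMa94znU7sszZJMo6XYkPGciRbzgL-dTpzkkbJhnZD8 ccgZEM_mLy_VWK3CFjK3CCJXYzq1poFOX16YFgz14zY
```

Once it reports success for a given value, press Enter at the matching certbot prompt; a partial match on a truncated value is rejected on purpose.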

4. Install certificate in your hosting

The following depends on your hosting provider's tools. With cPanel, you can manage SSL certificates as shown in the following screenshot.

[Screenshot: cpanel-ssl.jpg, the cPanel SSL/TLS manager]

In cPanel, you'll need the certificate (cert.pem), the private key (privkey.pem) and the chain (chain.pem). Copy and paste the contents of each file into the corresponding text field.

[Screenshot: cpanel-ssl-2.jpg, the cPanel certificate install form]

After installing, your site is secured with the certificate. You should be able to see the domains under Subject Alternative Name in your site's cert details.

[Screenshot: ssl-wildcard.jpg, certificate details showing both names under Subject Alternative Name]

We're done

This is pretty much the early way to get a wildcard certificate; I reckon that in the near future we will probably have better and easier ways of doing it.

Update (16 Aug 2018): I've noted that we can insert two DNS TXT records with the same name. Simplified this guide to reflect that.