Why would you want a wildcard certificate? The biggest reason is usually HSTS preloading: the preload list requires the includeSubDomains directive, so every subdomain of your site must serve valid TLS, and one wildcard certificate is the simplest way to guarantee that (it is not that preloading demands a wildcard as such; it is that every name must be covered). It also makes it easy to put TLS on internal infrastructure that is not reachable from the public internet. Because the DNS challenge proves control of the DNS zone rather than of a web server, you can issue the certificate from one machine and use it on hosts Let's Encrypt could never connect to, and only `*.example.com` ends up in the Certificate Transparency logs rather than each internal hostname.
Requirements
- A web server to install the certificate on. With the DNS challenge used here, ports 80 and 443 do not need to be reachable from the internet for issuance (validation happens entirely through DNS); they only need to be open if you want the public to reach the site afterwards.
- Root level access to the operating system running the web server
- Ability to create TXT records in the domain's DNS zone for the ACME DNS-01 challenge (the record is `_acme-challenge.example.com`). Using one of Certbot's DNS plugins with the `certonly` command automates creating and removing these records.
Useful Notes
* Wildcard names are only issued through the DNS-01 challenge, so the usual one-step `certbot --apache` / `certbot --nginx` flow (which uses the HTTP challenge) will not work for a wildcard. Use the `certonly` option with a DNS plugin and configure the web server yourself, or pair the DNS plugin as authenticator with a web server installer (`certbot -a dns-cloudflare -i apache`).
How To
This is a general guide; I will not go very deep in this documentation, but I will link to documentation that does.
I will be using the Apache web server and Cloudflare for DNS. You may be using something different; the steps should still apply as long as Certbot has a DNS plugin for your provider.
- Follow the Certbot instructions for your web server and operating system, choosing the wildcard option (Certbot Instructions | Certbot). This involves installing snapd and the Certbot snap package.
- When you reach the "Install correct DNS plugin" step, follow the instructions to install the plugin for your DNS provider (DNS Plugins — Certbot 3.1.0 documentation). For automatic renewal to work you need a credentials file containing an API token for your DNS provider; the file format differs per provider. Treat that file as a secret: make it readable by root only (`chmod 600`) and use a token scoped to editing DNS records in just that zone rather than an account-wide key, because anyone who can read it can issue certificates for your domain.
- Once the DNS plugin is set up and Certbot is installed, make a bash script containing a `certonly` command for your DNS plugin and domain (I provide my example in the image below). Request both the bare domain and the wildcard (`-d example.com -d '*.example.com'`), since `*.example.com` does not cover `example.com` itself. There are further examples in the docs for your respective DNS plugin.

- Once the command succeeds, the certificate and key are written under the /etc/letsencrypt/live/example.com directory (fullchain.pem, privkey.pem, cert.pem and chain.pem). These are symlinks into /etc/letsencrypt/archive/, so point services at the live/ paths and they will pick up renewals automatically.
- You can then use this certificate on any web service that you reach through your domain or its subdomains; follow each service's own guide for installing a certificate. Keep in mind that the single private key now lives on every host you copy it to, so a compromise of any one of them exposes TLS for every name under the wildcard.
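The issuing step in one script, as an added example rather than the author's own (which was in an image). It assumes the Cloudflare plugin, the domain example.com, the contact address admin@example.com and a credentials file at /etc/letsencrypt/cloudflare.ini; all of these are placeholders. It checks the credentials file's permissions before running, requests both the apex and the wildcard, and does a staging dry run before the real request:

```shell
#!/bin/sh
# issue-wildcard.sh: request a wildcard certificate with the Cloudflare DNS plugin.
# Added example, not the script from the original post. DOMAIN, EMAIL and the
# credentials path are assumptions; change them for your own zone.
set -eu

DOMAIN="example.com"
EMAIL="admin@example.com"
# The file holds one line: dns_cloudflare_api_token = <token>
# Scope that token to Zone:DNS:Edit on this one zone, not the global API key.
CREDS="/etc/letsencrypt/cloudflare.ini"

# The credentials file contains a live API token. Refuse to continue unless
# only its owner can read it (GNU stat; on BSD/macOS use `stat -f %Lp`).
check_creds() {
  f="$1"
  [ -f "$f" ] || { echo "credentials file $f is missing" >&2; return 1; }
  mode=$(stat -c %a "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f is mode $mode; fix with: chmod 600 $f" >&2; return 1 ;;
  esac
}

# Print the certbot command line. Both the apex name and the wildcard are
# requested because '*.example.com' does not match 'example.com' itself.
# --dns-cloudflare-propagation-seconds gives the TXT record time to appear on
# Cloudflare's authoritative servers before Let's Encrypt queries it.
build_cmd() {
  domain="$1"; creds="$2"; extra="${3:-}"
  printf '%s ' certbot certonly --non-interactive --agree-tos -m "$EMAIL" \
    --dns-cloudflare --dns-cloudflare-credentials "$creds" \
    --dns-cloudflare-propagation-seconds 60 \
    -d "$domain" -d "'*.$domain'" $extra
  printf '\n'
}

issue() {
  check_creds "$CREDS"
  # Dry run first: this walks the whole DNS-01 flow (create TXT record,
  # validation, cleanup) against the staging CA without issuing anything
  # or counting against the production rate limits.
  eval "$(build_cmd "$DOMAIN" "$CREDS" --dry-run)"
  eval "$(build_cmd "$DOMAIN" "$CREDS")"
}

# Usage: sudo sh issue-wildcard.sh issue
case "${1:-}" in issue) issue ;; esac
```

If the dry run fails with a validation error, the usual cause is the TXT record not being visible yet; raise the propagation seconds rather than retrying against production, since failed validations count toward the rate limits too.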
Here are a few links to documentation to enable certs on web services.
– SSL/TLS Strong Encryption: How-To – Apache HTTP Server Version 2.4
– Certificate Management – Proxmox VE
– Configuring SSL certificates on the Wazuh dashboard using Let’s Encrypt (You can skip to the part where you edit the config file to point to your certificate files since you have already generated them)
Since renewal happens on the machine where you generated the certificates, I would suggest some automation to copy the renewed certificate to every other host that uses it and reload the services there. Certbot supports this directly: any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ (or passed with --deploy-hook) runs after each successful renewal with the RENEWED_LINEAGE environment variable pointing at the live/ directory that was renewed.
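A deploy hook that does this distribution, as an added example (not the author's script). The hosts, destination directories and reload commands in TARGETS are assumptions standing in for your own Proxmox, Wazuh or other machines; it copies only fullchain.pem and privkey.pem, keeps the key mode 0600, and stops with an error on the first host that fails so certbot logs it instead of leaving a stale certificate behind silently:

```shell
#!/bin/sh
# push-wildcard.sh: copy a renewed wildcard certificate to the other hosts
# that use it and reload their services. Added example, not the author's
# script. Install as /etc/letsencrypt/renewal-hooks/deploy/push-wildcard.sh
# (or pass it with --deploy-hook); certbot then runs it after every successful
# renewal with RENEWED_LINEAGE set to the lineage directory, e.g.
# /etc/letsencrypt/live/example.com. Hosts, directories and reload commands
# below are assumptions.
set -eu

# One target per line: "<scp destination>|<command to run there afterwards>".
# The remote user needs write access to the directory and rights to reload.
TARGETS='
root@proxmox.example.com:/root/certs|systemctl restart pveproxy
root@wazuh.example.com:/etc/wazuh-dashboard/certs|systemctl restart wazuh-dashboard
'

# Copy only fullchain.pem and privkey.pem out of a lineage directory.
# dest is either a local directory or a user@host:dir scp destination.
push_cert() {
  lineage="$1"; dest="$2"
  for f in fullchain.pem privkey.pem; do
    [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
  done
  case "$dest" in
    *:*) scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" "$dest/" ;;
    *)   install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
         install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem" ;;
  esac
}

# Run the reload command on the remote host, or locally for a local dest.
reload_service() {
  dest="$1"; cmd="$2"
  case "$dest" in
    *:*) ssh -q "${dest%%:*}" "$cmd" ;;
    *)   sh -c "$cmd" ;;
  esac
}

# Push the lineage to every target. A failure on one host aborts the hook
# with a non-zero status so certbot records it in its log.
deploy_all() {
  lineage="$1"
  printf '%s\n' "$TARGETS" | while IFS='|' read -r dest cmd; do
    [ -n "$dest" ] || continue
    push_cert "$lineage" "$dest"
    reload_service "$dest" "$cmd"
    echo "deployed $lineage to $dest"
  done
}

# Only act when certbot invoked us; sourcing the file for a self-test does not.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_all "$RENEWED_LINEAGE"
fi
```

Because this hook copies the private key over SSH with whatever key root on the certbot host holds, restrict that SSH key on the receiving side (a forced command or a dedicated low-privilege account that may only write the certificate directory and restart the one service) rather than granting it a full root shell on every target.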