Hutchie

Let's Encrypt and wildcard certificates

Let’s Encrypt (LE) are a non-profit Certificate Authority (CA) which issue free SSL/TLS certificates used to enable HTTPS for websites. I have used them to secure my sites for a number of years.


Does free mean bad?

Unlike some free domain or website-hosting services, LE does not have a catch, nor are they the ‘budget’ option. They provide secure, automated methods of obtaining certificates which give the same security as a certificate from any paid CA would. They are run by the non-profit Internet Security Research Group (ISRG), who want “to create a more secure and privacy-respecting Web.”

Let’s Encrypt does not offer Organization Validation (OV) or Extended Validation (EV) certificates, because the issuance process cannot be automated. Most of us don’t need to worry about that, though, unless our web content is extremely sensitive (like a bank or payment portal).

Wildcard certificate?

Around March 2018, LE added the ability to issue wildcard certificates with their ACME v2 API. A standard certificate is only valid for one (sub)domain, such as hutchie.scot or sub.hutchie.scot, so securing both of those names would require two different standard certificates.

Wildcard certificates, on the other hand, are valid for *.hutchie.scot - AKA, any subdomain of hutchie.scot. The catch is that issuing a wildcard certificate requires access to the DNS records of the domain to add a randomly generated secret as a TXT record. A standard certificate can be automatically issued and renewed simply by proving you can host files on the requested (sub)domain.

Issuing and renewing

We can use the certbot tool to obtain certificates from Let’s Encrypt. It’s maintained by the non-profit Electronic Frontier Foundation as an interface to Let’s Encrypt’s API. The following shell script (with email and domain replaced) will issue a wildcard certificate:

#!/bin/bash

# NOTES:
# 1. Run with sudo (certbot writes under /etc/letsencrypt)
# 2. This script is interactive and requires a DNS edit: certbot prints a
#    value that must be published as a TXT record before you continue
# 3. Replace the email and domain placeholders below
EMAIL="[ my email address ]"
DOMAIN="[ my domain URL ]"

# The wildcard is quoted so the shell does not expand "*." as a filename glob.
# --manual-public-ip-logging-ok is accepted by the certbot release this post
# targets; later releases have deprecated the flag.
certbot certonly --manual \
  --manual-public-ip-logging-ok \
  --preferred-challenges=dns \
  --email "$EMAIL" \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos -d "*.$DOMAIN"

This script prompts you with a random secret which will need to be placed in a TXT DNS record for the domain before you continue. Once validation succeeds, two files will be generated in the default locations: the certificate chain at /etc/letsencrypt/live/<domain>/fullchain.pem and the private key at /etc/letsencrypt/live/<domain>/privkey.pem.

Note: Let’s Encrypt certificates are only valid for 90 days, and they recommend you renew them every 60 days. Certbot cannot automate the renewal of wildcard certificates, but it may be possible if your DNS provider provides an API (such as Cloudflare).
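As an added example (not code from the original post), the following Python shows what lies behind three points above: how the secret certbot asks you to publish is derived from the CA’s random token and your ACME account key thumbprint (the DNS-01 challenge of RFC 8555), which hostnames a *.hutchie.scot certificate actually covers, and when the 90-day validity and 60-day renewal advice say a certificate is due. The token and thumbprint values are constructed for illustration.

```python
# Added example, not part of the original post. Standard library only.
import base64
import hashlib
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """Unpadded base64url encoding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """Value certbot asks you to publish at _acme-challenge.<domain>.

    RFC 8555 section 8.4: base64url(SHA-256(token "." thumbprint)), where the
    thumbprint is that of your ACME account key. The token is chosen by the
    CA per challenge, so the value cannot be pre-published or reused.
    """
    key_authorization = f"{token}.{account_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125 wildcard rule as browsers apply it: '*' matches exactly one
    leftmost label. *.hutchie.scot covers sub.hutchie.scot but neither the
    apex hutchie.scot nor the deeper a.b.hutchie.scot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def should_renew(not_after: datetime, now: datetime,
                 lifetime_days: int = 90, renew_after_days: int = 60) -> bool:
    """Renewing every 60 days of a 90-day certificate means renewing once
    30 days or fewer remain before notAfter."""
    remaining = not_after - now
    return remaining <= timedelta(days=lifetime_days - renew_after_days)


if __name__ == "__main__":
    # Constructed sample values; a real token comes from the CA's challenge.
    print(dns01_txt_value("constructed-token-value", "constructed-thumbprint"))
    print(wildcard_covers("*.hutchie.scot", "sub.hutchie.scot"))
    print(should_renew(datetime(2018, 6, 1, tzinfo=timezone.utc),
                       datetime(2018, 5, 10, tzinfo=timezone.utc)))
```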

What do I do with these certificates?

I use Apache to serve PHP sites and proxy to other applications using VirtualHosts. I find it easier to configure SSL certificates on the Apache side of things than individually per application.

I can add the following to my VirtualHost configuration(s):

SSLCertificateFile /etc/letsencrypt/live/hutchie.scot/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hutchie.scot/privkey.pem

You may have to ensure the ssl module is enabled, which can be done using a2enmod ssl on Debian systems. Renewal replaces the existing certificate files in place, so there is no need to edit the Apache configuration again, though Apache must be reloaded before it serves the new certificate.

#wildcard #dns #cloudflare #certificate #ssl #let's encrypt