How to generate a Let's Encrypt wildcard certificate using Certbot on Ubuntu

How to generate a Let's Encrypt wildcard certificate using Certbot on Ubuntu

Shailendra Singh's photo
·

6 min read

In recent years, website security has become increasingly important. One of the essential components of website security is having a valid SSL/TLS certificate installed on your website. This certificate encrypts data transmitted between your website and its visitors, preventing third parties from intercepting and tampering with sensitive information.

In this blog post, we will explore how to use Certbot, Let's Encrypt, Cloudflare and Ubuntu to obtain a wildcard SSL/TLS certificate.

  • As a wildcard cert is meant to be used across multiple VMs for your subdomains, we will generate the wildcard certificate on a dedicated VM instead of doing it on different VMs which are running load balancers for your subdomains. This will reduce the maintenance effort of upgrading and patching Certbot and other packages required to generate the wildcard certificate significantly.

  • The steps described here apply to 20.04 and later versions of Ubuntu.

  • These steps have been written assuming that the target root domain is rocketcloud.io and so you should replace rocketcloud.io with the name of your root domain before executing a command having reference(s) to the root domain.

What is Certbot?

Certbot is a command-line tool that helps you obtain and renew SSL/TLS certificates from Let's Encrypt. Let's Encrypt is a free, automated, and open certificate authority that offers SSL/TLS certificates at no cost. Certbot is available for Linux, macOS, and Windows and supports Apache, Nginx, and other web servers.

Certbot makes it easy to obtain and renew SSL/TLS certificates by automating the process. It uses the ACME (Automatic Certificate Management Environment) protocol to communicate with Let's Encrypt and verify that you own the domain name for which you are requesting a certificate.

What is a wildcard certificate?

A wildcard certificate is a type of SSL/TLS certificate that can be used to secure multiple subdomains of a root domain. For example, a wildcard certificate issued for *.rocketcloud.io can be used to secure blog.rocketcloud.io, docs.rocketcloud.io etc. This can be useful if you have many subdomains and want to secure them all with a single certificate.

Certbot supports wildcard certificates, and obtaining one is similar to obtaining a regular certificate. However, wildcard certificates require an additional step of domain validation, which involves creating a DNS TXT record for the domain name. This is because Let's Encrypt needs to verify that you own the domain name and have control over its DNS settings.

What is Let's Encrypt?

Let's Encrypt is a free and open certificate authority that provides SSL/TLS certificates to websites. Let's Encrypt was created to make it easier for website owners to secure their websites by providing free SSL/TLS certificates.

Let's Encrypt is supported by most web browsers, and its certificates are trusted by major operating systems and devices. Let's Encrypt certificates are valid for 90 days, and Certbot can automatically renew them when they are about to expire.

What is Cloudflare?

Cloudflare is a popular content delivery network (CDN) and DNS provider that helps improve website performance and security. Cloudflare offers a free SSL/TLS certificate called Universal SSL which is automatically generated for all websites that use Cloudflare.

Cloudflare's SSL/TLS certificate can be used in conjunction with Let's Encrypt certificates to provide additional security. For example, you can use Let's Encrypt to obtain a wildcard certificate for your domain and use Cloudflare's SSL/TLS certificate to secure traffic between Cloudflare and your web server.

Follow below steps to obtain a wildcard SSL/TLS certificate using Certbot, Let's Encrypt, Cloudflare and Ubuntu -

Steps

Step 1: SSH into the Ubuntu server

Step 2: Ensure that your version of snapd is up to date

sudo snap install core
sudo snap refresh core

Step 3: Remove Certbot if it already exists (this may be the case if it was installed using apt package manager)

sudo apt-get remove certbot

Step 4: Install Certbot

Run the following command to install Certbot -

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 6: Confirm plugin containment level

sudo snap set certbot trust-plugin-with-root=ok

Step 7: Install the Certbot Cloudflare DNS plugin

sudo snap install certbot-dns-cloudflare

This plugin is responsible for completing a dns-01 challenge by creating and then removing a TXT record using the Cloudflare API.

Step 8: Generate a Cloudflare api token

  • Log in to the Cloudflare dashboard and click on My profile -> API Tokens.

  • Click on Create Token button in the API Tokens section.

  • Click on Use template button next to Edit zone DNS.

  • (Optional) Select Specific zone in the dropdown under Zone Resources section and then the zone name in the next dropdown if you are having multiple domains and you want to restrict access of this token to a particular zone only.

  • (Optional) If you are always going to run these steps from the same VM then you can specify IP of this VM under Client IP Address Filtering to make sure that this token can't be used from any VM other than this VM.

  • (Optional) Specify an end date to make sure that token expires by a certain date.

Step 9: Create a configuration file for the Cloudflare plugin

  • Create a configuration file (e.g. cloudflare.ini) with the following content -
dns_cloudflare_api_token = <cloudflare_api_token>

Replace <cloudflare_api_token> in this file with the token generated in the previous step.

Step 10: Generate the certificate

certbot certonly \
  --cert-name rocketcloud.io
  --dns-cloudflare \
  --dns-cloudflare-credentials <relative_or_absolute_path_to_cloudflare.ini_file> \
  -d *.rocketcloud.io
  • Above command will generate your certificate and associated private key in /etc/letsencrypt/archive/rocketcloud.io folder. You can find your certificate and associated private key in cert.pem and privkey.pem files respectively under this folder.

  • It is important to supply --cert-name flag in the above command as this name is used for the folder name (rocketcloud.io in our case) which is created under /etc/letsencrypt/archive folder. If you skip this flag then this command will generate folders with different names (e.g. rocketcloud.io-0001 etc) every time you will run this command.

  • Value specified against --cert-name flag needs NOT to be the same as your domain name.

Step 11: Automatic renewal

  • Installation of Certbot package will also create a systemd timer with UNIT name as snap.certbot.renew.timer which will automatically renew your certificate before it expires ( 90 days after the creation date ). This timer must be present in the output of systemctl list-timers command.

  • You can test automatic renewal by running the following command -

sudo certbot renew --dry-run

Step 12: Copy generated certificate and private key to the target VM

  • Copy cert.pem and privkey.pem files to the VM where your load balancer is running, adjust the configuration of it to point to these files and restart the load balancer.

  • As copying our wildcard certificate to multiple VMs is a significant manual effort, we can automate this part to eliminate the manual effort. We will cover this in a separate blog post.