Table of contents
- What is Certbot?
- What is a wildcard certificate?
- What is Let's Encrypt?
- What is Cloudflare?
- Steps
- Step 1: SSH into the Ubuntu server
- Step 2: Ensure that your version of snapd is up to date
- Step 3: Remove Certbot if it already exists (this may be the case if it was installed using apt package manager)
- Step 4: Install Certbot
- Step 5: Create a symlink for the Certbot command
- Step 6: Confirm plugin containment level
- Step 7: Install the Certbot Cloudflare DNS plugin
- Step 8: Generate a Cloudflare API token
- Step 9: Create a configuration file for the Cloudflare plugin
- Step 10: Generate the certificate
- Step 11: Automatic renewal
- Step 12: Copy generated certificate and private key to the target VM
In recent years, website security has become increasingly important. One of the essential components of website security is having a valid SSL/TLS certificate installed on your website. The certificate lets a visitor's browser verify that it is really talking to your server, and TLS then encrypts the data exchanged between the two, so third parties cannot read or tamper with sensitive information in transit.
In this blog post, we will explore how to use Certbot, Let's Encrypt, Cloudflare and Ubuntu to obtain a wildcard SSL/TLS certificate.
As a wildcard certificate is meant to be used across multiple VMs for your subdomains, we will generate it on a dedicated VM instead of on each of the VMs that run load balancers for your subdomains. This significantly reduces the effort of upgrading and patching Certbot and the other packages required to generate the certificate. That VM will also hold the Cloudflare API token and the private key, so it should be hardened and reachable only by the people who manage certificates.
The steps described here apply to Ubuntu 20.04 and later versions. They have been written assuming that the target root domain is rocketcloud.io, so replace rocketcloud.io with the name of your own root domain before executing any command that references it.
What is Certbot?
Certbot is a command-line tool that helps you obtain and renew SSL/TLS certificates from Let's Encrypt. Let's Encrypt is a free, automated, and open certificate authority that offers SSL/TLS certificates at no cost. Certbot is available for Linux, macOS, and Windows and supports Apache, Nginx, and other web servers.
Certbot makes it easy to obtain and renew SSL/TLS certificates by automating the process. It uses the ACME (Automatic Certificate Management Environment) protocol to communicate with Let's Encrypt and to prove that you control the domain name for which you are requesting a certificate.
What is a wildcard certificate?
A wildcard certificate is a type of SSL/TLS certificate that can be used to secure multiple subdomains of a root domain. For example, a wildcard certificate issued for *.rocketcloud.io can be used to secure blog.rocketcloud.io, docs.rocketcloud.io etc. This can be useful if you have many subdomains and want to secure them all with a single certificate. Note that the wildcard matches exactly one label: it does not cover the bare rocketcloud.io, nor deeper names such as a.b.rocketcloud.io.
Certbot supports wildcard certificates, and obtaining one is similar to obtaining a regular certificate. However, Let's Encrypt issues wildcard certificates only through the dns-01 challenge, which requires creating a DNS TXT record (at _acme-challenge.rocketcloud.io in our case) containing a value chosen by Let's Encrypt. This is because Let's Encrypt needs to verify that you control the domain's DNS, not merely a web server answering for it. That is why this guide needs API access to the DNS provider, Cloudflare.
What is Let's Encrypt?
Let's Encrypt is a free and open certificate authority that provides SSL/TLS certificates to websites. Let's Encrypt was created to make it easier for website owners to secure their websites by providing free SSL/TLS certificates.
Let's Encrypt is supported by most web browsers, and its certificates are trusted by major operating systems and devices. Let's Encrypt certificates are valid for 90 days, and Certbot can automatically renew them when they are about to expire.
What is Cloudflare?
Cloudflare is a popular content delivery network (CDN) and DNS provider that helps improve website performance and security. Cloudflare offers a free SSL/TLS certificate called Universal SSL, which is automatically provisioned for domains whose traffic is proxied through Cloudflare.
Universal SSL covers only the connection between the visitor and Cloudflare's edge. The Let's Encrypt wildcard certificate obtained in this post is installed on your own servers, so the connection between Cloudflare and your origin (or a direct connection, for DNS records that are not proxied) is also encrypted, with a certificate that Cloudflare can validate in its Full (strict) SSL mode. In this guide, Cloudflare's role is that of the DNS provider whose API Certbot calls to complete the dns-01 challenge; its CDN features are not required.
Follow the steps below to obtain a wildcard SSL/TLS certificate using Certbot, Let's Encrypt, Cloudflare and Ubuntu -
Steps
Step 1: SSH into the Ubuntu server
Step 2: Ensure that your version of snapd is up to date
sudo snap install core
sudo snap refresh core
Step 3: Remove Certbot if it already exists (this may be the case if it was installed using apt package manager)
sudo apt-get remove certbot
Step 4: Install Certbot
Run the following command to install Certbot -
sudo snap install --classic certbot
Step 5: Create a symlink for the Certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 6: Confirm plugin containment level
sudo snap set certbot trust-plugin-with-root=ok
This acknowledges that a Certbot plugin snap installed in the next step will run with the same classic (root-level) containment as Certbot itself; without it, the plugin snap will not be connected to Certbot.
Step 7: Install the Certbot Cloudflare DNS plugin
sudo snap install certbot-dns-cloudflare
This plugin completes the dns-01 challenge by creating the required TXT record through the Cloudflare API and removing it again once Let's Encrypt has validated it.
Step 8: Generate a Cloudflare API token
Log in to the Cloudflare dashboard and go to My Profile -> API Tokens.
- Click the Create Token button in the API Tokens section.
- Click the Use template button next to Edit zone DNS. This template grants the Zone / DNS / Edit permission that the plugin needs to create and delete the _acme-challenge TXT record.
- (Optional) Under Zone Resources, select Specific zone and then the zone name in the next dropdown if you have multiple domains and want to restrict this token to one zone. This is worth doing: whoever holds the token can edit DNS for every zone it covers, and can therefore obtain certificates for any name in those zones.
- (Optional) If you are always going to run these steps from the same VM, enter that VM's public IP under Client IP Address Filtering so the token cannot be used from any other host.
- (Optional) Specify an end date to make sure the token expires by a certain date. Remember that automatic renewal (Step 11) uses the same token, so an expired token makes renewals fail until you replace it in the configuration file.
- Copy the token as soon as it is shown; Cloudflare does not display it again.
Step 9: Create a configuration file for the Cloudflare plugin
Create a configuration file (e.g. cloudflare.ini) with the following content -
dns_cloudflare_api_token = <cloudflare_api_token>
Replace <cloudflare_api_token> in this file with the token generated in the previous step. The file holds a secret that can modify your DNS, so keep it outside any web-served or world-readable directory and restrict it so that only its owner can read it (mode 0600); Certbot prints an "Unsafe permissions on credentials configuration file" warning otherwise. Note where you put it: the path is recorded in the renewal configuration, and automatic renewal fails if the file is later moved or deleted.
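The following pre-flight check, which is an added example and not part of the original post, catches the two mistakes that most often break Step 10 and later renewals: a credentials file that is readable by other users, and a placeholder token that was never replaced. It assumes a POSIX shell with find(1); the file path is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check cloudflare.ini
# before handing it to certbot --dns-cloudflare-credentials.
# Assumes POSIX sh and a find(1) that supports -maxdepth and exact -perm.

check_cloudflare_ini() {
    ini="$1"

    # 1. The file must exist and be readable by the user running certbot.
    if [ ! -r "$ini" ]; then
        echo "ERROR: $ini does not exist or is not readable" >&2
        return 1
    fi

    # 2. Certbot warns about unsafe permissions unless the file is private
    #    to its owner; insist on exactly mode 0600 (find prints the path
    #    only when the mode matches).
    if [ -z "$(find "$ini" -maxdepth 0 -perm 600 2>/dev/null)" ]; then
        echo "ERROR: $ini must be mode 0600 (chmod 600 $ini)" >&2
        return 1
    fi

    # 3. The key certbot-dns-cloudflare reads is dns_cloudflare_api_token.
    #    Extract the first value after '=' and make sure it is present.
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$ini" | head -n 1)
    if [ -z "$token" ]; then
        echo "ERROR: no dns_cloudflare_api_token line in $ini" >&2
        return 1
    fi

    # 4. Reject the <cloudflare_api_token> placeholder left over from the
    #    template so certbot does not fail at the Cloudflare API instead.
    case "$token" in
        '<'*'>')
            echo "ERROR: placeholder token still present in $ini" >&2
            return 1
            ;;
    esac

    echo "OK: $ini is private and contains a token"
    return 0
}

# Usage: check_cloudflare_ini /root/.secrets/cloudflare.ini && sudo certbot ...
```

Run it from the same account that will run Certbot, so the readability test reflects what Certbot will see; the function returns non-zero on the first problem, so it can gate the certbot invocation with `&&`.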
Step 10: Generate the certificate
sudo certbot certonly \
  --cert-name rocketcloud.io \
  --dns-cloudflare \
  --dns-cloudflare-credentials <relative_or_absolute_path_to_cloudflare.ini_file> \
  -d '*.rocketcloud.io'
sudo is needed because Certbot writes under /etc/letsencrypt, and the wildcard is quoted so the shell does not try to expand it as a file glob. Because *.rocketcloud.io matches only one label, add a second -d rocketcloud.io to the command if the same load balancer must also serve the bare domain. If validation fails because the TXT record has not yet propagated to Cloudflare's nameservers, rerun with a larger --dns-cloudflare-propagation-seconds value (the default is 10).
The above command stores the certificate and private key under /etc/letsencrypt/archive/rocketcloud.io as numbered files (cert1.pem, privkey1.pem, and so on), and maintains symlinks to the current versions in /etc/letsencrypt/live/rocketcloud.io: cert.pem (the certificate alone), fullchain.pem (the certificate followed by the Let's Encrypt intermediate, which is what a web server or load balancer should be given) and privkey.pem (the private key). Always read from the live folder, as the symlinks are updated on every renewal.
It is important to supply the --cert-name flag in the above command, as this name is used for the folder created under /etc/letsencrypt/archive and /etc/letsencrypt/live (rocketcloud.io in our case). If you skip this flag, Certbot derives the name from the first domain and may create differently named folders (e.g. rocketcloud.io-0001) on later runs when the requested domains differ from an existing one. The value specified for --cert-name does NOT need to be the same as your domain name.
Step 11: Automatic renewal
Installation of the Certbot snap also creates a systemd timer with UNIT name snap.certbot.renew.timer, which runs certbot renew twice a day. Certbot only renews a certificate once fewer than 30 days of its 90-day validity remain, so a renewal actually happens about every 60 days, reusing the dns-cloudflare plugin and the credentials file path recorded in /etc/letsencrypt/renewal/rocketcloud.io.conf. This timer must be present in the output of the systemctl list-timers command. You can test automatic renewal by running the following command -
sudo certbot renew --dry-run
Step 12: Copy generated certificate and private key to the target VM
Copy fullchain.pem and privkey.pem (not just cert.pem: most load balancers need to present the intermediate chain, and many clients cannot build a trust path without it) to the VM where your load balancer is running, adjust its configuration to point to these files and reload the load balancer. privkey.pem is the private key for every subdomain the wildcard covers, so transfer it only over SSH (scp or similar), keep it readable only by root or the load balancer's service user, and never paste it into chat, tickets or e-mail. Because renewal replaces the files on the Certbot VM roughly every 60 days, this copy has to be repeated after each renewal. As copying our wildcard certificate to multiple VMs is a significant manual effort, we can automate this part to eliminate the manual effort. We will cover this in a separate blog post.
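As an added example that is not part of the original post, the script below is a Certbot deploy hook: Certbot runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ (or given with --deploy-hook) after every successful renewal, exporting RENEWED_LINEAGE, the /etc/letsencrypt/live/<cert-name> directory, and RENEWED_DOMAINS. The hook stages fullchain.pem and privkey.pem into the directory the load balancer reads, with the file modes from Step 12 set atomically by install(1), and optionally reloads the load balancer. CERT_DEST and RELOAD_CMD are assumed placeholders for your own environment, not values from the post; distributing the files to other VMs is left to the author's follow-up.

```shell
#!/bin/sh
# Added example (not from the original post): Certbot deploy hook that stages
# the renewed wildcard certificate with safe permissions on this VM.
# Assumptions: CERT_DEST is the directory the load balancer reads its
# certificate from; RELOAD_CMD is the command that makes it re-read the files
# (e.g. "systemctl reload haproxy"). Both are placeholders, not from the post.
set -eu

CERT_DEST="${CERT_DEST:-/etc/ssl/rocketcloud.io}"
RELOAD_CMD="${RELOAD_CMD:-}"    # empty string = do not reload anything

# Copy fullchain.pem (public, 0644) and privkey.pem (secret, 0600) from a
# Certbot lineage directory into dest. install(1) creates the target with the
# requested mode in one step, so the key is never momentarily world-readable.
deploy_cert_files() {
    lineage="$1"
    dest="$2"

    # Refuse to run with an incomplete lineage (e.g. a wrong --cert-name).
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$lineage/$f" ]; then
            echo "deploy hook: missing $lineage/$f" >&2
            return 1
        fi
    done

    install -d -m 0750 "$dest"
    # Certificate plus intermediate chain: what the load balancer presents.
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
    # Private key for every name the wildcard covers: owner-only.
    install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem"
    echo "deploy hook: installed certificate from $lineage into $dest"
}

# Certbot sets RENEWED_LINEAGE only when it invokes the hook; when the script
# is sourced or run by hand without it, nothing is deployed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert_files "$RENEWED_LINEAGE" "$CERT_DEST"
    if [ -n "$RELOAD_CMD" ]; then
        sh -c "$RELOAD_CMD"
    fi
fi
```

Make the script executable and owned by root, since Certbot runs deploy hooks as root; test it with `sudo certbot renew --dry-run` from Step 11, which also exercises deploy hooks when --run-deploy-hooks is given.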