Wildcard Certificates with Let's Encrypt

Thu 27th May 2021 By David T. Sadler.

Currently my little bit of the internet is davidtsadler.com. However I have a few ideas for some other projects that I would like to host under a subdomain. For example at some point I want to make my source code available at git.davidtsadler.com. I also want SSL on each of the sites.

Since I'm self hosting my sites I can make use of Let's Encrypt to obtain the nessecary certificates. However I don't want the hassle of maintaing a seperate certificate for each site so I'm going with having a single wildcard certificate that will be valid for each subdomain.

Obtaining a wildcard certificate can be done with the certbot command.

$ sudo certbot certonly --manual --preferred-challenges=dns --email me@email.com --agree-tos -d "*.davidtsadler.com,davidtsadler.com"

• certonly This will obtain and save the certificate but will not install it. That is left to you.
• --manual Obtains certificates interactively.
• --preferred-challenges=dns Tells certbot that I will use the dns method to prove I own the domain name.
• --email Email address used for registration and recovery contact.
• --agree-tos Automatically agree to the terms of service.
• -d Comma seperataed list of domain names that the certificate should cover.

There are a couple of things to note with the above command. For starters I had to specifiy both *.davidtsadler and davidtsadler.com as the domains. This is because if I did not include davidtsadler.com then only subdomains would be covered by the certificate. In other words *.davidtsadler means any subdomain under davidtsadler.com but not the domain davidtsadler.com itself.

Secondaly, due to how my dns is been managed I could not have certbot automatically add the appropriate dns entries in order for it to validate the authenancy of the domain name. Instead certbot displayed the instructions needed to manually add two TXT records to my dns. Once I had done this certbot was happy that I owned the domain that the certificate would cover.

Running the certbot command results in the certificates been saved in /etc/letsencrypt/live/davidtsadler.com/

After that all I need to do is ensure that Apache has SSL support enabled and then add the below settings to my vhost file which tells Apache where to find the certificates.

SSLCertificateFile /etc/letsencrypt/live/davidtsadler.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/davidtsadler.com/privkey.pem

Now in future I can simply create the required vhost file for the new subdomain site and have it use the same certificate as the others.

Links

I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.

License

Copyright © 2021 David T. Sadler.