Letsencrypt Wildcard Certificate HowTo

After the delay of the ACMEv2 including the wildcard-endpoint [2] it finally is live today [3]. In addition to the ACME v2 requirement, requests for wildcard certificates require an DNS “TXT” record to verify control over the domain.

Just “upgraded” my certificate to an root certificate follwing these steps:
1. Upgraded my certbot

cd /opt/letsencrypt
git reset --hard
git pull

cd /opt/letsencrypt

git reset --hard

git pull

2. Requested certificate (command is based on [1])

/opt/letsencrypt/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "no3x.de" -d "*.no3x.de" --webroot-path=/var/www/html --manual certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/no3x.de.conf)

It contains these names: no3x.de

You requested these names for the new certificate: no3x.de, *.no3x.de.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for no3x.de
dns-01 challenge for no3x.de

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Create a file containing just this data:

2d_P_nGbYGw51FjBafWKwKh6ms7GUedgWmP8uek27Iw.e6ZC8rMTP4wAt3ZJqrPYTMaJDzvXkHLp8iuDc4oGyP2

And make it available on your web server at this URL:

http://no3x.de/.well-known/acme-challenge/2d_P_nGbYGw51FjBafWKwKh6ms7GUedgWmP8uek27Iw

-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.no3x.de with the following value:

loGH_nwO5z0LL2zX4IGopI0Jp0Z6H9Xx5t9AE-I2Xyw

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/no3x.de/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/no3x.de/privkey.pem
   Your cert will expire on 2018-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

/opt/letsencrypt/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "no3x.de" -d "*.no3x.de" --webroot-path=/var/www/html --manual certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

-------------------------------------------------------------------------------

You have an existing certificate that contains a portion of the domains you

requested (ref: /etc/letsencrypt/renewal/no3x.de.conf)

It contains these names: no3x.de

You requested these names for the new certificate: no3x.de, *.no3x.de.

Do you want to expand and replace this existing certificate with the new

certificate?

-------------------------------------------------------------------------------

(E)xpand/(C)ancel: E

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for no3x.de

dns-01 challenge for no3x.de

-------------------------------------------------------------------------------

NOTE: The IP of this machine will be publicly logged as having requested this

certificate. If you're running certbot in manual mode on a machine that is not

your server, please ensure you're okay with that.

Are you OK with your IP being logged?

-------------------------------------------------------------------------------

(Y)es/(N)o: Y

-------------------------------------------------------------------------------

Create a file containing just this data:

2d_P_nGbYGw51FjBafWKwKh6ms7GUedgWmP8uek27Iw.e6ZC8rMTP4wAt3ZJqrPYTMaJDzvXkHLp8iuDc4oGyP2

And make it available on your web server at this URL:

http://no3x.de/.well-known/acme-challenge/2d_P_nGbYGw51FjBafWKwKh6ms7GUedgWmP8uek27Iw

-------------------------------------------------------------------------------

Press Enter to Continue

-------------------------------------------------------------------------------

Please deploy a DNS TXT record under the name

_acme-challenge.no3x.de with the following value:

loGH_nwO5z0LL2zX4IGopI0Jp0Z6H9Xx5t9AE-I2Xyw

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------

Press Enter to Continue

Waiting for verification...

Cleaning up challenges

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/no3x.de/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/no3x.de/privkey.pem

Your cert will expire on 2018-06-12. To obtain a new or tweaked

version of this certificate in the future, simply run

letsencrypt-auto again. To non-interactively renew *all* of your

certificates, run "letsencrypt-auto renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

3. Followed the instructions to serve the HTTP challenge and added the DNS record for the DNS challenge.

4. Restarted my webserver

5. Done

Sources:

[1] https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113

[2] https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654

[3] https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

If you have found a spelling error, please, notify us by selecting that text and pressing Ctrl+Enter.

No3x

Letsencrypt Wildcard Certificate HowTo

Leave a Reply Cancel reply

Spelling error report

The following text will be sent to our editors:

Letsencrypt Wildcard Certificate HowTo

Post navigation

Leave a Reply Cancel reply

Spelling error report

The following text will be sent to our editors: