Installing Letsencrypt wildcard certificate with Debian 8 / Nginx

It is actually very simple.

1. First things first: install or upgrade your certbot client; it needs to be version 0.22 or newer. Alternatively, uninstall the current version and install the new one with the commands below.

# wget https://dl.eff.org/certbot-auto
# chmod a+x ./certbot-auto
# sudo ./certbot-auto

2. Generate the certificate using the command below

# sudo ./certbot-auto certonly \
 --server https://acme-v02.api.letsencrypt.org/directory \
 --manual --preferred-challenges dns \
 -d *.domain.com -d domain.com

Note that you need to specify both “-d *.domain.com -d domain.com” for the certificate to cover all subdomains as well as the root domain. ACMEv2 is required for wildcard certificates, so the command uses the new endpoint URL https://acme-v02.api.letsencrypt.org/directory.

3. Create the validation TXT record for your domain. Follow the wizard; it will ask you to publish a DNS TXT record like this:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.scm.cloudynerd.us with the following value:

XXXXXXXXX-XXXXXXXXXXXXXX

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
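Certbot issues one dns-01 challenge per name in the request, so the wildcard plus root-domain command above prompts for two TXT values under the same _acme-challenge.domain.com name, and both must be visible before you press Enter. The script below is an added example, not from the original post: it checks with dig (Debian package dnsutils, assumed installed) that a given value is published; the domain, script name and sample dig output are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the TXT record
# certbot asked for in step 3 is actually visible in DNS before pressing Enter.
# Assumes `dig` is installed (Debian package dnsutils) for live queries.

# txt_record_matches NAME EXPECTED [RAW]
#   Exit 0 when EXPECTED is one of the TXT values published for NAME.
#   RAW, if given, replaces the live dig output (used for offline checks).
txt_record_matches() {
    name=$1
    expected=$2
    if [ $# -ge 3 ]; then
        raw=$3
    else
        # +short prints one quoted TXT value per line and nothing else
        raw=$(dig +short TXT "$name" 2>/dev/null)
    fi
    # strip the surrounding quotes and require an exact, whole-line match
    printf '%s\n' "$raw" | sed 's/^"//; s/"$//' | grep -Fqx -- "$expected"
}

# wait_for_txt NAME EXPECTED [ATTEMPTS] [DELAY]
#   Poll until the record shows up or ATTEMPTS (default 12) are used up,
#   sleeping DELAY seconds (default 10) between tries; exit 1 on timeout.
wait_for_txt() {
    name=$1
    expected=$2
    attempts=${3:-12}
    delay=${4:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_record_matches "$name" "$expected"; then
            echo "TXT record for $name is live"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TXT record for $name not seen after $attempts attempts" >&2
    return 1
}

# Usage: sh check-txt.sh _acme-challenge.domain.com <value shown by certbot>
# The wildcard plus root-domain request produces two challenges under the same
# name, so run this once for each value certbot prints.
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```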

4. Once the TXT record is validated, your certificate is generated and ready to be used by nginx. Add these lines to your server block:

listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

5. Restart your server and you should be good to go.

Don’t forget to set up your crontab to renew the certificate before it expires. Add this to your crontab (the path must point to wherever you placed certbot-auto; here it is /opt/certbot-auto):

0 3,15 * * * /opt/certbot-auto -q renew --renew-hook "/etc/init.d/nginx reload" >> /var/log/certbot-auto-renew 2>&1

Enjoy
