How to Issue a Wildcard Let's Encrypt SSL Certificate
Securing multiple subdomains is essential for modern websites. A wildcard SSL certificate is an efficient way to achieve this. In this guide, we’ll show you how to issue a wildcard Let's Encrypt SSL certificate.
What is a Wildcard SSL Certificate?
A wildcard SSL certificate secures a domain's subdomains with a single certificate. For example, a wildcard certificate for *.example.com, requested together with the bare domain example.com as in Step 4 below, will cover:
- example.com
- www.example.com
- blog.example.com
- shop.example.com
Why Use Let's Encrypt for Wildcard Certificates?
Let's Encrypt provides free SSL certificates. It automates the process of certificate issuance and renewal. Using Let's Encrypt for wildcard certificates is cost-effective and straightforward.
Requirements for Issuing a Wildcard SSL Certificate
To issue a wildcard SSL certificate with Let's Encrypt, you need:
- A domain name.
- Access to DNS settings for the domain.
- Certbot, the Let's Encrypt client.
Step-by-Step Guide to Issue a Wildcard SSL Certificate
Step 1: Install Certbot
First, install Certbot. This tool automates the process of obtaining and renewing Let's Encrypt SSL certificates.
For Ubuntu, use the following commands:
sudo apt update
sudo apt install certbot
Step 2: Install the DNS Plugin
Certbot uses plugins to perform DNS-01 challenges. For wildcard certificates, you need a DNS plugin. Install the plugin for your DNS provider. For example, for Cloudflare:
sudo apt install python3-certbot-dns-cloudflare
Step 3: Configure the DNS Plugin
Set up the DNS plugin by creating a credentials file. For Cloudflare, it might look like this:
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
Save this file securely and restrict its permissions so that only its owner can read it:
chmod 600 /path/to/credentials.ini
Step 4: Obtain the Wildcard Certificate
Run Certbot with the DNS plugin to obtain the certificate:
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /path/to/credentials.ini \
-d '*.example.com' \
-d 'example.com'
Replace *.example.com and example.com with your actual domain.
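The two -d flags above matter because a wildcard entry and a bare-domain entry match different hostnames. The following check, an added example that is not part of the original guide or of Certbot, applies the matching rule browsers use (RFC 6125: a wildcard stands for exactly one left-most label) to a constructed SAN list shaped like the Step 4 request; the function names are my own, and only the "*.label" form of wildcard that Let's Encrypt issues is handled.

```python
"""Check which hostnames a wildcard certificate's SAN list covers."""
from typing import List, Optional


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname.

    A wildcard matches exactly one DNS label in the left-most position,
    so it covers www.example.com but neither example.com (the apex)
    nor a.b.example.com (a nested subdomain).
    """
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname            # plain entry: exact match only
    suffix = san[1:]                      # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]      # the part the '*' has to stand for
    # exactly one non-empty label: rules out the apex and nested names
    return bool(label) and "." not in label


def covered_by(hostname: str, sans: List[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None if none does."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def uncovered_names(sans: List[str], served_names: List[str]) -> List[str]:
    """Names from a server block that no SAN entry covers (pre-deploy check)."""
    return [h for h in served_names if covered_by(h, sans) is None]


if __name__ == "__main__":
    # Constructed SAN list mirroring the Step 4 request (not read from a real cert).
    SANS = ["*.example.com", "example.com"]
    for name in ["www.example.com", "blog.example.com", "example.com",
                 "a.b.example.com", "example.org"]:
        print(f"{name:18} -> {covered_by(name, SANS)}")
    print("uncovered:", uncovered_names(SANS, ["shop.example.com", "api.v2.example.com"]))
```

Run uncovered_names against the names in your Nginx server_name or Apache ServerAlias list before deploying; any name it returns would fail TLS validation.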
Step 5: Verify the Certificate
After running Certbot, your certificates should be saved in /etc/letsencrypt/live/yourdomain. Verify the files:
sudo ls /etc/letsencrypt/live/yourdomain/
You should see fullchain.pem, privkey.pem, and other certificate files.
Automate Certificate Renewal
Let's Encrypt certificates are valid for 90 days. Automate the renewal process with a cron job. Open the crontab editor:
sudo crontab -e
Add the following line to renew certificates and reload the web server:
0 0,12 * * * certbot renew --quiet && systemctl reload nginx
This cron job runs twice daily; Certbot renews only the certificates that are due, and the web server is then reloaded so it picks up the new files.
Integrate the Certificate with Your Web Server
For Nginx
Update your Nginx configuration to use the new certificate. Edit the server block for your domain:
server {
    listen 443 ssl;
    server_name example.com *.example.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;
    # other settings...
}
Reload Nginx to apply the changes:
sudo systemctl reload nginx
For Apache
Edit your Apache configuration file:
<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem
    # other settings...
</VirtualHost>
Reload Apache:
sudo systemctl reload apache2
Enhance Your Network with Akmatori
Securing your subdomains with a wildcard SSL certificate is a great step. To further optimize your network, try Akmatori. Akmatori is a global, distributed TCP/UDP load balancer designed for high performance. It simplifies complex network setups and ensures reliability.
Conclusion
Issuing a wildcard Let's Encrypt SSL certificate is straightforward with Certbot. This guide covered installing Certbot, configuring DNS plugins, obtaining the certificate, and integrating it with your web server. For an advanced load-balancing solution, consider Akmatori.