sylvaindurand.org

Wildcard certificates with Let’s Encrypt

Launched in late 2015, Let’s Encrypt is a public benefit organization which democratized the use of HTTPS by providing free SSL certificates with an automated validation system.

After several months of testing, Let's Encrypt has launched the second version of its client (ACME v2) with a highly anticipated feature: you can obtain wildcard certificates, valid for all subdomains of one domain.

This possibility is particularly interesting when using many subdomains: until now, it was necessary to issue a new certificate whenever a subdomain was added or removed. Here, a simple `*.domain.tld` is enough!

Installation

To get our certificates, we will use the `certbot` client. The certbot site offers several installation methods depending on your platform. On Debian, you can simply use:

sudo apt-get install certbot

Issuing a certificate manually

Be careful, if you want a certificate for both the domain root (`domain.tld`) and its subdomains (`*.domain.tld`), both must be specified. With the `-d` parameter, it is possible to list the desired domains and subdomains:

sudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d domain.tld -d "*.domain.tld"

Let's Encrypt now asks us to prove that we control the requested domain names. It requests the creation of a specific TXT record in the DNS zone of the domain name, which can be done from your registrar:

----------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domain.tld with the following value:

c81US66r6JVk1LwyFHbzINQvIU_m5gJWXgcUm8Qj2

Before continuing, verify the record is deployed.
----------------------------------------------------
Press Enter to Continue

Two TXT records will be requested under the same name; this is completely normal, since one is for `domain.tld` and the other for `*.domain.tld`.
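The two rules above (both `domain.tld` and `*.domain.tld` must be requested, and both map to the same `_acme-challenge` name) can be checked with a small script. This is an added example, not code from the original post or from certbot; `domain.tld` and the hostnames are placeholders.

```python
# Added example (not from the original post): stdlib-only helpers that
# illustrate two rules from the text. Names like domain.tld are placeholders.
from __future__ import annotations


def acme_challenge_name(identifier: str) -> str:
    """Return the DNS name certbot asks for a TXT record at (dns-01).

    The wildcard label is dropped, so domain.tld and *.domain.tld both
    map to _acme-challenge.domain.tld: two TXT records, same name.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.').lower()}"


def txt_records_needed(identifiers: list[str]) -> dict[str, int]:
    """Count how many TXT records each _acme-challenge name needs."""
    counts: dict[str, int] = {}
    for ident in identifiers:
        name = acme_challenge_name(ident)
        counts[name] = counts.get(name, 0) + 1
    return counts


def name_matches(hostname: str, san: str) -> bool:
    """Single-label wildcard rule: *.domain.tld covers www.domain.tld,
    but neither domain.tld (no label to match) nor a.b.domain.tld."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]  # ".domain.tld"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def uncovered(hostnames: list[str], sans: list[str]) -> list[str]:
    """Hostnames you serve that none of the certificate's SANs cover."""
    return [h for h in hostnames if not any(name_matches(h, s) for s in sans)]


if __name__ == "__main__":
    # Requesting only the wildcard leaves the bare domain uncovered.
    print(uncovered(["domain.tld", "www.domain.tld"], ["*.domain.tld"]))
    print(txt_records_needed(["domain.tld", "*.domain.tld"]))
```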

Once created, the certificate is located in `/etc/letsencrypt/live/domain.tld`.

This certificate cannot be renewed automatically: as it approaches its expiration, this step has to be repeated by hand.

Automated request: example with OVH

Fortunately, there are `certbot` plugins that request certificates automatically: they modify the DNS zone themselves to complete the validation. For example, under Debian, the following packages are provided:

# apt-cache search certbot-dns
python3-certbot-dns-cloudflare
python3-certbot-dns-digitalocean
python3-certbot-dns-dnsimple
python3-certbot-dns-gandi
python3-certbot-dns-gehirn
python3-certbot-dns-google
python3-certbot-dns-linode
python3-certbot-dns-ovh
python3-certbot-dns-rfc2136
python3-certbot-dns-route53
python3-certbot-dns-sakuracloud

Depending on your registrar, you can find documentation on their API and how to set up renewal. I am an OVH customer:

sudo apt-get install python3-certbot-dns-ovh

Then we go to `https://eu.api.ovh.com/createToken/` to create a token linked to your account (be careful, you have to enter your login of the form `xx00000-ovh` and not your email address) with the following rules:

GET /domain/zone/*
PUT /domain/zone/*
POST /domain/zone/*
DELETE /domain/zone/*

We use the generated values to create the file:

# /root/.ovh.ini
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key =
dns_ovh_application_secret =
dns_ovh_consumer_key =

We give it restricted rights, and then we can create a certificate:

sudo chmod 600 /root/.ovh.ini
sudo certbot certonly --dns-ovh --dns-ovh-credentials /root/.ovh.ini -d "domain.tld" -d "*.domain.tld"