Wildcard Let’s Encrypt with Certbot Apache Ubuntu

Google started a campaign to make the web a safer place, so they decided to mark all websites using plain old http as “not secure”; only websites using https are marked as safe to use.

Nobody wants to see their website marked as “not secure” because it doesn’t use https. To remove the warning, the website needs an SSL certificate, and that normally costs money. Fortunately, there is a free way to get one.

Let’s Encrypt comes to the rescue. Let’s Encrypt has the same mission as Google, making the web a safer place: it is an open certificate authority (CA) that provides free digital certificates for our websites.

It’s easy to set up a wildcard SSL certificate for our domain. That way, you do not need to request a new certificate for each subdomain.

First, install the required tools:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache
sudo a2enmod ssl
sudo a2enmod rewrite

Next, at your registrar create the following DNS records:

  1. custom A record @ with the value of the IP address of the web server
  2. custom CNAME record * with the value of @
  3. custom CNAME record www with the value of @

Request a wildcard SSL certificate for your domain from Let’s Encrypt.
Replace example.com with your own domain.

# *.example.com covers first-level subdomains only, not example.com itself, so both names are requested;
# the wildcard is quoted so the shell does not expand it as a file glob
sudo certbot certonly --manual --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d example.com -d '*.example.com'

Next you will be asked a question.
Type y if you want to continue.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

Create a TXT record with the information certbot shows after you type y.
The name is _acme-challenge and the value is the long random string it prints. Certbot asks for one record per name in the request, so if you requested more than one name you will see this prompt more than once; add each value as its own _acme-challenge TXT record (several TXT records under the same name are fine). Before pressing Enter, check that the record is visible from outside your network, for example with dig TXT _acme-challenge.example.com: Let’s Encrypt queries it from its own resolvers, and the challenge fails if the record has not propagated yet.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

Zc69N6P6Dqnr2eg3Dc0LLJBAzeOCD5aIIlrt2knBKbe

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

After pressing Enter, you are done with Let’s Encrypt.
Now to configure Apache: we’ll redirect all http requests to https.

sudo vim /etc/apache2/sites-available/example.com.conf

Edit the file to something similar.

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Save the file, then create another file for the https site:

sudo vim /etc/apache2/sites-available/example.com-ssl.conf

Now set up the https virtual host for the domain:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com

        ServerAdmin webmaster@example.com
        DocumentRoot /var/www/example/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine on
        # options-ssl-apache.conf is written by certbot and turns SSLEngine on with a hardened cipher set
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
</IfModule>
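
Before enabling the site it is worth confirming that the certificate certbot wrote actually covers every name this virtual host answers to. The script below is an added check, not part of the original post and not code from certbot or Apache: it lists the certificate's Subject Alternative Names with openssl, applies the wildcard matching rule browsers use (a *.example.com entry covers www.example.com but neither example.com itself nor a.b.example.com), and then runs apachectl configtest. The certificate path and hostnames in the usage line are the page's example values; openssl and apachectl are assumed to be installed.

```shell
#!/bin/sh
# check-cert-names.sh: confirm a certificate covers the names an Apache vhost serves.
# Added example, not from the original post. Assumes openssl and apachectl are installed.

# List the DNS names in the certificate's Subject Alternative Name extension, one per line.
cert_sans() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Return 0 if hostname $1 is matched by SAN entry $2 (case-insensitive).
# Rule: a wildcard replaces exactly one left-most label, so *.example.com covers
# www.example.com but not example.com itself and not a.b.example.com.
name_matches_san() {
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    s=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $s in
        \*.*)
            suffix=${s#\*.}
            case $n in
                *."$suffix")
                    label=${n%."$suffix"}
                    case $label in
                        ''|*.*) return 1 ;;   # empty label, or more than one label
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *)
            [ "$n" = "$s" ] ;;
    esac
}

# Return 0 if hostname $1 is covered by any of the SAN entries $2..$n.
name_covered() {
    host=$1; shift
    for san in "$@"; do
        name_matches_san "$host" "$san" && return 0
    done
    return 1
}

# Check every hostname $2..$n against certificate file $1; print one line per name.
check_cert_covers() {
    cert=$1; shift
    sans=$(cert_sans "$cert") || return 1
    rc=0
    for host in "$@"; do
        # $sans is deliberately unquoted so each SAN becomes one argument
        if name_covered "$host" $sans; then
            echo "ok:      $host"
        else
            echo "MISSING: $host is not covered by $cert (SANs: $(printf '%s ' $sans))" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-cert-names.sh /etc/letsencrypt/live/example.com/fullchain.pem example.com www.example.com
if [ "$#" -ge 2 ]; then
    check_cert_covers "$@" && apachectl configtest
fi
```

If the certificate was requested for *.example.com alone, the script reports example.com as MISSING: browsers apply the same rule and will refuse the bare domain, which is why the request should name both example.com and *.example.com.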

Now to enable the site.

sudo a2ensite example.com.conf
sudo a2ensite example.com-ssl.conf
sudo apachectl configtest
sudo systemctl reload apache2

Now you’re all set. All done! Almost.

There is a limitation with Let’s Encrypt certificates:
they expire every 90 days.
We can create a cron job to renew them automatically.

sudo crontab -e

In the crontab editor, add the following line to run the renewal once a month. certbot renew only replaces certificates that are within 30 days of expiry. Because this certificate was obtained with --manual, unattended renewal works only if certbot was given a --manual-auth-hook script that can publish the _acme-challenge TXT record; without one, certbot renew reports that the certificate could not be renewed and you must rerun the certbot command interactively before the certificate expires.

# 02:00 on the 1st of every month; the deploy hook reloads Apache so it serves the renewed certificate
0 2 1 * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload apache2"

Save it and exit.
Now we are done!
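
The cron job above can only repeat the DNS challenge without a human at the keyboard if certbot has hooks to do the DNS work. Certbot runs the --manual-auth-hook script with the domain and the challenge value in the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables, expects it to publish the _acme-challenge TXT record, and runs the --manual-cleanup-hook afterwards to remove it. The script below is an added example, not part of the original post and not code from certbot. It publishes the record with a TSIG-signed RFC 2136 dynamic update through nsupdate (from the bind9-dnsutils package), which assumes that the zone's primary nameserver accepts such updates for _acme-challenge names; the server name ns1.example.com, the key path /etc/letsencrypt/acme-tsig.key and the three public resolvers it polls are all assumptions. Run with the check argument, the same script also serves the interactive step earlier in the post: it polls the resolvers until the TXT record is visible before you press Enter in certbot. certbot renew only acts on certificates within 30 days of expiry, so scheduling it more often than monthly (Let's Encrypt suggests twice a day) is harmless and gives a failed attempt a chance to retry. If your DNS lives at a registrar with no update interface, renewal stays a manual job: rerun the certbot command interactively before the 90 days are up.

```shell
#!/bin/sh
# acme-dns-hook.sh: certbot manual hooks for the DNS-01 challenge over RFC 2136 (nsupdate),
# plus a propagation check. Added example, not from the original post or from certbot.
# Assumed (not on the page): primary nameserver, TSIG key path, public resolvers polled.
DNS_SERVER=${DNS_SERVER:-ns1.example.com}
TSIG_KEYFILE=${TSIG_KEYFILE:-/etc/letsencrypt/acme-tsig.key}
RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"
TTL=60

# Challenge record name for a domain. Certbot already strips "*." from CERTBOT_DOMAIN;
# strip it here too so *.example.com and example.com both map to the same record name.
txt_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Produce the nsupdate input that adds or deletes the TXT record.
# $1 = add|delete, $2 = domain, $3 = challenge value
nsupdate_script() {
    name=$(txt_record_name "$2")
    case $1 in
        add)    printf 'server %s\nupdate add %s. %s TXT "%s"\nsend\n' "$DNS_SERVER" "$name" "$TTL" "$3" ;;
        delete) printf 'server %s\nupdate delete %s. TXT "%s"\nsend\n' "$DNS_SERVER" "$name" "$3" ;;
        *)      return 1 ;;
    esac
}

# Return 0 if `dig +short TXT` output ($1) contains exactly the expected value ($2).
# dig prints each TXT string quoted on its own line, so match the whole line.
has_txt_value() {
    printf '%s\n' "$1" | grep -Fxq "\"$2\""
}

# Return 0 once every resolver in $RESOLVERS answers with the value; give up after $3 tries.
wait_for_txt() {
    name=$(txt_record_name "$1"); value=$2; tries=${3:-30}; i=0
    while [ "$i" -lt "$tries" ]; do
        missing=0
        for r in $RESOLVERS; do
            has_txt_value "$(dig +short @"$r" TXT "$name")" "$value" || { echo "$r: $name not visible yet"; missing=1; }
        done
        [ "$missing" -eq 0 ] && { echo "$name visible on all resolvers"; return 0; }
        i=$((i + 1)); sleep 20
    done
    echo "gave up waiting for $name" >&2
    return 1
}

# certbot --manual-auth-hook "/usr/local/bin/acme-dns-hook.sh auth" \
#         --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh cleanup"   (path is an assumption)
case ${1:-} in
    auth)    nsupdate_script add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE" &&
             wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
    cleanup) nsupdate_script delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE" ;;
    check)   wait_for_txt "$2" "$3" ;;   # e.g. acme-dns-hook.sh check example.com Zc69N6P6Dqnr2eg3Dc0LLJBAzeOCD5aIIlrt2knBKbe
esac
```

Issue the certificate once with the two hook flags shown in the comment; certbot records them in /etc/letsencrypt/renewal/example.com.conf, so later certbot renew runs call them without prompting. Keep the TSIG key file readable by root only: whoever can use it can publish _acme-challenge records, which is exactly what a certificate issuance for your domain requires.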

Congratulations!!! Your site is https ready.
