In recent years, website security has become increasingly important. One of the essential components of website security is having a valid SSL/TLS certificate installed on your website. This certificate encrypts data transmitted between your website and its visitors, preventing third parties from intercepting and tampering with sensitive information.
In this blog post, we will explore how to use Certbot on Ubuntu to obtain a wildcard SSL/TLS certificate from Let's Encrypt, using Cloudflare DNS for domain validation.
As a wildcard certificate is meant to be used across multiple VMs for your subdomains, we will generate it on a dedicated VM instead of on each of the VMs running load balancers for your subdomains. This significantly reduces the maintenance effort of upgrading and patching Certbot and the other packages required to generate the wildcard certificate.
The steps described here apply to Ubuntu 20.04 and later versions.
These steps have been written assuming that the target root domain is rocketcloud.io, so you should replace rocketcloud.io with the name of your root domain before executing any command that references the root domain.
What is Certbot?
Certbot is a command-line tool that helps you obtain and renew SSL/TLS certificates from Let's Encrypt. Let's Encrypt is a free, automated, and open certificate authority that offers SSL/TLS certificates at no cost.
Certbot is available for Linux, macOS, and Windows and supports Apache, Nginx, and other web servers.
Certbot makes it easy to obtain and renew SSL/TLS certificates by automating the process. It uses the ACME (Automatic Certificate Management Environment) protocol to communicate with Let's Encrypt and verify that you own the domain name for which you are requesting a certificate.
What is a wildcard certificate?
A wildcard certificate is a type of SSL/TLS certificate that can be used to secure multiple subdomains of a root domain. For example, a wildcard certificate issued for *.rocketcloud.io can be used to secure docs.rocketcloud.io and any other direct subdomain of rocketcloud.io. This can be useful if you have many subdomains and want to secure them all with a single certificate. Note that the wildcard matches a single label only: it covers docs.rocketcloud.io but not a.docs.rocketcloud.io, and it does not cover the bare rocketcloud.io unless that name is requested as well.
Certbot supports wildcard certificates, and obtaining one is similar to obtaining a regular certificate. However, wildcard certificates require an additional step of domain validation, which involves creating a DNS TXT record for the domain name. This is because Let's Encrypt needs to verify that you own the domain name and have control over its DNS settings.
What is Let's Encrypt?
Let's Encrypt is a free and open certificate authority that provides SSL/TLS certificates to websites.
Let's Encrypt was created to make it easier for website owners to secure their websites by providing free SSL/TLS certificates.
Let's Encrypt is supported by most web browsers, and its certificates are trusted by major operating systems and devices.
Let's Encrypt certificates are valid for 90 days, and Certbot can automatically renew them when they are about to expire.
What is Cloudflare?
Cloudflare is a popular content delivery network (CDN) and DNS provider that helps improve website performance and security.
Cloudflare offers a free SSL/TLS certificate called Universal SSL, which is automatically generated for all websites that use Cloudflare.
Cloudflare's SSL/TLS certificate can be used in conjunction with Let's Encrypt certificates to provide additional security. For example, you can use Let's Encrypt to obtain a wildcard certificate for your domain and use Cloudflare's SSL/TLS certificate to secure traffic between Cloudflare and your web server.
Follow the steps below to obtain a wildcard SSL/TLS certificate using Certbot.
Step 1: SSH into the Ubuntu server
Step 2: Ensure that your version of snapd is up to date
sudo snap install core
sudo snap refresh core
Step 3: Remove Certbot if it already exists (this may be the case if it was installed using the apt package manager)
sudo apt-get remove certbot
Step 4: Install Certbot
Run the following command to install Certbot:
sudo snap install --classic certbot
Step 5: Create a symlink for the Certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 6: Confirm plugin containment level
sudo snap set certbot trust-plugin-with-root=ok
Step 7: Install the Certbot Cloudflare DNS plugin
sudo snap install certbot-dns-cloudflare
This plugin is responsible for completing a dns-01 challenge by creating and then removing a TXT record using the Cloudflare API.
Step 8: Generate a Cloudflare API token
Log in to the Cloudflare dashboard and click on My profile -> API Tokens.
- Click the Create Token button on the API Tokens page.
- Click the Use template button next to Edit zone DNS.
- Select Specific zone in the dropdown under the Zone Resources section and then the zone name in the next dropdown if you have multiple domains and want to restrict this token to a particular zone only.
- (Optional) If you are always going to run these steps from the same VM then you can specify the IP of this VM under Client IP Address Filtering to make sure that this token can't be used from any VM other than this one.
- (Optional) Specify an end date to make sure that the token expires by a certain date.
Step 9: Create a configuration file for the Cloudflare plugin
- Create a configuration file (e.g. cloudflare.ini) with the following content:
dns_cloudflare_api_token = <cloudflare_api_token>
- Replace <cloudflare_api_token> in this file with the token generated in the previous step.
- Restrict the file's permissions to its owner (chmod 600 cloudflare.ini): the token in it can edit your zone's DNS, and the plugin warns if the file is readable by other users.
Step 10: Generate the certificate
sudo certbot certonly \
    --cert-name rocketcloud.io \
    --dns-cloudflare \
    --dns-cloudflare-credentials <relative_or_absolute_path_to_cloudflare.ini_file> \
    -d '*.rocketcloud.io'
The above command generates your certificate and the associated private key in the /etc/letsencrypt/archive/rocketcloud.io folder. You can find the certificate and the associated private key in the fullchain.pem and privkey.pem files respectively under this folder. Certbot also maintains /etc/letsencrypt/live/rocketcloud.io/, where fullchain.pem and privkey.pem are symlinks that always point to the newest files in the archive folder, so that is the path to reference from any configuration that must keep working across renewals.
It is important to supply the --cert-name flag in the above command, as this name is used for the folder name (rocketcloud.io in our case) which is created under the /etc/letsencrypt/archive folder. If you skip this flag then this command will generate folders with different names (e.g. rocketcloud.io-0001 etc.) every time you run it.
The value specified against the --cert-name flag does NOT need to be the same as your domain name.
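Steps 9 and 10 as one script, added here as an example; it is not the post's own code. It assumes that Certbot and the certbot-dns-cloudflare plugin are already installed (Steps 2 to 7), uses the post's file name cloudflare.ini and root domain rocketcloud.io, and reads the token from a CLOUDFLARE_API_TOKEN environment variable of our own choosing so that it never appears on a command line; the function names are the example's own. The point the post does not spell out is that the credentials file holds a token that can edit your zone's DNS, so the script creates it readable by its owner only and refuses to call Certbot if the file is any more open than that. Passing --dry-run exercises the dns-01 challenge against Let's Encrypt's staging environment without consuming production rate limits.

```shell
#!/bin/sh
# Example (not from the original post): Steps 9 and 10 as one script.
# The token is read from the CLOUDFLARE_API_TOKEN environment variable
# (our own convention) so it never lands in the shell history.
set -eu

# Step 9: write the credentials file the Cloudflare plugin reads.
# umask 077 creates it owner-readable only; the chmod also covers a file
# that already existed with looser permissions.
write_cloudflare_credentials() {
    path="$1"; token="$2"
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path" )
    chmod 600 "$path"
}

# Return 0 only if the file's mode is exactly rw------- (the plugin warns
# about anything looser, since the token can edit the whole zone's DNS).
credentials_are_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Step 10: the post's certbot command. Quoting the wildcard stops the shell
# from expanding *.rocketcloud.io as a glob. Extra arguments are passed
# through, e.g. --dry-run to test against the staging environment.
issue_wildcard_cert() {
    root_domain="$1"; credentials="$2"; shift 2
    if ! credentials_are_private "$credentials"; then
        echo "refusing to run certbot: $credentials must be mode 600" >&2
        return 1
    fi
    sudo certbot certonly \
        --cert-name "$root_domain" \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$credentials" \
        -d "*.$root_domain" \
        "$@"
}

# Usage on the Ubuntu VM (the token value is a placeholder you fill in):
#   export CLOUDFLARE_API_TOKEN='<cloudflare_api_token>'
#   write_cloudflare_credentials "$HOME/cloudflare.ini" "$CLOUDFLARE_API_TOKEN"
#   issue_wildcard_cert rocketcloud.io "$HOME/cloudflare.ini" --dry-run
#   issue_wildcard_cert rocketcloud.io "$HOME/cloudflare.ini"
```

Running the dry run first is cheap; a real issuance that fails half-way still counts against the per-domain limits, while the staging run does not.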
Step 11: Automatic renewal
Installing the Certbot snap package also creates a systemd timer, snap.certbot.renew.timer, which will automatically renew your certificate before it expires (90 days after the creation date). This timer must be present in the output of systemctl list-timers.
You can test automatic renewal by running the following command:
sudo certbot renew --dry-run
Step 12: Copy generated certificate and private key to the target VM
Copy the fullchain.pem and privkey.pem files to the VM where your load balancer is running, adjust its configuration to point to these files and restart the load balancer.
As copying our wildcard certificate to multiple VMs is a significant manual effort, we can automate this part to eliminate the manual effort. We will cover this in a separate blog post.
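Steps 11 and 12 together, as an added example that is not part of the original post: before the certificate and key are copied to a load balancer VM, check on the Certbot VM that the pair is the one you think it is. The script assumes the post's paths (/etc/letsencrypt/live/rocketcloud.io/ holding the current fullchain.pem and privkey.pem symlinks), a staging directory and an lb-host name that are placeholders of our own, and its function names are its own. It uses the openssl command line, which Ubuntu ships, to confirm that the certificate carries the *.rocketcloud.io name, that the private key matches it, and that it is not about to expire (a margin above the 30 days at which Certbot renews tells you the timer is doing its job), and only then copies the pair with the private key readable by its owner alone.

```shell
#!/bin/sh
# Example (not from the original post): sanity-check a Certbot lineage and
# stage the file pair for copying to the load balancer VM.
set -eu

# 0 if the certificate's Subject Alternative Name list contains exactly $2
# (e.g. '*.rocketcloud.io'); the SAN list is what clients match the hostname against.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# 0 if the certificate will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if the public key embedded in the certificate matches the private key.
# Catches the classic mistake of pairing fullchain.pem from one lineage with
# privkey.pem from another.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run all checks, then copy the pair into $2 (following the live/ symlinks)
# with the private key readable by its owner only.
stage_certificate() {
    lineage="$1"; dest="$2"; wildcard_name="$3"
    cert="$lineage/fullchain.pem"; key="$lineage/privkey.pem"
    cert_has_san "$cert" "$wildcard_name" || { echo "SAN $wildcard_name missing" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "private key does not match certificate" >&2; return 1; }
    cert_valid_for_days "$cert" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
    mkdir -p "$dest"
    cp -L "$cert" "$dest/fullchain.pem" && chmod 644 "$dest/fullchain.pem"
    cp -L "$key" "$dest/privkey.pem" && chmod 600 "$dest/privkey.pem"
    # On the real system, finish Step 12 from here (lb-host is a placeholder):
    #   scp -p "$dest/fullchain.pem" "$dest/privkey.pem" lb-host:/etc/ssl/rocketcloud.io/
    # and then restart or reload the load balancer.
}

# Usage on the Certbot VM, as root (the staging directory is our choice):
#   stage_certificate /etc/letsencrypt/live/rocketcloud.io /root/staging '*.rocketcloud.io'
```

Because the checks read through the live/ symlinks, the same call works unchanged after every renewal, which is what makes it safe to script later.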