Wildcard Certificates with Let's Encrypt

by Michael Urspringer - 16.03.2018

Let's Encrypt can now issue wildcard certificates, which makes things much easier if you are hosting many different sites or servers under the same domain that all need TLS certificates. Here I will describe how to implement that.

I am using the Dehydrated client and BIND as my DNS server. Wildcard certificates are only issued via the ACMEv2 API and only with the DNS-01 challenge type. This means that you need to be able to modify DNS TXT records for your domains.

First clone the Dehydrated client from Github:

You can specify most of the configuration options via the command line. However, if you want to use the Let's Encrypt staging environment first for testing (recommended!), you need to specify the staging URL. Create a new file named "config" in the "dehydrated" directory with the following content:

Once your tests are successful, just comment out that line to switch to the production environment. Certificates from the staging environment are signed by an untrusted test CA, so they are only good for verifying that the whole process works, not for real use.

You also need a hook script so that the Dehydrated client can add the required entries to your DNS server. Here is the script I am using, which modifies my BIND zone via the NSUPDATE command. You will need to specify the path to the key file that is used to authenticate the dynamic updates against your BIND server. For more information on how to set up access via NSUPDATE, you can check this article. Save the following script as "hook.sh" in the "dehydrated" directory and make it executable with "chmod +x hook.sh":

In line 25 you need to specify the path to the key file you created for dynamic BIND updates, and in line 29 the IP address or host name of your BIND DNS server.
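Since the hook script itself is not reproduced here, the following is an added example of such a hook, written for this page and not the author's own hook.sh. It implements the three entry points Dehydrated calls (deploy_challenge, clean_challenge, deploy_cert), adds and removes the _acme-challenge TXT record with nsupdate, and includes the propagation check against three external resolvers that is described further down in the post. The key path /etc/bind/keys/acme-update.key, the server name ns1.acme.com, the resolver list and the "systemctl reload apache2" call are assumptions you must adapt.

```shell
#!/usr/bin/env bash
# Added example hook for dehydrated's DNS-01 challenge, driving BIND with
# nsupdate. It is not the post author's hook.sh; the key path, server name,
# resolver list and the Apache reload are assumptions you must adapt.

NSUPDATE_KEY="${NSUPDATE_KEY:-/etc/bind/keys/acme-update.key}"  # TSIG key for dynamic updates (assumed path)
DNS_SERVER="${DNS_SERVER:-ns1.acme.com}"                         # authoritative BIND server (assumed name)
TTL=60                                                           # short TTL: the record only lives for one validation
CHECK_RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"                         # external resolvers that must all see the record
MAX_TRIES=30
SLEEP_SECS=10

# Name of the validation record. A leading "*." is stripped, so "*.acme.com"
# and "acme.com" both validate at _acme-challenge.acme.com (dehydrated already
# strips it before calling the hook; doing it again is harmless).
challenge_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Build the nsupdate batch for one TXT record. "update add" leaves other
# records on the same name alone, which matters when the wildcard and the
# bare domain are validated one after the other in a single dehydrated run.
build_nsupdate_script() {
    local server="$1" name="$2" action="$3" value="$4"
    case "$action" in
        add) printf 'server %s\nupdate add %s. %s IN TXT "%s"\nsend\n' "$server" "$name" "$TTL" "$value" ;;
        del) printf 'server %s\nupdate delete %s. IN TXT "%s"\nsend\n' "$server" "$name" "$value" ;;
        *)   echo "build_nsupdate_script: unknown action '$action'" >&2; return 1 ;;
    esac
}

# Send the batch to BIND, authenticated with the TSIG key.
run_nsupdate() {
    build_nsupdate_script "$DNS_SERVER" "$1" "$2" "$3" | nsupdate -k "$NSUPDATE_KEY"
}

# True when the given resolver already returns the token for the name.
record_visible() {
    dig +short +time=5 +tries=1 @"$1" TXT "$2" 2>/dev/null | grep -qF "\"$3\""
}

# Poll until every resolver in CHECK_RESOLVERS answers with the token, so the
# validation is only requested once the record is visible from outside.
wait_for_propagation() {
    local name="$1" value="$2" try=0 seen resolver
    set -- $CHECK_RESOLVERS
    local wanted=$#
    while [ "$try" -lt "$MAX_TRIES" ]; do
        try=$((try + 1)); seen=0
        for resolver in "$@"; do
            record_visible "$resolver" "$name" "$value" && seen=$((seen + 1))
        done
        echo " + DNS propagation try $try: $seen of $wanted resolvers see $name"
        [ "$seen" -eq "$wanted" ] && return 0
        sleep "$SLEEP_SECS"
    done
    echo "DNS propagation of $name timed out" >&2
    return 1
}

# dehydrated hook entry points: $1 = domain, $2 = token file name, $3 = token value
deploy_challenge() {
    local name
    name="$(challenge_name "$1")"
    run_nsupdate "$name" add "$3"
    wait_for_propagation "$name" "$3"
}

clean_challenge() {
    run_nsupdate "$(challenge_name "$1")" del "$3"
}

# $1 = domain, $2 = key file, $3 = cert file, $4 = fullchain, $5 = chain, $6 = timestamp
deploy_cert() {
    echo " + New certificate for $1 in $4, reloading Apache"
    systemctl reload apache2   # assumption: Debian-style service name
}

# Dispatch on the hook name dehydrated passes as the first argument; hooks not
# needed here (unchanged_cert, exit_hook, ...) simply fall through.
case "${1:-}" in
    deploy_challenge|clean_challenge|deploy_cert)
        handler="$1"; shift
        "$handler" "$@"
        ;;
esac
```

Dehydrated calls the script itself, for example from "./dehydrated -c -d '*.acme.com' -d acme.com -k /root/dehydrated/hook.sh -t dns-01" after a one-time "./dehydrated --register --accept-terms". One check worth doing on the BIND side: the TSIG key used here should not be allowed to update the whole zone. With an update-policy such as "grant acme-update name _acme-challenge.acme.com. TXT;" (key name assumed) the key can only touch the challenge record, so a compromise of the host running Dehydrated does not let an attacker rewrite your A or MX records.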

Now you first need to register an account with Let's Encrypt. This is needed only once per environment (Dehydrated keeps separate accounts for the staging and the production environment). You do that with the following command:

As a result you should see something like this:

In the "accounts" directory you will now find a sub-directory with your registration key and information.

Now you are ready to create your first wildcard certificate. Run the following command (replace "acme.com" with the domain for which you want to create a certificate, and "/root/dehydrated" with the path where you cloned the Dehydrated client):

Please note that you should also include your bare domain, without the "*.", as a SAN (Subject Alternative Name) in the certificate. A wildcard only matches exactly one label, so "*.acme.com" does not cover "acme.com" itself, and without the extra SAN you will not be able to use "https://acme.com" with your certificate!

You should see an output like the following:

The number of tries for the DNS propagation depends on how fast the change on your BIND server propagates to the outside world. The hook script checks three different external DNS servers, and all of them need to return the challenge record correctly before the validation is requested.

As a result you should now have the certificate files in the directory "certs/_wildcard.acme.com":

You can then use the certificate, e.g. in your Apache web server, by including the following lines in your SSL section:
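As an added illustration (not the post's own configuration), this is how the files Dehydrated writes map onto the Apache 2.4 directives; the certificate path assumes the default "certs" directory under /root/dehydrated.

```apache
# Added example, not from the original post. Path is an assumption.
<VirtualHost *:443>
    ServerName  acme.com
    ServerAlias *.acme.com
    SSLEngine on
    # fullchain.pem contains the leaf certificate followed by the Let's Encrypt
    # intermediate. Apache >= 2.4.8 reads the intermediate from this file, so
    # the older SSLCertificateChainFile directive is not needed.
    SSLCertificateFile    /root/dehydrated/certs/_wildcard.acme.com/fullchain.pem
    SSLCertificateKeyFile /root/dehydrated/certs/_wildcard.acme.com/privkey.pem
</VirtualHost>
```

Use fullchain.pem rather than cert.pem here: without the intermediate, clients that do not fetch missing issuers themselves (many non-browser TLS clients) will fail to build the chain.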

In the "config" file you can also specify where the Dehydrated client stores the generated certificates. Just add the following lines to your "config" file:

The certificate is valid for three months (90 days), so you need to run that task on a regular basis. I am running it every day. As long as the certificate is still valid for at least 30 days, nothing happens. Otherwise a new certificate is generated (and you need to reload or restart your application, e.g. Apache, in order to activate it). The time frame of 30 days can be changed by adding the following lines to "config":

There are some more options in the config file. You will find a documented sample file under "docs/examples/config" in the "dehydrated" directory.

Sometimes you will need the certificate in PKCS#12 format. You can use the following OpenSSL command to create such a file:

If you are also using the DANE protocol, you can generate the necessary TLSA DNS entry (for "3 1 1", i.e. certificate usage 3, selector 1, matching type 1: the SHA-256 hash of the certificate's public key) with the following command:

You will then get something like this:
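The following is an added, self-contained example (not the post's commands) covering both the PKCS#12 export and the TLSA "3 1 1" generation. It generates throw-away self-signed test certificates with openssl so that it runs offline, and it also shows that a 3 1 1 record is derived from the public key alone: a second certificate issued on the same key yields the same record, which is why re-using the private key across renewals keeps DANE working. File names follow Dehydrated's layout (privkey.pem, cert.pem, chain.pem); the host name acme.com and port 443 are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the post): derive a DANE TLSA "3 1 1" record and a
# PKCS#12 bundle from dehydrated-style certificate files with openssl.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo taken from the certificate.
# That is the association data for usage 3 (DANE-EE), selector 1 (SPKI),
# matching type 1 (SHA-256).
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | sha256sum | cut -d' ' -f1
}

# The same digest computed from the private key alone. Only the public key is
# covered, so a renewed certificate on the same key keeps the same record.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | sha256sum | cut -d' ' -f1
}

# Complete zone file line: $1 host name, $2 port, $3 certificate file.
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_311_from_cert "$3")"
}

# PKCS#12 bundle (private key + certificate + chain) for software that cannot
# read PEM: $1 key, $2 cert, $3 chain, $4 output .p12, $5 export password.
export_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "acme.com" -out "$4" -passout "pass:$5"
}

# Constructed test material: self-signed certificates stand in for the
# Let's Encrypt files so the functions can be exercised offline. Prints the
# directory holding privkey.pem, cert.pem, chain.pem and cert-renewed.pem.
make_test_material() {
    local dir
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=acme.com" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
    # a second self-signed certificate plays the role of the intermediate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Chain" \
        -keyout "$dir/chain.key" -out "$dir/chain.pem" 2>/dev/null
    # "renewal" on the same key, as with PRIVATE_KEY_RENEW="no" in dehydrated
    openssl req -x509 -new -key "$dir/privkey.pem" -days 1 -subj "/CN=acme.com" \
        -out "$dir/cert-renewed.pem" 2>/dev/null
    printf '%s' "$dir"
}
```

On a real installation you would call tlsa_record with the cert.pem from certs/_wildcard.acme.com and publish the printed line in your zone; the PKCS#12 password is passed on the command line here for brevity and would show up in the process list and shell history, so use "-passout file:..." or an interactive prompt where that matters.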

As you do not want to change the TLSA records every time a certificate renewal takes place, you need to configure Dehydrated to re-use the private key when issuing a new certificate by adding these lines to the "config" file. This works because a "3 1 1" record only hashes the public key, not the certificate, so it stays valid as long as the key does not change:

Keep in mind that it is still recommended to change that key from time to time for security reasons. However, I would say it is not necessary to do that every three months; once a year should be fine. When you do rotate the key, publish the TLSA record for the new key alongside the old one before you switch the certificate, otherwise DANE-validating clients will reject the new certificate until their caches see the new record.
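Since the individual "config" snippets are scattered through the post (staging URL, certificate directory, renewal window, key re-use), here is an added example of one complete "config" file collecting them. It is not the author's own file; Dehydrated sources this file as shell, so it consists of plain variable assignments. The hook path and certificate directory are assumptions.

```shell
# Added example (not the post's own config): /root/dehydrated/config with the
# settings discussed in the post. Paths are assumptions.

# Let's Encrypt ACMEv2 endpoints (wildcards require v2). Test against staging
# first: it issues untrusted certificates and has generous rate limits.
# Comment out the staging line and enable the production line when done.
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
#CA="https://acme-v02.api.letsencrypt.org/directory"

# Wildcards are only possible with DNS-01, handled by the nsupdate hook.
CHALLENGETYPE="dns-01"
HOOK="/root/dehydrated/hook.sh"

# Where the certificates are written (default: the "certs" directory next to
# the dehydrated script).
CERTDIR="/etc/ssl/dehydrated"

# Renew when fewer than 30 days of validity remain. With this setting the
# daily cron run is a no-op most of the time.
RENEW_DAYS="30"

# Keep the private key across renewals so DANE TLSA "3 1 1" records stay
# valid. To rotate the key deliberately (e.g. once a year), run once with
# PRIVATE_KEY_RENEW="yes" and republish the TLSA record.
PRIVATE_KEY_RENEW="no"
```

The domains themselves go into "domains.txt" next to the script, one certificate per line, e.g. "*.acme.com acme.com", so that the wildcard and the bare domain end up in the same certificate as the post recommends.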

By the way: you can use the same procedure to create non-wildcard certificates for just one site/server, although in that case you might also use the "HTTP-01" challenge mechanism, which works without access to your DNS server.


2 Responses to Wildcard Certificates with Let's Encrypt

  1. Alvaro Mendes says:

    I liked the article. I had already tried to implement it and had not found a solution. Thank you!

  2. Thanks, Alvaro. Great that it was helpful for you!


© 2000-2018 Michael Urspringer