Wildcard Let's Encrypt SSL for One-Click LAMP

Introduction

Let's Encrypt is an automated, open certificate authority that offers free TLS/SSL certificates for the public's benefit. The service is provided by the Internet Security Research Group (ISRG). This tutorial describes how to install a wildcard Let's Encrypt SSL certificate using certbot and lego on the Vultr One-Click LAMP app using Vultr DNS.

After completing this tutorial, the website will have a valid wildcard certificate, and the web server will redirect all HTTP requests to HTTPS. The lego method is preferred because certbot does not support automatic updates with Vultr DNS.

Prerequisite Steps

Make sure you have all of the following items complete before proceeding with this tutorial.

1. Deploy a new Vultr One-Click LAMP app (Ubuntu 18.04).

   

2. Add a domain to Vultr DNS. This tutorial will use the domain example.com and IP address 192.0.2.123. At a minimum, assuming your server is named www, your DNS will look like this:

   

3. Enable your Vultr API key.

4. Allow the IP address of your server in the API access control.

   

5. SSH to your server as root.

6. Update the server, following the Vultr best practices guide.

Install Wildcard SSL with Lego

The lego installation method allows for automatic updates. Choose this method if you plan to update your certificate before it expires each 90 days automatically.

1. Install lego.

The lego version in the Ubuntu 18.04 repository is old and does not support the DNS challenge method required for wildcard DNS.

1. Install the latest release from GitHub.

   Manually download from here:

        https://github.com/go-acme/lego/releases  

   Or, automatically download the latest:

        # curl -Ls https://api.github.com/repos/go-acme/lego/releases/latest | \
            grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | \
            wget -i -

2. Extract lego.

    # tar xf lego_v*_linux_amd64.tar.gz

3. Move lego to /usr/local/sbin.

    # mv lego /usr/local/sbin/

4. Verify lego is on your path and the correct version.

    # lego -v
    lego version 3.7.0 linux/amd64

2. Get a new certificate.

1. Retrieve your API Key from https://my.vultr.com/settings/#settingsapi

2. Create the get-cert.sh script in /usr/local/sbin.

    # nano /usr/local/sbin/get-cert.sh

3. Paste the contents below into get-cert.sh.

   • Replace the example API key with your key.

   • Replace the example email with your address.

   • Replace example.com with your domain. The domain is listed twice, once for the bare domain, and once for the wildcard. If you are not using the bare domain URL (https://example.com), you can omit that value and only request the wildcard.

        #!/bin/sh
     
        export VULTR_API_KEY=xxxx_EXAMPLE_API_KEY_xxxx
     
        export VULTR_HTTP_TIMEOUT=60
        export VULTR_POLLING_INTERVAL=60
        export VULTR_PROPAGATION_TIMEOUT=300
        export VULTR_TTL=300
     
        lego --dns vultr \
           --domains *.example.com \
           --domains example.com \
           --email admin@example.com \
           --path="/etc/letsencrypt/example.com" \
           --accept-tos run

4. Make the script executable.

    # chmod +x /usr/local/sbin/get-cert.sh

5. Run the script.

    # /usr/local/sbin/get-cert.sh

6. Verify the certificates were issued.

    # ls -l /etc/letsencrypt/example.com/certificates/
    total 16
    -rw------- 1 root root 3307 May 20 14:15 _.example.com.crt
    -rw------- 1 root root 1648 May 20 14:15 _.example.com.issuer.crt
    -rw------- 1 root root  230 May 20 14:15 _.example.com.json
    -rw------- 1 root root  288 May 20 14:15 _.example.com.key

3. Install SSL Certificate for Apache

1. Archive the existing Apache certificate.

    # mv /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.crt.old
    # mv /etc/apache2/ssl/server.key /etc/apache2/ssl/server.key.old

2. Link the Apache certificate to the Let's Encrypt certificate.

    # ln -s /etc/letsencrypt/example.com/certificates/_.example.com.crt /etc/apache2/ssl/server.crt
    # ln -s /etc/letsencrypt/example.com/certificates/_.example.com.key /etc/apache2/ssl/server.key

3. Restart Apache.

    # service apache2 restart

4. Navigate to your website in a browser and verify that the certificate is correct and issued to the wildcard domain name.

   

Set up automatic certificate renewal

1. Retrieve your API Key from https://my.vultr.com/settings/#settingsapi

2. Create the renew-cert.sh script in /usr/local/sbin.

    # nano /usr/local/sbin/renew-cert.sh

3. Paste the contents below into renew-cert.sh.

   • Replace the example API key with your own.

   • Replace the example email address and domain names with your own.

        #!/bin/sh
     
        export VULTR_API_KEY=xxxx_EXAMPLE_API_KEY_xxxx
     
        export VULTR_HTTP_TIMEOUT=60
        export VULTR_POLLING_INTERVAL=60
        export VULTR_PROPAGATION_TIMEOUT=300
        export VULTR_TTL=300
     
        lego --dns vultr \
           --domains *.example.com \
           --domains example.com \
           --email admin@example.com \
           --path="/etc/letsencrypt/example.com" \
           --accept-tos renew

4. Make the script executable.

    # chmod +x /usr/local/sbin/renew-cert.sh

5. Edit the crontab.

    # crontab -e

6. Add the following line to crontab. Adjust the schedule as needed. The following example will run at 04:05 a.m. each Monday.

    5 4 * * 1 /usr/local/sbin/renew-cert.sh 2> /dev/null

Summary

You have completed wildcard SSL installation using lego. Your server will automatically check the certificate each Monday and renew the certificate before it expires.

Install Wildcard SSL with Certbot

The certbot procedure is manual. Automatic renewal with certbot is not possible with Vultr DNS. If you want to renew automatically, the Lego method is preferred.

1. Install certbot

Install certbot with apt.

# apt update && apt install certbot -y

2. Request Wildcard Certificate

Run certbot with the certonly and --manual options. Replace example.com with your domain. The domain is listed twice, once for the bare domain, and once for the wildcard. If you are not using the bare domain URL (https://example.com), you can omit that value and only request the wildcard.

# certbot certonly --manual \
     -d *.example.com \
     -d example.com \
     -m admin@example.com \
     --preferred-challenges dns --agree-tos \
     --no-eff-email --manual-public-ip-logging-ok

The certbot wizard will print instructions to add a TXT record to your domain's DNS. For example:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

The certbot wizard will pause at this point. Do not press Enter until you've completed the DNS steps below.

Use a web browser to:

• Navigate to your DNS provider.
• Add the TXT record shown by certbot to your domain's DNS.

Test that the TXT record is propagated properly. Popular ways to test the TXT record include dig and the dnschecker.org website. Replace example.com with your name in these examples:

• To test with dig, open another terminal window and lookup the domain record, replacing example.com with your domain. Verify that the value returned is correct.

    # dig +short TXT _acme-challenge.example.com
    "U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914"

• To use dnschecker.org, navigate to the URL, replacing example.com with your domain. Verify that the value returned is correct.

    https://dnschecker.org/#TXT/_acme-challenge.example.com

  

In the propagation test, when you see the correct TXT record, return to the certbot wizard and press Enter to continue. If the certificate challenge succeeds, certbot will report the location of the new certificate files.

...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem

3. Install Certificate for Apache

Archive the existing Apache certificate.

# mv /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.crt.old
# mv /etc/apache2/ssl/server.key /etc/apache2/ssl/server.key.old

Link the Let's Encrypt certificate where Apache expects to find it.

# ln -s /etc/letsencrypt/live/example.com/fullchain.pem /etc/apache2/ssl/server.crt
# ln -s /etc/letsencrypt/live/example.com/privkey.pem /etc/apache2/ssl/server.key

Restart Apache.

# service apache2 restart

Using a web browser, navigate to your website, and verify the certificate is correct.

Summary

You have completed wildcard SSL installation using certbot. You will need to renew the certificate before it expires manually.