Simplifying TLS/SSL subdomain certificates using wildcards

2020-04-09

(last time edited: 2021-04-29)

tags: linux, security

I found it extremely annoying to have to expand a certificate, or in extreme cases create a new one, every time I wanted to add a subdomain on my server. I came across a solution that simplifies this task: the DNS challenge.

Certbot

Certbot is a free, open source software tool written in Python for automatically using Let's Encrypt certificates on manually administered websites to enable HTTPS. Certbot is made by the Electronic Frontier Foundation (EFF), a 501(c)3 nonprofit based in San Francisco, CA, that defends digital privacy, free speech, and innovation.

First of all, stop the NGINX server; otherwise Certbot won't be able to verify your domains under certain challenges.

The easiest solution is to choose DNS challenges rather than HTTP challenges, and add the DNS TXT records through your DNS host's web interface.

Run Certbot with this command.

# certbot certonly --manual --preferred-challenges dns --cert-name mycert -d YOURDOMAIN.COM -d "*.YOURDOMAIN.COM"

Follow the instructions.

Saving debug log to /path/to/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for your_domain.com
dns-01 challenge for *.your_domain.com

NOTE: The IP of this machine will be publicly logged as having requested this certificate.
If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: Yes

Please deploy a DNS TXT record under the name
_acme-challenge.your_domain.com with the following value:
d0192jsoainas09cjas09asodmasd_dsad129d0j

Before continuing, verify the record is deployed.

Press Enter to Continue

Make sure the DNS management for your domain is set up similar to this configuration (the apex A record has an empty NAME, and the TXT record holds the value Certbot printed):

TYPE    NAME               DATA                                  TTL
A                          yourserverip                          300
CNAME   *                  yourdomain.com                        300
TXT     _acme-challenge    "d89021dnmIOasmdasd920d2_12d1902j"    300

If everything went well, that's all you have to do. There is also http-01, another challenge type that proves your ownership of the domain besides the plain dns-01 challenge; both are encouraged. Keep in mind that wildcard names such as *.yourdomain.com can only be validated with dns-01.
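The "verify the record is deployed" step is the one people rush: if you press Enter before the TXT record is visible, the dns-01 challenge fails and you have to start over. The following helper is an added example, not part of the original post; it polls the _acme-challenge record with dig until the value Certbot printed appears. DIG_CMD, txt_values, wait_for_txt and the timeout defaults are my own names and assumptions.

```sh
#!/bin/sh
# Added example: poll the _acme-challenge TXT record until the value Certbot asked for is visible.
# DIG_CMD is an assumption of this script; point it at your provider's authoritative nameserver
# (e.g. "dig +short @NS_OF_YOUR_PROVIDER") so a cached negative answer from your local
# resolver does not hide a freshly created record.
: "${DIG_CMD:=dig +short}"

# Print every TXT string published under $1, one per line, with the quotes stripped.
txt_values() {
    $DIG_CMD TXT "$1" | tr -d '"'
}

# wait_for_txt NAME EXPECTED [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 once EXPECTED is one of the TXT values (exact whole-line match, so the two
# records Certbot asks for when you request both the apex and *.domain can coexist),
# or 1 if TIMEOUT_SECONDS elapse first.
wait_for_txt() {
    name="$1"; expected="$2"; timeout="${3:-300}"; interval="${4:-10}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if txt_values "$name" | grep -qxF -- "$expected"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Usage: ./wait-txt.sh _acme-challenge.yourdomain.com VALUE_FROM_CERTBOT
if [ "$#" -ge 2 ]; then
    if wait_for_txt "$@"; then
        echo "record visible, safe to press Enter in Certbot"
    else
        echo "record not visible after timeout" >&2
        exit 1
    fi
fi
```

Run it in a second terminal while Certbot waits; only press Enter once it reports the record as visible.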

Renewing certificates

Simple as it gets.

# certbot renew

Notice! Don't use the command certbot certonly to renew a certificate.

Deleting certificates

# certbot delete

Lego

Lego is a Let's Encrypt (ACME) client written in Go. It is more flexible than Certbot and easier to automate.

Lego comes with built-in support for many DNS providers. I use Vultr, and they explain in this [guide] how Lego communicates with them via their API.

An example script that makes DNS challenges work with Vultr is very simple:

#!/bin/sh

# API key created in your Vultr account settings; keep this file readable by root only.
export VULTR_API_KEY=apigoeshere

# Timeouts (seconds) for API calls, polling and waiting for DNS propagation, plus the TXT TTL.
export VULTR_HTTP_TIMEOUT=60
export VULTR_POLLING_INTERVAL=60
export VULTR_PROPAGATION_TIMEOUT=300
export VULTR_TTL=300

# The wildcard is quoted so the shell does not try to glob it.
lego --dns vultr \
    -d "*.yourdomain.com" \
    -d yourdomain.com \
    -m admin@yourdomain.com \
    --path /etc/letsencrypt/yourdomain.com \
    --accept-tos run

Save that script and run it as root on your server. Make sure to replace the e-mail, path, domains and the API key that you have activated in your server settings.

Execute the script.

Check if everything worked fine. You should see new certs in the path you specified.

# ls -l /etc/letsencrypt/yourdomain.com/certificates

-rw------- 1 root root 3173 Apr 29 06:37 _.yourdomain.com.crt
-rw------- 1 root root 1587 Apr 29 06:37 _.yourdomain.com.issuer.crt
-rw------- 1 root root  235 Apr 29 06:37 _.yourdomain.com.json
-rw------- 1 root root  227 Apr 29 06:37 _.yourdomain.com.key

The procedure to add the certificates to your NGINX server blocks is the same as always.

server {
    listen 443 ssl;
    # The wildcard does not cover the apex, so list both names.
    server_name yourdomain.com *.yourdomain.com;
    # Lego names the wildcard files _.yourdomain.com.*
    ssl_certificate /etc/letsencrypt/yourdomain.com/certificates/_.yourdomain.com.crt;
    ssl_certificate_key /etc/letsencrypt/yourdomain.com/certificates/_.yourdomain.com.key;
    location / {
        ...
        ...
    }
}

I truly recommend using Lego over Certbot.