Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
posted in category Systems Software / Certificates
posted at 07. Dec '20
last updated at 11. May '21

Howto Generate a Wildcard Certificate for a Domain

See also the HOWTO for a Let’s Encrypt certificate with explicitly listed subdomains.

The webroot authenticator does not work for a wildcard name: it uses the http-01 challenge, and Let’s Encrypt issues wildcard certificates only through the dns-01 challenge. So this fails:

# BAD
certbot --installer=apache --authenticator webroot -w /home/myrtana_sk/current/public -d myrtana.sk,*.myrtana.sk

The process with the manual authenticator and the dns-01 challenge looks like this (certbot asks for one TXT record per name, i.e. one for myrtana.sk and one for *.myrtana.sk, both under the same _acme-challenge.myrtana.sk name):

root@starz:~# certbot certonly --manual -d 'myrtana.sk,*.myrtana.sk' --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/myrtana.sk-0001.conf)

It contains these names: myrtana.sk

You requested these names for the new certificate: myrtana.sk, *.myrtana.sk.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for myrtana.sk
dns-01 challenge for myrtana.sk

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.myrtana.sk with the following value:

YvPjnpkXXdEe64iXVj5vJx1g4dN4WZ2KHfRWu0xxlSA

Add the challenge as a TXT record to the zone. The two CAA records are not required for the challenge; they only restrict which CA may issue for the zone. If you do publish CAA, it must allow letsencrypt.org, and an issue tag with no issuewild tag also covers the wildcard name (RFC 8659):

@   IN  CAA 0 issue "letsencrypt.org"
*.myrtana.sk. IN  CAA 0 issue "letsencrypt.org"
_acme-challenge.myrtana.sk. IN  TXT "YvPjnpkXXdEe64iXVj5vJx1g4dN4WZ2KHfRWu0xxlSA"

Then bump the SOA serial of the zone (otherwise secondaries keep serving the old zone) and reload BIND:

/etc/init.d/bind9 reload

Check that the authoritative name server, and ideally a public resolver, already answers with the new TXT record, then press Enter. Let’s Encrypt looks the record up from outside, and the challenge fails if it is not visible yet.

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.myrtana.sk with the following value:

Y1XkLWXTTYJy_EYcWxNu3VFI2v2SI7fN92PX56TEaaA

Add the second challenge as another TXT record with the same name. Keep the first one: one value validates the apex name and the other the wildcard, and both are looked up at _acme-challenge.myrtana.sk:

@   IN  CAA 0 issue "letsencrypt.org"
*.myrtana.sk. IN  CAA 0 issue "letsencrypt.org"
_acme-challenge.myrtana.sk. IN  TXT "YvPjnpkXXdEe64iXVj5vJx1g4dN4WZ2KHfRWu0xxlSA"
_acme-challenge.myrtana.sk. IN  TXT "Y1XkLWXTTYJy_EYcWxNu3VFI2v2SI7fN92PX56TEaaA"

Then bump the serial and reload again:

/etc/init.d/bind9 reload

Press Enter once both TXT values are served.

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/myrtana.sk-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/myrtana.sk-0001/privkey.pem
   Your cert will expire on 2021-01-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If everything went well, you should see this. Automatic renewal is not possible with the plain --manual authenticator, because somebody has to publish two fresh TXT records every time; certbot renew runs non-interactively and refuses the manual plugin without an auth hook. It could be scripted with expect, but the supported way is to give certbot --manual-auth-hook and --manual-cleanup-hook scripts that edit the zone themselves, or to use one of the certbot-dns-* plugins if your DNS provider has an API.
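The two manual TXT steps above, turned into a hook script for a BIND primary, as an added example that is not part of the original post. certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook and calls it once per dns-01 challenge, so for myrtana.sk plus *.myrtana.sk it runs twice and the second record must be appended, not written over the first. The zone file path (ZONEFILE), the hook file name, the use of rndc instead of the init script, and the layout of the SOA serial (on its own line followed by "; serial") are assumptions of this example; the zone in the demo is constructed, not the real myrtana.sk zone.

```shell
#!/bin/sh
# Added example, not from the original post: one script used both as
# certbot --manual-auth-hook (argument "auth") and --manual-cleanup-hook
# (argument "cleanup") for a zone served by a local BIND primary.
# Assumptions: ZONEFILE path, SOA serial on its own line ending in "; serial",
# zone name == domain name, and rndc being available for reloads.
set -eu

ZONEFILE="${ZONEFILE:-/etc/bind/zones/db.myrtana.sk}"   # assumed path

# Append one _acme-challenge TXT record; earlier records with the same name
# stay in place, which is exactly what the second challenge needs.
add_txt_record() {
    zonefile="$1"; domain="$2"; value="$3"
    printf '_acme-challenge.%s. IN TXT "%s"\n' "$domain" "$value" >> "$zonefile"
}

# Drop every _acme-challenge TXT record for the domain (cleanup hook).
remove_txt_records() {
    zonefile="$1"; domain="$2"
    grep -vF "_acme-challenge.$domain. IN TXT " "$zonefile" > "$zonefile.tmp" || true
    mv "$zonefile.tmp" "$zonefile"
}

# Increment the SOA serial; without this, secondaries never transfer the
# change and a validation that hits a secondary fails.
bump_serial() {
    zonefile="$1"
    awk '/; *serial/ { sub(/[0-9]+/, $1 + 1) } { print }' "$zonefile" > "$zonefile.tmp"
    mv "$zonefile.tmp" "$zonefile"
}

# Print the current serial (used for checks).
current_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Poll a name server until it serves the TXT value, so certbot is not told to
# continue before the record is really deployed. Needs dig and network access.
wait_for_txt() {
    name="$1"; value="$2"; server="${3:-127.0.0.1}"; tries="${4:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" "@$server" | grep -qF "\"$value\""; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "TXT $name not visible on $server after $tries tries" >&2
    return 1
}

# Hook entry point. The certbot log in the post shows "dns-01 challenge for
# myrtana.sk" twice, i.e. CERTBOT_DOMAIN is the bare name even for the
# wildcard; the leading "*." is stripped anyway, defensively.
main() {
    domain="${CERTBOT_DOMAIN#\*.}"
    case "$1" in
        auth)
            add_txt_record "$ZONEFILE" "$domain" "$CERTBOT_VALIDATION"
            bump_serial "$ZONEFILE"
            rndc reload "$domain"     # the post uses /etc/init.d/bind9 reload
            wait_for_txt "_acme-challenge.$domain" "$CERTBOT_VALIDATION"
            ;;
        cleanup)
            remove_txt_records "$ZONEFILE" "$domain"
            bump_serial "$ZONEFILE"
            rndc reload "$domain"
            ;;
        *)
            echo "usage: $0 auth|cleanup (run by certbot)" >&2; return 2 ;;
    esac
}

# Offline demonstration on a constructed zone file (no certbot, BIND or dig).
demo() {
    zf=$(mktemp)
    printf '%s\n' '$TTL 3600' \
        '@ IN SOA ns1.myrtana.sk. hostmaster.myrtana.sk. (' \
        '        2020120701 ; serial' \
        '        3600 900 604800 300 )' \
        '@ IN NS ns1.myrtana.sk.' > "$zf"
    add_txt_record "$zf" myrtana.sk YvPjnpkXXdEe64iXVj5vJx1g4dN4WZ2KHfRWu0xxlSA
    add_txt_record "$zf" myrtana.sk Y1XkLWXTTYJy_EYcWxNu3VFI2v2SI7fN92PX56TEaaA
    bump_serial "$zf"
    cat "$zf"            # two TXT records with the same name, serial 2020120702
    rm -f "$zf"
}

if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main "${1:-}"
else
    demo
fi
```

Saved as, say, /usr/local/sbin/acme-bind-hook.sh (an assumed name), it is wired in with: certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/usr/local/sbin/acme-bind-hook.sh auth" --manual-cleanup-hook "/usr/local/sbin/acme-bind-hook.sh cleanup" -d 'myrtana.sk,*.myrtana.sk'. certbot stores the hook commands in the renewal configuration under /etc/letsencrypt/renewal/, so a plain certbot renew (for example from the cron job or systemd timer that the certbot package installs) then renews the wildcard certificate without anyone typing TXT records. The hook runs as root, like certbot itself, so keep it minimal and readable only by root.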

That’s all.
