## General
This tutorial was tested on Ubuntu Server 20.04 with Cloudflare for DNS management.
## Prerequisites
- Make sure you have generated a Cloudflare API Token scoped to the specific zone, with DNS read & write permission (a scoped token, not the account's global API key).
## Create cloudflare.ini
```bash
nano /root/cf/cloudflare.ini
```
```ini
# Cloudflare API credentials
#dns_cloudflare_email = yourCFEmail@email.com
dns_cloudflare_api_token = yourCFAPITOKEN
```
Restrict the file so only root can read the token; certbot warns about unsafe permissions on the credentials file otherwise:
```bash
sudo chmod 600 /root/cf/cloudflare.ini
```
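A check for the credentials file, added here as an example and not part of the original tutorial. It verifies what the steps above set up: the file is mode 600, it uses a scoped `dns_cloudflare_api_token` rather than the account's global API key (`dns_cloudflare_email` + `dns_cloudflare_api_key`), and the placeholder value has been replaced. `run_demo()` writes constructed sample files into a temporary directory; the key names are the ones the certbot-dns-cloudflare plugin reads.

```python
import os
import stat
import tempfile

# Keys read by the certbot-dns-cloudflare plugin. The token form is scoped to
# one zone; the email + global API key form grants full account access.
TOKEN_KEY = "dns_cloudflare_api_token"
GLOBAL_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")
PLACEHOLDER = "yourCFAPITOKEN"  # value from the tutorial's template


def check_cloudflare_credentials(path):
    """Return a list of findings for the credentials file (empty = looks fine)."""
    findings = []

    # Permission check: anything readable by group/other leaks the token.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:o} is group/world accessible; expected 600")

    # Parse the sectionless key = value format; '#' lines are comments, so the
    # commented-out email line in the template does not count.
    keys = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()

    if TOKEN_KEY not in keys:
        findings.append(f"missing {TOKEN_KEY}")
    elif keys[TOKEN_KEY] in ("", PLACEHOLDER):
        findings.append(f"{TOKEN_KEY} is empty or still the placeholder")

    for key in GLOBAL_KEYS:
        if key in keys:
            findings.append(
                f"{key} is set: the global API key has full account access, "
                "use a zone-scoped token instead"
            )
    return findings


def run_demo():
    """Write constructed sample files to a temp dir; return {scenario: findings}."""
    token_line = "dns_cloudflare_api_token = " + "x" * 40 + "\n"
    cases = {
        "good": (token_line, 0o600),
        "world_readable": (token_line, 0o644),
        "global_key": ("dns_cloudflare_email = a@b.tld\n"
                       "dns_cloudflare_api_key = k\n", 0o600),
        "placeholder": ("# Cloudflare API credentials\n"
                        f"dns_cloudflare_api_token = {PLACEHOLDER}\n", 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in cases.items():
            path = os.path.join(tmp, name + ".ini")
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)  # chmod after creation so umask does not matter
            results[name] = check_cloudflare_credentials(path)
    return results


if __name__ == "__main__":
    for scenario, findings in run_demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

Point it at the real file with `check_cloudflare_credentials("/root/cf/cloudflare.ini")` before the first `certbot` run; an empty list means the file matches the setup above.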
## Install Certbot
```bash
sudo apt install python3-virtualenv
python3 -m virtualenv certbot-env
source certbot-env/bin/activate
pip install certbot certbot-dns-cloudflare
pip install --upgrade cloudflare
```
## Fix error `X509_V_FLAG_CB_ISSUER_CHECK`
This `AttributeError` comes from a pyOpenSSL build that does not match the installed `cryptography` version.
```bash
# Remove the apt-installed pyOpenSSL (python3-openssl) and replace it with the
# pip version so pyOpenSSL and cryptography match again.
sudo rm -rf /usr/lib/python3/dist-packages/OpenSSL
sudo pip3 install pyopenssl
sudo pip3 install pyopenssl --upgrade
# Inside the virtualenv: upgrade certbot, pip and then every installed package.
pip install --upgrade certbot
pip install --upgrade pip
pip freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip install -U
# Then remove and reinstall the apt certbot package.
sudo apt remove certbot
sudo apt autoremove
sudo apt install certbot
```
## Generate wildcard certificate
```bash
# --manual and --dns-cloudflare are both authenticators and certbot refuses
# to take both, so only the Cloudflare plugin is given. Quote the name so the
# shell does not glob the '*'. The wildcard does not cover the apex; add
# -d domain.com as well if domain.com itself must be on the certificate.
certbot certonly --preferred-challenges=dns --dns-cloudflare \
  --dns-cloudflare-credentials /root/cf/cloudflare.ini \
  -d '*.domain.com'
```
### Without Cloudflare (manual DNS challenge)
```bash
# Let's Encrypt accepts a single wildcard as the leftmost label only
# (*.domain.com or *.lab1.domain.com); *.*.domain.com is rejected.
sudo certbot certonly --manual --preferred-challenges=dns \
  --email email@domain.com \
  --server https://acme-v02.api.letsencrypt.org/directory --agree-tos \
  -d '*.domain.com'
```
## Notes
If you don't use Cloudflare for DNS management, look for the certbot DNS plugin package for your provider (`certbot-dns-<provider>`); the wildcard DNS challenge is the same, only the authenticator plugin differs.
## Additional: dynamic Nginx server block
If you have a wildcard certificate, you can use a dynamic Nginx server block (a regex `server_name`). This fits apps behind a Kubernetes Nginx Ingress: one Ingress IP, with the Ingresses differing only by host name.
```nginx
server {
    listen 80;
    # exactly one label in front of lab1.domain.com; [\w-] also accepts
    # hyphens, which \w alone would not
    server_name ~^([\w-]+)\.lab1\.domain\.com$;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ~^([\w-]+)\.lab1\.domain\.com$;
    # wildcard certificate issued above
    ssl_certificate     /root/cert/fullchain.pem;
    ssl_certificate_key /root/cert/privkey.pem;

    location / {
        # Kubernetes Ingress IP; the forwarded Host header selects the Ingress rule
        proxy_pass https://172.20.3.20;
        proxy_set_header Host $host;
        # if the Ingress picks its certificate by SNI, also add:
        # proxy_ssl_server_name on;
    }
}
```
- These Nginx blocks dynamically expose any server name matching `*.lab1.domain.com` and proxy it to `172.20.3.20`, so when you create an Ingress with a new sub-domain under `*.lab1.domain.com` on `172.20.3.20`, it is automatically exposed publicly.
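The reason the manual command must not request `*.*.domain.com`, and the reason the regex `server_name` and the wildcard certificate line up, is one rule: a `*` in a certificate name stands for exactly one DNS label. The Python below is added here as an example and is not from the original page. It encodes that rule, rejects `-d` values the way Let's Encrypt would (simplified: one `*`, leftmost, whole label), and reports for a constructed list of hostnames whether the Nginx regex would route each host and whether a certificate for `*.lab1.domain.com` plus `lab1.domain.com` would cover it. The regex here accepts hyphens (`[\w-]+`); if your `server_name` still uses `\w+`, hyphenated hosts are not routed.

```python
import re

# Python equivalent of the nginx server_name regex: exactly one label in
# front of lab1.domain.com. [\w-] also admits hyphenated hostnames.
NGINX_SERVER_NAME = re.compile(r"^([\w-]+)\.lab1\.domain\.com$", re.IGNORECASE)


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def validate_cert_name(name):
    """Return why a -d value would be refused, or None if acceptable.

    Simplified Let's Encrypt wildcard rules: at most one '*', it must be the
    whole leftmost label, and at least two labels must follow it.
    """
    labels = _labels(name)
    if "" in labels:
        return "empty label"
    star_positions = [i for i, lab in enumerate(labels) if "*" in lab]
    if len(star_positions) > 1:
        return "more than one wildcard label"
    if star_positions:
        if star_positions[0] != 0:
            return "wildcard must be the leftmost label"
        if labels[0] != "*":
            return "wildcard must be the entire label"
        if len(labels) < 3:
            return "wildcard needs at least two labels after it"
    return None


def wildcard_matches(cert_name, host):
    """True if a certificate name (possibly '*.x.y') covers host.

    '*' stands for exactly one label, so *.lab1.domain.com covers neither
    a.b.lab1.domain.com nor lab1.domain.com itself.
    """
    cert_labels, host_labels = _labels(cert_name), _labels(host)
    if len(cert_labels) != len(host_labels):
        return False
    for i, (cl, hl) in enumerate(zip(cert_labels, host_labels)):
        if cl == "*" and i == 0:
            continue
        if cl != hl:
            return False
    return True


def coverage_report(cert_names, hosts):
    """Map host -> (routed by the nginx regex, covered by one of cert_names).

    (True, False) would mean nginx serves the host with a certificate that
    does not cover it, which browsers reject.
    """
    report = {}
    for host in hosts:
        routed = NGINX_SERVER_NAME.match(host) is not None
        covered = any(wildcard_matches(n, host) for n in cert_names)
        report[host] = (routed, covered)
    return report


# Constructed sample input: the names passed with -d, and hostnames that new
# Ingress rules under lab1.domain.com might use.
CERT_NAMES = ["*.lab1.domain.com", "lab1.domain.com"]
SAMPLE_HOSTS = [
    "app.lab1.domain.com",
    "my-app.lab1.domain.com",
    "a.b.lab1.domain.com",
    "lab1.domain.com",
    "app.lab2.domain.com",
]

if __name__ == "__main__":
    for requested in ["*.lab1.domain.com", "*.*.domain.com", "app.*.domain.com"]:
        print(f"{requested}: {validate_cert_name(requested) or 'ok'}")
    for host, (routed, covered) in coverage_report(CERT_NAMES, SAMPLE_HOSTS).items():
        print(f"{host:26} routed={routed!s:5} covered={covered}")
```

`lab1.domain.com` shows the apex case: the regex does not route it and only the explicit second `-d` name covers it, so requesting the wildcard alone would leave the parent name without a certificate.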