Installation and Usage of Certbot on CentOS to Obtain a Let’s Encrypt Wildcard TLS/SSL Certificate.

centos-wildcard-certbot.md

Requesting a Wildcard Certificate with Certbot on CentOS

To request a Let's Encrypt wildcard certificate there are the following prerequisites:

• The client must support ACME v2 (i.e Certbot >= 0.22.0)
• The DNS-01 challenge type must be used.
• The --server option or configuration directive must be changed to the appropriate v2 endpoint.

Installation

Install certbot-auto

# mkdir -p /opt/{bin,certbot/bin} \
  && curl -sS \
    -o /opt/certbot/bin/certbot-auto \
    https://dl.eff.org/certbot-auto \
  && chmod 711 /opt/certbot/bin/certbot-auto \
  && ln -sf \
    /opt/certbot/bin/certbot-auto \
    /opt/bin/certbot-auto

Add /opt/bin to PATH

# cat > /etc/profile.d/add-opt-bin-path.sh <<-EOT
	#!/usr/bin/env bash

	pathmunge /opt/bin

EOT

Source the profile

# source /etc/profile

Install certbot

# certbot-auto -nq

Usage

This method is useful if generating certificates on a server other than the target host.

Note: This will make a request to the staging server, when ready to request from the live, (rate limited), service you should change to the production server endpoint: https://acme-v02.api.letsencrypt.org/directory.

Note: The --server option conflicts with both --test-cert and --staging options but warnings are restricted to the --staging option with the error: --server value conflicts with --staging.

# certbot-auto certonly \
  --server https://acme-staging-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --preferred-challenges dns \
  --domains *.example.com \
  --email webmaster@example.com \
  --manual \
  --manual-public-ip-logging-ok \
  --no-eff-email \
  --text

Apache installation

Link Live Certificates to Apache Certificate File Paths

Either update the VirtualHost paths for SSLCertificateChainFile, SSLCertificateKeyFile and SSLCertificateFile to /etc/letsencrypt/live/www.example.com/chain.pem, /etc/letsencrypt/live/www.example.com/privkey.pem and /etc/letsencrypt/live/www.example.com/fullchain.pem directly or create symbolic links from the existing paths to the Let's Encrypt live certificate files.

The SSLCertificateChainFile shouldn't be necessary when using the full chain in the SSLCertificateFile but without this SSL fails after renewal with an error "This server’s certificate chain is incomplete".

# mkdir -p \
    /var/www/ssl/www.example.com \
  && ln -sf \
    /etc/letsencrypt/live/www.example.com/chain.pem \
    /var/www/ssl/www.example.com/chain.pem \
  && ln -sf \
    /etc/letsencrypt/live/www.example.com/privkey.pem \
    /var/www/ssl/www.example.com/privkey.pem \
  && ln -sf \
    /etc/letsencrypt/live/www.example.com/fullchain.pem \
    /var/www/ssl/www.example.com/fullchain.pem

Reload Apache

# apachectl graceful

Renewing certificates

The renew sub-command can be run periodically, (twice a day is recommended), via cron or a systemd timer.

# certbot-auto renew \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --manual-auth-hook true \
  --quiet \
  --no-self-upgrade \
  --post-hook "apachectl graceful"

Example crontab entry

The following example will run the renew sub-command at 05:27 and 21:27 daily.

27 5,21 * * * /opt/bin/certbot-auto renew --server https://acme-v02.api.letsencrypt.org/directory --manual-auth-hook true --quiet --no-self-upgrade --post-hook "apachectl graceful" >> /var/log/certbot.log 2>&1

References

• https://certbot.eff.org/docs/using.html#user-guide
• https://github.com/certbot/certbot
• https://letsencrypt.org
• https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605
• https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
• https://community.letsencrypt.org/t/certbot-the-currently-selected-acme-ca-endpoint-does-not-support-issuing-wildcard-certificates/55667