This documents how I've set up wildcard SSL support for my private websites (because once things are done, I tend to forget the details).
I host these websites at Uberspace and the respective domains are registered at inwx. I'm not affiliated with these companies but have been a happy customer of theirs for years and recommend both of them as nerd-friendly, reliable professionals.
So the techniques shown are configured for my personal use case but can probably be ported easily to other environments.
Let's Encrypt wildcard certificates can only be obtained via the DNS-01 challenge: the client proves control over the domain by publishing a temporary TXT record at _acme-challenge.<DOMAIN>, so the ACME client needs API access to the DNS provider.
acme.sh is a pure shell ACME client supporting v2 of the protocol, which Let's Encrypt requires for wildcard certificates. It installs its own renewal cronjob and has built-in support for the APIs of a lot of DNS providers and registrars.
acme.sh installs to ~/.acme.sh/ and doesn't need root privileges. Perfect for being installed on your uberspace (as with any curl-into-shell install: download and read the script first if you don't want to trust get.acme.sh blindly):
# install acme.sh
curl https://get.acme.sh | sh
Edit ~/.acme.sh/account.conf to add your DNS API credentials as described in the DNS provider docs (for inwx these are INWX_User and INWX_Password). The file now contains your registrar password, so make sure it is readable only by you (mode 600).
Certificates are created using acme.sh --issue with the following options:
--dns <NAME> selects the DNS provider module (for inwx: dns_inwx) that publishes the challenge TXT record
--domain "<DOMAIN>" --domain "*.<DOMAIN>" requests one certificate covering the bare domain and all its direct subdomains (a wildcard only covers one label, not sub.sub.<DOMAIN>)
--post-hook "<COMMAND>" runs a custom command after every successful issue or renewal, e.g. to install the certificate
Once a certificate has been issued, the cronjob installed by acme.sh renews it automatically before it expires and runs the post-hook again, so the renewed certificate gets installed as well.
For convenient usage, create a small shell script, so you can easily add more domains using the same options:
#!/bin/bash
set -eu

# usage: acme.sh-add-domain <DOMAIN>
DOMAIN="${1:?usage: $0 <DOMAIN>}"
CERTDIR="$HOME/.acme.sh/$DOMAIN"

# DNS-01 challenge via the inwx API; --dnssleep waits 30 seconds for the
# TXT record to propagate before Let's Encrypt is asked to validate it.
"$HOME/.acme.sh/acme.sh" --issue \
    --dns dns_inwx \
    --domain "$DOMAIN" \
    --domain "*.$DOMAIN" \
    --dnssleep 30 \
    --post-hook "uberspace-add-certificate -k $CERTDIR/$DOMAIN.key -c $CERTDIR/$DOMAIN.cer"
Usage: acme.sh-add-domain <DOMAIN>
Example: acme.sh-add-domain "my-domain.com"
This creates a certificate for the given domain plus its wildcard, installs it via the post-hook right after issuance and renews it automatically when it is about to expire. Note that newer acme.sh versions default to ECC keys and then store the files in ~/.acme.sh/<DOMAIN>_ecc/ instead; either adjust the paths in the post-hook or pass --keylength 2048 to keep the RSA paths used above.
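One thing the script above takes on trust is its argument: $DOMAIN is interpolated into the --post-hook string, and acme.sh hands that string to a shell, so a value like 'my-domain.com; rm -rf ~' would be executed as a command. The following is an added example (not code from the original post or from acme.sh) of a guard to put in front of the acme.sh call: a POSIX sh check that only accepts plain ASCII hostnames, plus a helper that builds the post-hook command with quoted paths. Function names and the exact hostname rules are this example's own choice.

```shell
#!/bin/sh
# Added example: validate the DOMAIN argument before it is interpolated into
# the --post-hook string that acme.sh passes to a shell.
# LC_ALL=C makes the character ranges below mean plain ASCII.
LC_ALL=C; export LC_ALL

# valid_domain NAME
# Returns 0 if NAME is a syntactically valid DNS name suitable for use in a
# shell string: only letters, digits, hyphens and dots; at least two labels;
# no empty label; labels of 1-63 characters that neither start nor end with
# a hyphen; at most 253 characters overall. Anything else (spaces, ';',
# '$(...)', '*', leading/trailing dots, ...) returns 1.
valid_domain() {
    d=$1
    [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
    case "$d" in
        *[!A-Za-z0-9.-]*) return 1 ;;   # character outside the allowed set
        .*|*.|*..*)       return 1 ;;   # empty label
        *.*)              ;;            # has at least one dot: continue
        *)                return 1 ;;   # single label, not a registrable name
    esac
    # split on dots (safe: the character check above ruled out glob chars)
    old_ifs=$IFS; IFS=.
    set -- $d
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case "$label" in -*|*-) return 1 ;; esac
    done
    return 0
}

# post_hook_cmd NAME
# Prints the uberspace-add-certificate command for a validated NAME, with the
# key and certificate paths under ~/.acme.sh/NAME/ double-quoted so that a
# HOME containing spaces still works. Returns 1 (prints nothing) when NAME
# fails valid_domain.
post_hook_cmd() {
    pd=$1
    valid_domain "$pd" || return 1
    pdir="$HOME/.acme.sh/$pd"
    printf 'uberspace-add-certificate -k "%s" -c "%s"\n' \
        "$pdir/$pd.key" "$pdir/$pd.cer"
}

# Demonstration with constructed inputs (not the author's real domains).
for candidate in "my-domain.com" "xn--mnchen-3ya.de" \
                 "my-domain.com; rm -rf ~" '$(id).com' "-bad.com" "*.my-domain.com"; do
    if valid_domain "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```

In the add-domain script this would be used as `valid_domain "$DOMAIN" || exit 1` before calling acme.sh, and `--post-hook "$(post_hook_cmd "$DOMAIN")"` instead of the hand-built string. The check is deliberately stricter than what DNS allows (no underscores, no IDN except in punycode form) because the goal is a safe shell argument, not full hostname validation.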