talyguryn/wildcard-ssl-certificate.md

## wildcard-ssl-certificate.md

      
    Raw
  

              wildcard-ssl-certificate.md
            
          
    How to get and install a wildcard SSL certificate

In this guide you can find how to resolve the following issues.

request a new certificate
set up Nginx to enable your certificate
check SSL configuration rating on your HTTPS site
renew a certificate

Feel free to ask any questions in the comments section below.
Request a new certificate

Get certbot

Go to any directory and clone repo with sources.
cd ~
git clone https://github.com/certbot/certbot
Directory certbot will be created.
Request a certificate

Put a domain name into a variable.
DOMAIN=example.com
Go to certbot's directory
cd certbot
Request a certificate for your domains. You don't need to edit this command
./certbot-auto certonly --manual -d *.$DOMAIN -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email --rsa-key-size 4096
You will see a block with value for a new DNS record.
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

qqiR_lsa2AjMfoVR16mH4UDbOxy_E02l0K1CNyz1RdI

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Open a DNS panel for you domain name and add a new TXT record. Then go back to the terminal and press Enter. You will be asked to add another one record.
Vscale Panel for example:

Before pressing Enter the second time you can check if records were deployed. Open a new terminal window and run the following command.
host -t txt _acme-challenge.example.com
You will see a response from the DNS with your values.
_acme-challenge.example.com descriptive text "qqiR_lsa2AjMfoVR16mH4UDbOxy_E02l0K1CNyz1RdI"
_acme-challenge.example.com descriptive text "oMmMa-fDLlebdUhvhMD5MinJ2EeFpdP0F9lUPTShh4w"
If these records are correct then press Enter and see the result of issuing.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-06-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Congratulations. You have got a new wildcard certificate for your domain (example.com) and its second-level subdomains (*.example.com).
Set up Nginx

Now we need to add a new snippet with ssl-params.
Go to snippets directory and create a new one.
cd /etc/nginx/snippets
nano ssl.conf
Add the following lines, save and exit the editor (Ctrl+X, Y, Enter).
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;

ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Then you have to create a directory for certificates snippets.
mkdir certs
cd certs
Create a new file that will hold certificate's params.
nano example.com
Add paths to the wildcard certificate.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
Usage

Now you have to include params in site's config.
Separated http and https servers

server {
    # Listen default port for http
    listen 80;

    # Server name for this config
    server_name example.com;

    # Force redirect to https
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    # Listen https connections
    listen 443 ssl;

    # Server name for this config
    server_name example.com;

    # Include common ssl params
    include snippets/ssl.conf;   

    # Include certificate params
    include snippets/certs/example.com;

    # Your custom nginx params for the site
    # This case returns page with a plain text
    add_header Content-Type text/plain;
    return 200 "Hello, World!";
}
Single server config for a site

server {
    # Listen default port for http
    listen 80;

    # Listen https connections
    listen 443 ssl;

    # Server name for this config
    server_name example.com;

    # Include common ssl params
    include snippets/ssl.conf;   

    # Include certificate params
    include snippets/certs/example.com;

    # Force redirect to https
    if ($scheme != "https") {
        return 301 https://$server_name$request_uri;
    }

    # Your custom nginx params for the site
    # This case returns page with a plain text
    add_header Content-Type text/plain;
    return 200 "Hello, World!";
}
Result

This guide can help you get an A+ rating on test by ssllabs.com

Renewing certificate

There are no methods to automate DNS verification, so at time X you can request a new certificate again via step 2. Local certificate will be updated. Do not forget to reload nginx service.