Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to get a wildcard ssl certificate and set up Nginx.

How to get and install a wildcard SSL certificate

In this guide you can find how to resolve the following issues.

Feel free to ask any questions in the comments section below.

Request a new certificate

Get certbot

Go to any directory and clone repo with sources.

cd ~
git clone https://github.com/certbot/certbot

Directory certbot will be created.

Request a certificate

Put a domain name into a variable.

DOMAIN=example.com

Go to certbot's directory

cd certbot

Request a certificate for your domains. You don't need to edit this command

./certbot-auto certonly --manual -d *.$DOMAIN -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email --rsa-key-size 4096

You will see a block with value for a new DNS record.

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

qqiR_lsa2AjMfoVR16mH4UDbOxy_E02l0K1CNyz1RdI

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Open a DNS panel for you domain name and add a new TXT record. Then go back to the terminal and press Enter. You will be asked to add another one record.

Vscale Panel for example:

Before pressing Enter the second time you can check if records were deployed. Open a new terminal window and run the following command.

host -t txt _acme-challenge.example.com

You will see a response from the DNS with your values.

_acme-challenge.example.com descriptive text "qqiR_lsa2AjMfoVR16mH4UDbOxy_E02l0K1CNyz1RdI"
_acme-challenge.example.com descriptive text "oMmMa-fDLlebdUhvhMD5MinJ2EeFpdP0F9lUPTShh4w"

If these records are correct then press Enter and see the result of issuing.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-06-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congratulations. You have got a new wildcard certificate for your domain (example.com) and its second-level subdomains (*.example.com).

Set up Nginx

Now we need to add a new snippet with ssl-params.

Go to snippets directory and create a new one.

cd /etc/nginx/snippets
nano ssl.conf

Add the following lines, save and exit the editor (Ctrl+X, Y, Enter).

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;

ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Then you have to create a directory for certificates snippets.

mkdir certs
cd certs

Create a new file that will hold certificate's params.

nano example.com

Add paths to the wildcard certificate.

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

Usage

Now you have to include params in site's config.

Separated http and https servers

server {
    # Listen default port for http
    listen 80;

    # Server name for this config
    server_name example.com;

    # Force redirect to https
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    # Listen https connections
    listen 443 ssl;

    # Server name for this config
    server_name example.com;

    # Include common ssl params
    include snippets/ssl.conf;   

    # Include certificate params
    include snippets/certs/example.com;

    # Your custom nginx params for the site
    # This case returns page with a plain text
    add_header Content-Type text/plain;
    return 200 "Hello, World!";
}

Single server config for a site

server {
    # Listen default port for http
    listen 80;

    # Listen https connections
    listen 443 ssl;

    # Server name for this config
    server_name example.com;

    # Include common ssl params
    include snippets/ssl.conf;   

    # Include certificate params
    include snippets/certs/example.com;

    # Force redirect to https
    if ($scheme != "https") {
        return 301 https://$server_name$request_uri;
    }

    # Your custom nginx params for the site
    # This case returns page with a plain text
    add_header Content-Type text/plain;
    return 200 "Hello, World!";
}

Result

This guide can help you get an A+ rating on test by ssllabs.com

Renewing certificate

There are no methods to automate DNS verification, so at time X you can request a new certificate again via step 2. Local certificate will be updated. Do not forget to reload nginx service.

@tihoho
Copy link

tihoho commented Sep 2, 2018

thanks. it's work and without problems for me.

@hardy4yooz
Copy link

hardy4yooz commented Sep 3, 2018

@talyguryn
it works!
it’s due to firewall restrictions.
thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment