I am trying to make certbot generate a wildcard certificate, but i am confused about what kind of DNS plugin should i be using and why?
There are quite several listed in here:
https://certbot.eff.org/docs/using.html#dns-plugins
Related
I have my main site "domain.com" and a subdomain "apps.domain.com" (with different directories for each site)
I generated a LE wildcard certificate with cerbot but i cant figure out how to use it...
Im trying to get ssl on the domain and subdomain. (im using debian and apache)
I know im supposed to make a ssl config file for the 443 port then another one for port 80. Also i dont understand why apache doesnt read all configuration files (had to put 000 at the start of the file)
I also have several questions, when certificate is installed will the certbot auto renewals still work ? how do i tell apache to auto redirect to https ?
My Node.Js Bitnami Lightsail instance had its frontend code at /opt/apache/htdocs and http://example.com was working perfectly pointing to that directory (my backend located under opt/projects).
After executing Certbot LetsEncrypt my domain is now pointing to a different folder /var/www/html
Please advise on:
In certbot instruction page I choose Apache for "My HTTP website is running", there wasn't a Bitnami option, was that the right call?
Is this the right configuration and just move my code to html folder?
Does my backend code has to move too? if so where?
Any other well-known issues that I might face?
Cheers.
Bitnami Engineer here,
We do not have any guide to configure certbot and Bitnami, but we have a guide that helps you configure the Let's Encrypt SSL certificate using lego. We have a tool that configures everything so you do not need to worry about editing the Apache's conf files or setting the renew process.
sudo /opt/bitnami/bncert-tool
You can learn more about it here.
In case you want to manually create a SSL certificate, you can also run the lego tool directly
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
You will later need to configure the Apache's conf files to use that new certificate file. You can learn more about it here
Note: If you used certbot and it modified the Apache's configuration, you will need to undo those changes to use the proper folder. You will need to review the /opt/bitnami/apache2/conf/httpd.conf, /opt/bitnami/apache2/conf/bitnami/bitnami.conf and /opt/bitnami/apache2/conf/vhosts/* files
I have been trying to achieve wildcard SSL for my app where I need HTTPS for all the dynamic subdomain and I have been trying almost all the tuts found on the internet and almost all way is either giving redirect loop or not working. I am trying this for almost 2 days now and have totally no idea how to go forward. I tried it using certbot doing acme-challenge, DNS Cloudflare plugins but nothing worked for me. Please guide me.
Let's Encrypt supports wildcard SSL certificate only via DNS-01 challenge.
Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.
If you use dehydrated, I can recommend cfhookbash, which is a hook for dehydrated.
./dehydrated -c -d *.example.com -t dns-01 -k '${PATH_WHERE_YOU_CLONED_CFHOOKBASH}/cfhookbash/hook.sh'
In my little virtual-hosts config with nginx I encountered a new problem.
I tried to setup a "webmail" subdomain for every one of my virtual hosts using a server_name wildcard
server_name ~^(webmail\.)?(?<domain>.+)$;
as all my domains have their own ssl-certificate I would like to use the right one for the webmail-subdomains too. The certificates are configured as wildcard-certs as in *.domain1.com etc.
So webmail.domain1.com should use the cert for *.domain1.com whereas webmail.domain2.net should use the *.domain2.net cert.
I tried the following as a first guess but could not start nginx because it does not accept the variable in the path:
ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
Is there a way to achieve this configuration with a single config-file covering all webmail.* subdomains?
Yes, but not the way you are hoping...
The problem you have is that nginx needs to terminate the SSL before it can read the stream content to get the Host header to set the server_name to decide which certificate and key are needed to terminate the SSL. That's why variables and maps will never work, because they can't yet exist at the point when nginx needs to read the certificate.
(I believe there are Lua functions in OpenResty that deal with certificate handling, but I think this is more about certificate life-cycles rather than choosing one on-the-fly per request which is what you want.)
The way to achieve this is to script your conf generation, using perl, python, bash, whatever you're comfortable with. Describe a common server block template that only needs to be given the domain name, and generate a copy of that for each domain. They can be all in one file, or included from separate files, whatever works for you.
Tip: If you name a conf file with a dot prefix, like .server-tpl.conf, then it will be ignored by the usual include conf.d/*.conf. That way, you can keep this template together with your other conf files, but only the populated copy(s) will be loaded.
I have an attractive message indicating me that it is unfortunately not possible to generate a certificate for multiple subdomains:
Wildcard domains are not supported: *.mynewsiteweb.com
On the other hand it would be possible to generate it one by one for each subdomain.
Is there a better solution? Thank you :)
Edit
Now Certbot supports the Wildcard since 0.22.0 version (2018-03-07)
Links
Automatic script: https://certbot.eff.org
Documentation: https://certbot.eff.org/docs
Thanks
Certbot ❤
Jahid
Ozzy Tashtepe
trojan
Jay Riley
Prior to support for wildcards I found it necessary to explicitly list each domain on a certificate in the form
… -d example.com -d www.example.com -d blog.example.com -d www.blog.example.com …
(which due to complexities in the odd mix of redirected domains I'm using worked best with the --webroot authentication).
Thanks to Trojan's explanation and documentation here:
https://certbot.eff.org/docs/install.html?highlight=wildcard
I was able to generate wildcard certs that are live now. Unfortunately there is not a plugin for EasyDNS.com yet, so I had to perform manual validation (Where Trojans example saved the day). With this approach I was able to generate a certificate in the form
… -d *.example.com -d example.com -d *.blog.example.com …
Since (for example's sake) blog.example.com was already covered by the *.example.com wildcard, I only had to add the wildcard for *.blog.example.com. In fact certbot would not allow redundancy (complained if I tried to include both *.example.com and www.example.com).
Currently available plug-ins are listed here:
https://certbot.eff.org/docs/using.html#dns-plugins
As of this writing they include these DNS providers:
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53
Perhaps I'll take a peek over the weekend and see how hard it is to write a plug-in for my own DNS provider.
it is unfortunately not possible to generate a certificate for multiple subdomains
Not true. It is possible to generate a cert for multiple sub-domains. Just include those subdomains in the configuration file by their names:
domains = example.org, www.example.org, sub.example.org, www.sub.example.org
Then run certbot with the configuration file:
certbot-auto -c config.ini
You will have to verify ownership for each domain.
See more about configuration file.
I just went through the process of generating a single Let's Encrypt certificate for multiple subdomains. There were some minor challenges that I encountered and resolved. I posted a short article in the link below explaining the leasons learned I gained when installing Let's Encrypt digital certificates on my Apache web server which provides HTTP and HTTPS access to multiple subdomains.
My most important "lesson learned" is that you need to create a VirtualHost for the HTTP access AND a VirtualHost for each subdomain accessible via HTTPS. IMPORTANT: Each VirtualHost definition must be specified in a single configuration file. The Let's Encrypt certbot will not operate correctly if multiple VirtualHosts are defined within a single configuration file. I defined three (3) VirtualHosts in three (3) different configuration files below. The dummy.conf file serves no functional purpose within Apache (i.e., it will not cause an unnecessary 999 listening port), but it is absolutely necessary for digital certificates to be successfully generated by the Let's Encrypt certbot.
Then you can run the following command to generate the certificate:
certbot certonly -d example.com -d www.example.com
https://www.hueyise.com/index.php/letsencrypt
Wildcard domains are now supported by certbot (from ver. 0.22)
Domain will have to be validated via DNS (you will have to add _acme-challenge.yourdomain.tld TXT record to your DNS entry with random generated value)
Example:
certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d *.example.pl --manual --preferred-challenges dns-01 certonly
Lets Encrypt SSL Wildcard/multiple subdomain support will be available starting from February 27, 2018 officially.
We introduced a public test API endpoint for the ACME v2 protocol and
wildcard support on January 4, 2018. ACME v2 and wildcard support will
be fully available on February 27, 2018
Source: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html