You can support us by downloading this article as PDF from the Link below. Download the guide as PDF

What is SSL Certificate? SSL stands for secure socket layer. It is a standard global technology which ensures data encryption between a web server and a web client, minimizing the risks of websites and web applications being hacked. An SSL certificate installed on a web server ensures this secure connection. An SSL certificate contains a website public key, website identity and any other related information and hosted in the website original server. Any client trying to communicate with the original server needs to reference the file to obtain the website public key and identity.

Let’s Encrypt is a Certificate Authority providing an easy way to acquire and install free SSL/ TLS certificates, enabling encrypted http traffic on web servers. It provides a software client called certbot that make SSL installation easy by having most steps of installation automated. For Apache and Nginx web servers, SSL installation is fully automated. In this guide, we are going to look at how to use Let’s Encrypt Wildcard SSL Certificate with Nginx and Apache on Ubuntu / CentOS.

Install Certbot on Ubuntu | CentOS

To install certbot on Ubuntu and CentOS we are going to run the command as shown below depending on the web server we are using.

For Nginx Web Server

To install Cerbot for Nginx, use the following command:

--- Ubuntu  ---
sudo apt install certbot python3-certbot-nginx

--- CentOS 8 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-nginx nginx

--- CentOS 7 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install certbot python2-certbot-nginx nginx

For Apache Web Server

For Apache web server, run the below command to install certbot.

--- Ubuntu  ---
sudo apt install certbot python3-certbot-apache2

--- CentOS 8 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-apache httpd

--- CentOS 7 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install certbot python2-certbot-apache httpd

Check Nginx and Apache web server configurations

We need to ensure that we have the web server virtual hosts after our preferred web server. The file should contain web server name and alias as shown.

For Apache, check the file as shown:

--- Ubuntu ---
sudo vim /etc/apache2/sites-available/example.com.conf

--- CentOS ---
sudo vim /etc/httpd/conf.d/example.com.conf

You should have your server name and alias name as shown:

ServerName example.com
ServerAlias www.example.com

The same case for Nginx, check the configuration as shown:

sudo vim /etc/nginx/conf.d/example.com.conf

You should have the server name and alias here as well.

server_name  example.com  www.example.com;

How To Issue Let’s Encrypt Wildcard SSL using Certbot

Having confirmed the webserver virtual hosts, it is time to request for Let’s Encrypt wildcard SSL. A wildcard SSL is a type of SSL that covers the main domain and all its subdomains. For example, a wildcard ssl for *.example.com should also protect something.example.com, one.example.com and so on.

Securing Nginx/ Apache with Let’s Encrypt Wildcard SSL

Run the command as shown below to request SSL for *.example.com.

sudo certbot certonly \
  --agree-tos \
  --email [email protected] \
  --manual \
  --preferred-challenges=dns \
  -d *.example.com \
  --server https://acme-v02.api.letsencrypt.org/directory

Below is a description of the various parameters used in the above command:

  • –certonly: The certonly option in our command will make sure that we just want to issue SSL certificate. If you remove the certonly option from the command, Certbot will issue the SSL certificate and it will also update your virtual host file to apply the SSL certificate.
  • –agree-tos: Used to agree Let’s Encrypt terms of service.
  • –email: The email is provided for storing the SSL in Let’s Encrypt account. It will be used in notifying us when the SSL is about to expire.
  • –manual: This brings an interactive way of issuing the SSL where we are prompted for more information.
  • –preferred-challenges: Specifies the method of SSL verification. The domain name has to be verified before issuing SSL. In this case we are slecting DNS
  • -d: Used to specify the domains to issue SSL certificate
  • –server: Used to specify the API endpoint to issue SSL certificate.

Once you execute the command, you will receive a TXT record which you need to add to your DNS server. The records will look as below:

Please deploy a DNS TXT record under the name 
_acme-challenge.example.com with the following value: 

HejzlvXokaKoAq_xnr5LTplWbKYNScVH-ASy1vMYMGE
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue

Add the records to your DNS server for the webserver domain.

Confirm the record is available in your DNS server.

Once you have verified that the record has been deployed, press Enter to obtain the SSL. You should get feedback as below:

IMPORTANT NOTES: 
- Congratulations! Your certificate and chain have been saved at: 
  /etc/letsencrypt/live/example.com/fullchain.pem 
  Your key file has been saved at: 
  /etc/letsencrypt/live/example.com/privkey.pem 
  Your cert will expire on 2020-10-28. To obtain a new or tweaked 
  version of this certificate in the future, simply run certbot 
  again. To non-interactively renew *all* of your certificates, run 
  "certbot renew" 
- If you like Certbot, please consider supporting our work by: 

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
  Donating to EFF:                    https://eff.org/donate-le

Configuring Nginx web server to use Lets Encrypt Wildcard SSL

Now configure Nginx web server to use Lets Encrypt wildcard ssl

We need to edit nginx virtual host configuration file and enable https as below:

sudo vim /etc/nginx/conf.d/example.com.conf

Your content should now appear as below:

server { 
 listen 80; 
 listen [::]:80; 
 server_name *.example.com; 
 return 301 https://$host$request_uri; 
} 

server { 
 listen 443 ssl; 
 server_name *.example.com; 
 ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; 
 ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; 
 include /etc/letsencrypt/options-ssl-nginx.conf; 
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 
 root /var/www/example.com; 
 index index.html; 
 location / { 
   try_files $uri $uri/ =404; 
 } 
}

Let us enable the file through creating a link to sites-enabled where Nginx reads from during startup.

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Now test your Nginx configuration to ensure that all settings are okay.

sudo nginx -t

You should get an output as below if nginx configuration is ok.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 
nginx: configuration file /etc/nginx/nginx.conf test is successful

After that reload Nginx.

sudo systemctl restart nginx

Configuring Apache web server to use Lets Encrypt wildcard SSL

For Apache webserver, repeat the same procedure as for Nginx. The config file edit for Apache is:

sudo vim /etc/apache2/sites-available/api.example.com.conf

Have SSL lines like below.

SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem

When done, reload Apache

sudo systemctl restart apache2

That’s it. Your webserver is now set up to serve wildcard subdomains. You can test SSL from the browswer and you should be able to get Lets Encrypt SSL information as below:

Enjoy developing and check more captivating Linux guides below:

You can support us by downloading this article as PDF from the Link below. Download the guide as PDF