Let’s Encrypt has recently started supporting wildcard certificates through its new ACMEv2 protocol. This means that you can have a single wildcard certificate such as *.asknetsec.com and use it on all the sub-domains beneath it, like blog.asknetsec.com and email.asknetsec.com.

This makes it very easy to manage certificates for different sub-domains. Until now each sub-domain needed its own certificate generated for that specific sub-domain.

Install Certbot

Certbot is not available in the default Ubuntu repository. Run the command below to add the PPA repository.

sudo add-apt-repository ppa:certbot/certbot

This will add the repository from which certbot can be installed. The command describes the PPA and asks for confirmation before importing its signing key:

sudo add-apt-repository ppa:certbot/certbot
 This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
 More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

Update packages

sudo apt update

Run the command below to install certbot

sudo apt install certbot

Make sure that you are using Certbot version 0.22 or above; versions before 0.22 do not support wildcard certificates.
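A quick way to verify that requirement from the command line, added here as an example (it is not part of the original post). It parses the version number that `certbot --version` prints (a line such as "certbot 0.22.0"; older releases print it on stderr, so both streams are captured) and compares it against 0.22:

```shell
# Added example, not from the original post: check that the installed
# certbot is 0.22 or newer, the first release with wildcard (ACMEv2) support.

# Return 0 if the version string MAJOR.MINOR[.PATCH] is >= 0.22, else 1.
certbot_supports_wildcard() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0
        minor = $2 + 0
        if (major > 0 || (major == 0 && minor >= 22)) exit 0
        exit 1
    }'
}

# Pull the version number out of the "certbot X.Y.Z" line
# (empty if certbot is not installed at all).
installed_certbot_version() {
    certbot --version 2>&1 | awk '/^certbot /{print $2; exit}'
}

# Stand-alone use: sh check-certbot.sh --check
if [ "${1:-}" = "--check" ]; then
    ver=$(installed_certbot_version)
    if certbot_supports_wildcard "$ver"; then
        echo "certbot $ver supports wildcard certificates"
    else
        echo "certbot ${ver:-(not found)} is too old; need 0.22 or newer" >&2
        exit 1
    fi
fi
```

The comparison is numeric on the major and minor fields only, so later major releases (1.x, 2.x) pass as well.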

Steps to generate wildcard certificate

Run the command below on the Linux command line. The wildcard is quoted so the shell does not try to expand it as a file glob.

$ sudo certbot certonly --manual -d '*.asknetsec.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Replace *.asknetsec.com with your own domain, for example *.yourdomainname.com. Once you run this command it will print a value that you must publish as a DNS TXT record.

The command output will be similar to the one below:

debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@asknetsec.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asknetsec.com
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.asknetsec.com with the following value:

AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Create a DNS TXT record for the name _acme-challenge.yourdomainname.com with the value generated by certbot when the above command is run. In my case the value was AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs.

You will have to wait some time for the new DNS record to propagate across the internet. I waited for 10 minutes and pressed Enter.
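Rather than guessing at the delay, you can poll DNS for the record and only press Enter once it is visible. The script below is an added example, not part of the original post; it needs `dig` (the dnsutils package on Ubuntu) and queries a public resolver whose address is an assumption you can change. The challenge name and value used in the usage comment are the ones from the certbot output above.

```shell
# Added example, not part of the original post: confirm the _acme-challenge
# TXT record is visible in DNS before pressing Enter at certbot's prompt.

# Return 0 if EXPECTED is one of the TXT strings in DIG_OUTPUT.
# `dig +short` prints each record quoted, one per line, and a name may carry
# several TXT records at once (one per pending challenge), so every line is
# unquoted and compared as a whole, fixed string.
txt_value_present() {
    expected="$1"
    dig_output="$2"
    printf '%s\n' "$dig_output" \
        | sed -e 's/^"//' -e 's/"$//' -e 's/\r$//' \
        | grep -qxF -- "$expected"
}

# Poll DNS until the record shows up or the attempt budget is spent.
# Usage: wait_for_challenge NAME EXPECTED [TRIES] [DELAY_SECONDS] [RESOLVER]
# The default resolver (1.1.1.1) is an assumption; any resolver will do.
wait_for_challenge() {
    name="$1"; expected="$2"
    tries="${3:-30}"; delay="${4:-20}"; resolver="${5:-1.1.1.1}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        records=$(dig +short "@$resolver" TXT "$name" 2>/dev/null)
        if txt_value_present "$expected" "$records"; then
            echo "TXT record for $name is live (after $i retries)"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TXT record for $name still not visible after $tries attempts" >&2
    return 1
}

# Stand-alone use, with the name and value from the certbot prompt above:
#   wait_for_challenge _acme-challenge.asknetsec.com AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs
```

If the check keeps failing long after you added the record, the resolver you are asking may be holding a cached "no such record" answer from an earlier query for up to the zone's negative TTL; querying one of the zone's authoritative servers (`dig +short NS yourdomainname.com` lists them) avoids that cache entirely.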

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/asknetsec.com-0001/privkey.pem
   Your cert will expire on 2018-06-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congratulations!! The wildcard certificate has been generated. You can use it with any sub-domain you create directly under your domain name.
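One check worth running on the result: a wildcard name matches exactly one label, so *.asknetsec.com covers blog.asknetsec.com but neither the bare asknetsec.com nor a.b.asknetsec.com; if you need the apex as well, request it explicitly (`-d asknetsec.com -d '*.asknetsec.com'`). The script below is an added example, not part of the original post or of certbot. It reads the Subject Alternative Names out of the issued certificate with `openssl` (the file path is the one from the certbot output above; change it to yours) and applies that matching rule to any hostnames you pass in.

```shell
# Added example, not part of the original post: list the names a PEM
# certificate covers and check specific hostnames against them. Needs `openssl`.

CERT="${CERT:-/etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem}"

# Print the DNS entries of the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print the certificate's expiry date (the notAfter field).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Return 0 if HOST is matched by one of NAMES (newline separated), using the
# rule clients apply to certificates: an exact name matches itself, and
# "*.example.com" matches exactly one extra label (blog.example.com) but
# neither example.com itself nor a.b.example.com.
name_covers_host() {
    host="$1"
    names="$2"
    printf '%s\n' "$names" | while IFS= read -r n; do
        case "$n" in
            "$host") echo yes; break ;;            # exact match
            '*.'*)
                suffix="${n#\*.}"
                rest="${host%".$suffix"}"         # part left of ".$suffix"
                # rest must differ from host (suffix matched), be non-empty,
                # and contain no dot (exactly one label)
                if [ "$rest" != "$host" ] && [ -n "$rest" ] \
                   && [ "${rest##*.}" = "$rest" ]; then
                    echo yes; break
                fi ;;
        esac
    done | grep -q yes
}

# Stand-alone use: sh check-cert.sh blog.asknetsec.com asknetsec.com
if [ -r "$CERT" ] && [ $# -gt 0 ]; then
    echo "certificate $CERT expires: $(cert_not_after "$CERT")"
    names=$(cert_dns_names "$CERT")
    for h in "$@"; do
        if name_covers_host "$h" "$names"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered"
        fi
    done
fi
```

Because the certificate was issued with the `--manual` plugin, `certbot renew` will stop and ask for a new TXT record each time unless you supply `--manual-auth-hook` (and usually `--manual-cleanup-hook`) scripts that update your DNS provider; without them, plan on repeating the interactive steps above before the expiry date printed by `cert_not_after`.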