Use “Let’s Encrypt Wildcard SSL Certificate” via Nginx and Apache


What is an SSL certificate? SSL stands for Secure Sockets Layer (its modern successor is TLS, but the name SSL is still widely used). It is a standard technology that encrypts data between the web server and the web client, thereby reducing the risk of traffic to websites and web applications being intercepted or tampered with. The SSL certificate installed on the web server makes this secure connection possible. It contains the website’s public key, the website’s identity and other relevant information, and is held on the website’s origin server; any client that communicates with the origin server uses it to obtain the website’s public key and verify its identity.

Let’s Encrypt is a certificate authority that provides an easy way to obtain and install free SSL/TLS certificates, thereby enabling encrypted HTTPS traffic on web servers. It provides a software client called Certbot, which simplifies SSL installation by automating most of the steps; for Apache and Nginx web servers the installation can be fully automated. In this guide, we will study how to use a “Let’s Encrypt Wildcard SSL Certificate” with Nginx and Apache on Ubuntu/CentOS.

Install Certbot on Ubuntu and CentOS

To install certbot on Ubuntu and CentOS, we will run the commands shown below according to the web server used.

For Nginx web server

To install Certbot for Nginx, use the following commands:

--- Ubuntu  ---
sudo apt install certbot python3-certbot-nginx

--- CentOS 8 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-nginx nginx

--- CentOS 7 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install certbot python2-certbot-nginx nginx

For Apache web server

For Apache web server, run the following command to install certbot.

--- Ubuntu  ---
sudo apt install certbot python3-certbot-apache

--- CentOS 8 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-apache httpd

--- CentOS 7 ---
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install certbot python2-certbot-apache httpd

Check Nginx and Apache web server configuration

We need to ensure that a virtual host is configured for the chosen web server. The file should contain the server name and alias as shown below.

For Apache, check the file as follows:

--- Ubuntu ---
sudo vim /etc/apache2/sites-available/example.com.conf

--- CentOS ---
sudo vim /etc/httpd/conf.d/example.com.conf

You should have the server name and alias as shown below:

ServerName example.com
ServerAlias www.example.com

For Nginx the same applies; check the configuration as follows:

sudo vim /etc/nginx/conf.d/example.com.conf

You should also have the server name and alias here.

server_name  example.com  www.example.com;

How to use Certbot to issue Let’s Encrypt Wildcard SSL

After confirming the web server virtual host, it is time to request the Let’s Encrypt wildcard SSL certificate. A wildcard SSL certificate is one that covers the main domain and all its subdomains. For example, the wildcard SSL certificate for *.example.com should also protect something.example.com, one.example.com, etc.

Secure Nginx/Apache with a Let’s Encrypt wildcard SSL certificate

Run the command shown below to request SSL for *.example.com.

sudo certbot certonly \
  --agree-tos \
  --email [email protected] \
  --manual \
  --preferred-challenges=dns \
  -d '*.example.com' \
  --server https://acme-v02.api.letsencrypt.org/directory

The following is a description of the various parameters used in the above command:

  • certonly: ensures that we only want to issue an SSL certificate. If you remove “certonly” from the command, Certbot issues the certificate and also updates your virtual host file to apply it.
  • --agree-tos: agrees to the “Let’s Encrypt Terms of Service”.
  • --email: the email address registered with the Let’s Encrypt account that holds the certificate; it is used to notify us when the certificate is about to expire.
  • --manual: issues the certificate interactively, prompting for the information it needs (here, the DNS record to deploy).
  • --preferred-challenges: specifies the domain validation method. The domain name must be validated before the certificate is issued; in this case we choose DNS.
  • -d: specifies the domain for which the SSL certificate is issued.
  • --server: specifies the ACME API endpoint that issues the SSL certificate.

After executing the command, you will receive the TXT record that needs to be added to the DNS server. The record will look like this:

Please deploy a DNS TXT record under the name 
_acme-challenge.example.com with the following value: 

HejzlvXokaKoAq_xnr5LTplWbKYNScVH-ASy1vMYMGE
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue

Add the TXT record in the DNS zone of the web server’s domain.

Confirm that the record is available in your DNS server.
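Let’s Encrypt looks the record up through public DNS, so pressing Enter before the new TXT record has propagated makes the validation fail. The script below is an added example, not part of the original article: it parses the record name and value out of the prompt shown above (the embedded prompt text is constructed from that output), checks that the value has the 43-character base64url shape a DNS-01 token has, and compares it with the TXT strings a resolver returns. The live lookup assumes `dig` is installed and uses the public resolver 1.1.1.1 as an arbitrary choice; parsing and comparison run offline.

```python
"""Check that the _acme-challenge TXT record certbot asked for is visible.

Added example, not part of the original article. Parses the prompt certbot
prints for the manual DNS-01 challenge and compares the expected value with
the TXT strings a resolver returns. The live lookup shells out to `dig`
(assumed to be installed); the parsing and comparison run offline.
"""
from __future__ import annotations

import re
import subprocess
from typing import Iterable

# Constructed input: the prompt as printed in the article (value taken from there).
CERTBOT_PROMPT = """\
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

HejzlvXokaKoAq_xnr5LTplWbKYNScVH-ASy1vMYMGE
Before continuing, verify the record is deployed.
"""

_PROMPT_RE = re.compile(
    r"under the name\s+(?P<name>[A-Za-z0-9._-]+)\s+with the following value:\s+"
    r"(?P<value>[A-Za-z0-9_-]+)",
    re.S,
)


def parse_challenge(prompt: str) -> tuple[str, str]:
    """Extract (record name, expected value) from certbot's manual prompt."""
    m = _PROMPT_RE.search(prompt)
    if not m:
        raise ValueError("could not find the TXT record name/value in the prompt")
    name, value = m.group("name"), m.group("value")
    # DNS-01 values are the base64url SHA-256 of the key authorization:
    # 43 characters, no padding. Anything else was probably copied wrongly.
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", value):
        raise ValueError(f"unexpected challenge value format: {value!r}")
    return name.rstrip("."), value


def txt_strings(dig_output: str) -> list[str]:
    """Turn `dig +short TXT` output into plain strings.

    dig quotes each string and prints long records as several quoted chunks
    on one line ("abc" "def"); the chunks of one record are concatenated.
    """
    records = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
    return records


def record_deployed(expected: str, observed: Iterable[str]) -> bool:
    """True if exactly the expected token is among the observed TXT values."""
    return expected in set(observed)


def lookup_txt(name: str, resolver: str = "1.1.1.1") -> list[str]:
    """Live lookup with dig against a public resolver (network required).

    Asking a public recursive resolver instead of your own authoritative
    server shows whether the record has actually propagated, which is what
    the Let's Encrypt validation servers will see.
    """
    out = subprocess.run(
        ["dig", "+short", "TXT", name, f"@{resolver}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return txt_strings(out)


if __name__ == "__main__":
    name, value = parse_challenge(CERTBOT_PROMPT)
    print(f"waiting for TXT {name} = {value}")
    try:
        print("deployed" if record_deployed(value, lookup_txt(name)) else "not visible yet")
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"lookup failed: {exc}")
```

Run it (or call `lookup_txt` in a loop with a short sleep) until it prints "deployed", then press Enter in the certbot session. An old token from a previous run sitting in the zone will not pass `record_deployed`, which is exactly the case that otherwise produces a confusing validation failure.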


After the verification record has been deployed, press Enter to obtain the certificate. You should get the following feedback:

IMPORTANT NOTES: 
- Congratulations! Your certificate and chain have been saved at: 
  /etc/letsencrypt/live/example.com/fullchain.pem 
  Your key file has been saved at: 
  /etc/letsencrypt/live/example.com/privkey.pem 
  Your cert will expire on 2020-10-28. To obtain a new or tweaked 
  version of this certificate in the future, simply run certbot 
  again. To non-interactively renew *all* of your certificates, run 
  "certbot renew" 
- If you like Certbot, please consider supporting our work by: 

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
  Donating to EFF:                    https://eff.org/donate-le

Configure Nginx web server to use Lets Encrypt wildcard SSL

Now configure the Nginx web server to use the Let’s Encrypt wildcard certificate. Edit the Nginx virtual host configuration file and enable HTTPS as shown below:

sudo vim /etc/nginx/conf.d/example.com.conf

Your content should now look like this:

server { 
 listen 80; 
 listen [::]:80; 
 server_name *.example.com; 
 return 301 https://$host$request_uri; 
} 

server { 
 listen 443 ssl; 
 server_name *.example.com; 
 ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; 
 ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; 
 include /etc/letsencrypt/options-ssl-nginx.conf; 
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 
 root /var/www/example.com; 
 index index.html; 
 location / { 
   try_files $uri $uri/ =404; 
 } 
}

If your Nginx layout uses sites-available/sites-enabled (as on Ubuntu), enable the file by creating a link to it in sites-enabled, which Nginx reads during startup.

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Now test your Nginx configuration to make sure all settings are OK.

sudo nginx -t

If the Nginx configuration is valid, you should get the following output.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 
nginx: configuration file /etc/nginx/nginx.conf test is successful

After that, restart Nginx so the new configuration takes effect.

sudo systemctl restart nginx

Configure Apache web server to use Lets Encrypt wildcard SSL

For the Apache web server, repeat the same process as for Nginx. Edit the Apache virtual host configuration file:

sudo vim /etc/apache2/sites-available/api.example.com.conf

Add the SSL directives shown below inside the virtual host.

SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem

When finished, restart Apache.

sudo systemctl restart apache2

That’s it. Your web server is now set up to serve wildcard subdomains over HTTPS. You can test SSL from your browser, and you should be able to see the Let’s Encrypt certificate information as shown below:
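The browser check confirms that the certificate is trusted, but it does not show which names the wildcard actually covers. By the matching rule browsers implement (RFC 6125), a `*.example.com` entry matches exactly one label, so `www.example.com` is covered while `example.com` itself and `a.b.example.com` are not; if you serve those names, request them with additional `-d` options. The script below is an added example that is not part of the original article: it applies that matching rule to the dictionary Python’s standard `ssl` module returns for a peer certificate, lists the host names that are not covered, reports the days left until expiry, and can fetch the live certificate from a host given on the command line. The sample certificate dictionary is constructed from the wildcard name and expiry date in the article’s certbot output; it is not a real certificate.

```python
"""Report which host names a served wildcard certificate covers and when it expires.

Added example, not from the original article. The checks operate on the dict
that ssl.SSLSocket.getpeercert() returns, so they can run offline on the
constructed sample below; fetch_cert() performs the live TLS connection.
"""
from __future__ import annotations

import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape getpeercert() returns, using the wildcard
# name and expiry date from the article's certbot output (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notAfter": "Oct 28 00:00:00 2020 GMT",
}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching of one certificate name against a host name.

    The wildcard is only honoured as the entire left-most label and matches
    exactly one label: "*.example.com" covers "www.example.com" but neither
    "example.com" nor "a.b.example.com". Case and a trailing dot are ignored.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # wildcard is not a whole left-most label
    if len(p) < 3:
        return False  # "*.com" would cover an entire TLD; never valid
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def san_names(cert: dict) -> list[str]:
    """DNS names from subjectAltName (browsers ignore the CN these days)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def uncovered(cert: dict, hostnames: list[str]) -> list[str]:
    """Host names that no subjectAltName entry of `cert` matches."""
    names = san_names(cert)
    return [h for h in hostnames if not any(wildcard_matches(n, h) for n in names)]


def days_until_expiry(cert: dict, now: datetime | None = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with SNI and return the validated peer certificate (network needed)."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CAs
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def report(cert: dict, hostnames: list[str]) -> str:
    """Human-readable summary used by the command-line entry point."""
    missing = uncovered(cert, hostnames)
    return "\n".join([
        f"names in certificate: {', '.join(san_names(cert))}",
        f"days until expiry:    {days_until_expiry(cert)}",
        "not covered:          " + (", ".join(missing) if missing else "none"),
    ])


if __name__ == "__main__":
    # Usage: python check_wildcard.py [host] [names to check...]; with no
    # arguments the constructed sample is checked against a few example names.
    if len(sys.argv) > 1:
        cert, hosts = fetch_cert(sys.argv[1]), sys.argv[2:] or [sys.argv[1]]
    else:
        cert, hosts = SAMPLE_CERT, ["www.example.com", "example.com", "a.b.example.com"]
    print(report(cert, hosts))
```

Because `fetch_cert` uses `ssl.create_default_context()`, a server that presents an incomplete chain or a name that does not match fails the handshake, which is the same failure a browser would show; run it against each host name you intend to serve rather than only the one you tested in the browser.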


