Let’s Encrypt Wildcard Certs on Ubuntu

Let’s Encrypt has offered wildcard TLS certificates since March 2018 through its ACMEv2 API, and aMiSTACX ships the Let’s Encrypt client pre-installed: certbot-auto on G3 and G4, certbot on G5.

These steps apply to all aMiSTACX G3/G4/G5 LAMP and LEMP stacks running on Ubuntu 16.04, 18.04 and 20.04.

Recommendation: if your site is proxied through Cloudflare, skip Let’s Encrypt and use a Cloudflare Origin Certificate instead. Origin Certificates can be issued for up to 15 years, so there is no 90-day renewal cycle. The caveat is that an Origin Certificate is trusted only by Cloudflare’s edge, not by browsers, so it only works while all traffic passes through the Cloudflare proxy. A Let’s Encrypt certificate expires after 90 days, and the --manual DNS-01 flow below cannot be renewed by certbot renew on its own: you repeat the steps every three months unless you automate the TXT record with a certbot DNS plugin or a --manual-auth-hook.

From CLI:

Step 1.

sudo certbot certonly --manual -d '*.yourdomain.com' --agree-tos --no-bootstrap --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

and of course you will replace yourdomain.com with the actual name of your domain. The single quotes keep the shell from treating the asterisk as a glob pattern. Note that *.yourdomain.com does not cover the bare yourdomain.com; if you want both on one certificate, add a second -d yourdomain.com. Both names use the same _acme-challenge record name, so certbot will then ask you to create two TXT records with different values.

Note: On an aMiSTACX G5 [Ubuntu 20 LTS] use certbot, NOT certbot-auto. If you run certbot-auto by mistake, it will stop and try to install its own Python dependencies.

Step 2.

Answer Yes when certbot warns that the IP address of this machine will be publicly logged as having requested the certificate. You have no choice if you want to proceed with the manual plugin.

If that bothers you, request the certificate first and attach an AWS Elastic IP to the instance afterwards: the address that gets logged is the one in use at the time of the request.

Step 3.

Certbot (or certbot-auto on G3/G4) will print the DNS record name and the value it expects for verification and then wait for you to press Enter.

Using CloudFlare as an example, create a TXT record with the information you were given: name _acme-challenge.yourdomain.com (in the CloudFlare dashboard you can enter just _acme-challenge), type TXT, content set to the exact token certbot printed, and a short TTL. It will look something like this:

[Screenshot: CloudFlare TXT record for the ACME challenge]

Tip: Highlight the token in the CLI from left to right and right-click to copy it while certbot is still waiting. Certbot will not show the value again once you continue, so copy it before pressing Enter 😉

Before you continue, check from a second shell (with dig or nslookup) that the TXT record is already visible from a public resolver. If you press Enter before the record has propagated, validation fails and you have to start over with a new token. When the record is visible, go back to certbot and press Enter.

Step 4.

certonly only obtains the certificate: it writes the files under /etc/letsencrypt/live/yourdomain.com/ (fullchain.pem and privkey.pem) and does not touch the web server configuration, so point the Apache or NGINX vhost at those two files. If you instead let certbot install the certificate and it asks about HTTPS redirection, select 2 for Apache and 1 for our NGINX stacks. [You can set up HTTPS redirection on CloudFlare or via the host file. See the stack instructions for more details.]

Step 5.

sudo service apache2 restart

or

sudo service nginx restart
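The steps above, wrapped in one script, as an added example that is not part of the original page and not an aMiSTACX script. It runs the same certonly request for the wildcard plus the apex, but replaces the copy-and-paste of the TXT record with certbot’s --manual-auth-hook and --manual-cleanup-hook, which create and delete the _acme-challenge record through the Cloudflare API and wait until a public resolver serves it. Certbot stores the hooks in the renewal configuration, so a later certbot renew works unattended. Assumptions not taken from the page: a Cloudflare API token with DNS:Edit on the zone in CF_API_TOKEN, the zone ID in CF_ZONE_ID (both read from a root-only file, since the renewal timer has no shell environment), and curl, jq and dig installed.

```shell
#!/bin/sh
# Added example (not aMiSTACX code): wildcard + apex certificate via certbot
# DNS-01 with Cloudflare API hooks. Assumes CF_API_TOKEN and CF_ZONE_ID, and
# curl, jq and dig on the box. Usage: ./le-wildcard.sh request yourdomain.com
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Credentials file (assumed path): root-only, chmod 600, containing
#   CF_API_TOKEN=...   CF_ZONE_ID=...
# A file rather than exported variables, because "certbot renew" from the
# systemd timer or cron has no interactive environment.
CF_ENV=${CF_ENV:-/etc/letsencrypt/cloudflare.env}
if [ -r "$CF_ENV" ]; then . "$CF_ENV"; fi

# Drop a single leading "*." label; anything else is returned unchanged.
strip_wildcard() {
    case "$1" in
        '*.'*) printf '%s\n' "${1#??}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Accept a plain hostname or one with a single leading wildcard label, nothing
# else, so an odd argument can never reach the certbot command line.
validate_domain() {
    strip_wildcard "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
}

# DNS-01 record name; yourdomain.com and *.yourdomain.com share the same one.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$(strip_wildcard "$1")"
}

# Body for Cloudflare's "create DNS record" call; a short TTL keeps retries quick.
txt_record_json() {
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}\n' "$1" "$2"
}

# Authenticated call against the Cloudflare v4 API: cf_api METHOD PATH [JSON]
cf_api() {
    if [ -n "${3:-}" ]; then
        curl -fsS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN" \
            -H "Content-Type: application/json" --data "$3"
    else
        curl -fsS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN"
    fi
}

# --manual-auth-hook: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
# Whatever this prints to stdout reaches the cleanup hook as CERTBOT_AUTH_OUTPUT.
auth_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    id=$(cf_api POST "/zones/$CF_ZONE_ID/dns_records" \
            "$(txt_record_json "$name" "$CERTBOT_VALIDATION")" | jq -r '.result.id')
    printf '%s\n' "$id"
    # Certbot asks the CA to check the record the moment this hook exits, so do
    # not return until a public resolver already serves the new token.
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -qF -- "$CERTBOT_VALIDATION"; then
            return 0
        fi
        sleep 5
        i=$((i + 1))
    done
    echo "TXT record $name not visible after 150s" >&2
    return 1
}

# --manual-cleanup-hook: delete the record created for this validation.
cleanup_hook() {
    [ -n "${CERTBOT_AUTH_OUTPUT:-}" ] || return 0
    cf_api DELETE "/zones/$CF_ZONE_ID/dns_records/$CERTBOT_AUTH_OUTPUT" >/dev/null
}

# Request wildcard plus apex: *.yourdomain.com does not cover yourdomain.com.
# The quotes stop the shell from globbing the asterisk.
request_cert() {
    validate_domain "$1" || { echo "refusing odd domain: $1" >&2; return 1; }
    self=$(readlink -f "$0")
    certbot certonly --manual --preferred-challenges dns-01 --agree-tos \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --manual-auth-hook "$self auth" --manual-cleanup-hook "$self cleanup" \
        -d "$1" -d "*.$1"
}

case "${1:-}" in
    request) request_cert "${2:?usage: $0 request yourdomain.com}" ;;
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Run it as root (sudo ./le-wildcard.sh request yourdomain.com), since certbot needs to write under /etc/letsencrypt and the hooks inherit that user. Older certbot releases, such as the 0.40 shipped with Ubuntu 20.04, also want --manual-public-ip-logging-ok on the request so that the unattended renewal is not stopped by the IP-logging prompt; later releases deprecated that flag, so check certbot --help manual for your version before adding it. After a renewal the web server still has to be reloaded; a --deploy-hook on the same certbot command is the usual place for that.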

That is it! How awesome was that?