Category: SSL

  • LetsEncrypt it!

    Hello. Quite a quick turnaround for blog posts from me. This one is going to be helpful for those of us that use wildcard certificates in our environment and found out that our SSL provider changed their policies based on industry standards, but now their certificates cost 200x more than they used to, so we are moving to an open-source and free solution.

    For those of you that don’t know what the previous paragraph means: Google and other major web site providers pushed for all communications on the Internet to be secured. To do this, we use SSL (Secure Socket Layer) certificates. These certificates verify and validate that the site you are on is the real one, and any information that you provide on it will be encrypted and secure. SSL certificates do this encrypting and signing to make sure everything is good. In the past, we used to have to spend $100’s, if not $1000’s (like I did), to have this capability. LetsEncrypt came about to make this free and accessible to everyone. The downside is that the certificates are only valid for 90 days instead of a year, but you get what you pay for.

    I am moving to this model because my SSL vendor, Digicert, changed their model and now I can’t renew certificates without spending another $600 on top of the $5k I’ve already spent. So I am moving to LetsEncrypt.

    LetsEncrypt is an SSL certificate authority that uses a software package called certbot, which can automatically create and install certificates that systems trust.

    My DNS host provider, however, is not one of their partners. They do allow me to edit records on the fly, which is important, since that is how LetsEncrypt verifies that you own the domain; it won’t generate a certificate if you don’t. This means that I can’t automate the deployment or the generation, and I have to run the following command to update my certificates every 90 days. Some of my systems can be automated, like the one that runs my web server. However, I do have some systems, like my Virtual Center server or my email server, that use a wildcard or a single certificate to cover multiple servers. This blog will discuss how to do this, mainly so that in 90 days I can remember how to do it.

    So, on to how to do this.

    First, install certbot on a machine. Since I’m a Linux person, and I used Ubuntu, I installed this on my local machine:

    sudo apt update
    sudo apt install letsencrypt

    This installs the base LetsEncrypt software with no plugins (on current Ubuntu the letsencrypt package is just a transitional package that pulls in certbot, which is why the commands below call certbot). Since my DNS provider does not have a plugin, I have to do this manually.

    I also had to add the wildcard, or “*”, to my domain to prove I owned the domain, so I logged in to my DNS provider and created an “A” record that pointed to my web server with the *.lucaswilliams.net name. This will allow me to use this certificate on any of my servers inside my lucaswilliams.net domain. Very useful for VMware virtual servers, email, and other servers that need HTTPS and SSL certificates.

    Once I created the wildcard domain entry in my DNS record, I then went to the terminal on my Linux machine and typed the following:

    sudo certbot certonly --manual \
    --preferred-challenges=dns \
    --email user@domain.com \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    -d '*.domain.com'

    For the --server https://acme-v02.api.letsencrypt.org/directory line: you have to use this server to create the certificate, as the ACME v2 endpoint is the only one LetsEncrypt issues wildcard certificates from. The wildcard name is quoted so the shell does not try to expand the “*” as a file glob.

    After hitting Enter to start the process, I was presented with a prompt asking if I wanted to share my information and details about the certificate, to which I replied “N”, but if you want you can.

    The next prompt is the important one. It looks like the following:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name:
    
    _acme-challenge.domain.com.
    
    with the following value:
    
    q12yr1dyFyrh143HHRTe42HH_hf#1d7&ewftgs8H
    
    Before continuing, verify the TXT record has been deployed. Depending on the DNS
    provider, this may take some time, from a few seconds to multiple minutes. You can
    check if it has finished deploying with aid of online tools, such as the Google
    Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.domain.com.
    Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
    value(s) you've just added.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

    I then logged into my DNS provider and created this TXT record, and then hit Enter in the terminal to complete the key generation. LetsEncrypt verified the record and created my certificates in /etc/letsencrypt/live/domain.com. You will need ‘root’ access for the live directory, so I ran sudo -i to change to the root user and access the certificates.
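The prompt above tells you to verify the TXT record before pressing Enter, because certbot only gets one shot at the challenge once you continue. A quick way to do that from the same terminal is to poll a public resolver until the exact value certbot printed shows up. The script below is an added example, not part of the original post or of certbot; it assumes dig is installed (the dnsutils package on Ubuntu), and the record name, token and resolver are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or certbot): confirm that the
# _acme-challenge TXT record really carries the value certbot asked for before
# pressing Enter. Assumes dig is installed (dnsutils on Ubuntu); record name,
# token and resolver below are placeholders.

# txt_record_has_value NAME EXPECTED DIG_OUTPUT
# Pure text check on the output of `dig ... TXT`: succeeds only if an answer
# line for NAME is a TXT record whose quoted value is exactly EXPECTED.
# Comment lines (starting with ';'), such as the QUESTION section, are
# ignored, so the query itself can never be mistaken for an answer.
txt_record_has_value() {
    name=$1; expected=$2; output=$3
    printf '%s\n' "$output" \
        | grep -v '^;' \
        | grep -F "$name" \
        | grep -w 'TXT' \
        | grep -Fq "\"$expected\""
}

# wait_for_txt NAME EXPECTED [RESOLVER] [TRIES]
# Asks a public resolver (not the local cache, which may still hold an old
# answer) every 10 seconds until the record is visible or TRIES is exhausted.
wait_for_txt() {
    name=$1; expected=$2; resolver=${3:-1.1.1.1}; tries=${4:-30}
    i=1
    while [ "$i" -le "$tries" ]; do
        out=$(dig "@$resolver" "$name" TXT +noall +answer 2>/dev/null || true)
        if txt_record_has_value "$name" "$expected" "$out"; then
            echo "TXT record visible at $resolver after $i attempt(s); safe to press Enter"
            return 0
        fi
        echo "attempt $i/$tries: expected value not visible yet, waiting 10s" >&2
        i=$((i + 1))
        sleep 10
    done
    echo "gave up: check the record name (_acme-challenge.<domain>) and value" >&2
    return 1
}

# Constructed sample of what `dig +noall +answer` returns once the record is
# live, with an older value still present from a previous renewal (extra
# values are harmless; only the new one has to be present).
SAMPLE_DIG_OUTPUT='_acme-challenge.domain.com.  60  IN  TXT  "OLD-TOKEN-FROM-LAST-TIME"
_acme-challenge.domain.com.  60  IN  TXT  "NEW-TOKEN-PRINTED-BY-CERTBOT"'

# Usage: sh check_txt.sh --wait _acme-challenge.domain.com 'TOKEN-FROM-CERTBOT'
if [ "${1:-}" = "--wait" ] && [ $# -eq 3 ]; then
    wait_for_txt "$2" "$3"
fi
```

Querying a public resolver rather than the machine's own cache matters on renewal: the local cache may still answer with the TXT value from 90 days ago, which is exactly the case the exact-match check is there to catch.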

    I then copied the privkey.pem and fullchain.pem files to my servers and renamed them to whatever the system understands as the private key file and the certificate file.
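Copying and renaming the two files is the step that gets repeated every 90 days, and it is also where a private key tends to end up world-readable. The script below is an added example, not part of the original post or of certbot: it installs privkey.pem and fullchain.pem under the names a service expects, keeps the key at mode 0600, keeps a backup of the previous pair, and reports whether the installed certificate is within 30 days of expiry. All paths and file names are placeholders, and it expects to be run as root (sudo -i) against the real /etc/letsencrypt/live directory.

```shell
#!/bin/sh
# Added example (not from the original post or certbot): install the renewed
# privkey.pem and fullchain.pem from certbot's live directory into a server's
# config directory under the names that service expects, keep the private key
# readable only by its owner, and tell whether the installed certificate is
# close enough to its 90-day expiry to need the manual dance again.
# All paths and file names are placeholders; run as root (sudo -i) for the
# real /etc/letsencrypt/live directory.

# install_cert LIVE_DIR DEST_DIR KEY_NAME CERT_NAME
install_cert() {
    live=$1; dest=$2; keyname=$3; certname=$4
    if [ ! -r "$live/privkey.pem" ] || [ ! -r "$live/fullchain.pem" ]; then
        echo "privkey.pem or fullchain.pem not readable in $live (need root?)" >&2
        return 1
    fi
    mkdir -p "$dest"
    # Keep one backup of the previous pair so a bad renewal can be rolled back.
    for f in "$keyname" "$certname"; do
        if [ -f "$dest/$f" ]; then cp -p "$dest/$f" "$dest/$f.bak"; fi
    done
    # Write the key into a temp file created under a strict umask, then rename
    # it into place, so it is never world-readable, not even for an instant.
    (umask 077 && cp "$live/privkey.pem" "$dest/.$keyname.tmp") || return 1
    chmod 600 "$dest/.$keyname.tmp"
    mv -f "$dest/.$keyname.tmp" "$dest/$keyname"
    # The chain is public; 0644 lets the service read it from any account.
    cp "$live/fullchain.pem" "$dest/.$certname.tmp" || return 1
    chmod 644 "$dest/.$certname.tmp"
    mv -f "$dest/.$certname.tmp" "$dest/$certname"
}

# needs_renewal CERT_FILE [DAYS]
# Succeeds (exit 0) if CERT_FILE expires within DAYS (default 30, the window
# certbot itself renews in). An unreadable or malformed file also counts as
# "renew", which is the safe direction for a scheduled check.
needs_renewal() {
    cert=$1; days=${2:-30}
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage (placeholder paths):
#   sh install_cert.sh /etc/letsencrypt/live/domain.com /etc/myservice/ssl server.key server.crt
if [ $# -eq 4 ]; then
    install_cert "$1" "$2" "$3" "$4" || exit 1
    if needs_renewal "$2/$4"; then
        echo "warning: $2/$4 expires within 30 days" >&2
    else
        echo "installed $2/$4; more than 30 days of validity left"
    fi
fi
```

The needs_renewal check is what turns "remember to do this in 90 days" into something a cron job can nag about: run it against each server's installed certificate and have it mail you when it starts succeeding, which with a 90-day LetsEncrypt certificate is roughly two months after the last manual run.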

    The biggest takeaway from this is that LetsEncrypt will let us create certificates for our systems for free; however, they are only valid for 90 days, which means that we have to do this every 3 months. Some systems can be fully automated if their names don’t change or the certificate is used only for validation and verification of the site and name, but for more complex certificates, like email verification and signature signing, this manual process is the way to go.

    If any of you know of a better way of doing this, please let me know and I’ll share it and give you credit for the improvement!