Installing a Wildcard SSL with Certbot

Using LetsEncrypt for wildcard SSL certs on my personal blog - yup, right here!

Installing Lets Encrypt's Certbot CLI

First, I had to remove the old version of certbot installed on my Digital Ocean server.

$ apt-get remove certbot

Then follow these steps to install the latest version of certbot-auto:

$ wget https://dl.eff.org/certbot-auto
$ mv certbot-auto /usr/bin
$ chmod a+x /usr/bin/certbot-auto

Installing the Wildcard Certificate

The seemingly straightforward command threw an error for me:

$ certbot-auto -d *.michaelborn.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates

Luckily, some quick Googling turned up this answer from Daniel on a community post:

You need to add --server https://acme-v02.api.letsencrypt.org/directory to your Certbot command to tell it to use the ACME v2 API that supports Wildcard certificates.

And that, of course, resulted in yet another error:

$ certbot-auto -d *.michaelborn.me --server https://acme-v02.api.letsencrypt.org/directory
...
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

No matter what authenticator plugin I used, I couldn't get this to work automatically, so I eventually used the --manual flag to ask the certbot to walk me through manually certifying the domain via a TXT record in the DNS.

$ certbot-auto -d *.michaelborn.me --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual --installer apache

Finally, my last big mistake was forgetting to include my root domain name in the certificate! So I could run my blog under www.michaelborn.me, but not under just michaelborn.me without recertifying. I decided to recertify and replace the old certificate with the new one.

$ certbot-auto -d *.michaelborn.me -d michaelborn.me ...

Finally!

May 17, 2018

« Firefox Bug: Flexbox Elements Won't Wrap to Next Page in Print - My Largest Solo Project »