Installing a Wildcard SSL with Certbot
Using LetsEncrypt for wildcard SSL certs on my personal blog - yup, right here!
Installing Lets Encrypt's Certbot CLI
First, I had to remove the old version of certbot installed on my Digital Ocean server.
$ apt-get remove certbot
Then follow these steps to install the latest version of certbot-auto:
$ wget https://dl.eff.org/certbot-auto
$ mv certbot-auto /usr/bin
$ chmod a+x /usr/bin/certbot-auto
Installing the Wildcard Certificate
The seemingly straightforward command threw an error for me:
$ certbot-auto -d *.michaelborn.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates
Luckily, some quick Googling turned up this answer from Daniel on a community post:
You need to add --server https://acme-v02.api.letsencrypt.org/directory to your Certbot command to tell it to use the ACME v2 API that supports Wildcard certificates.
And that, of course, resulted in yet another error:
$ certbot-auto -d *.michaelborn.me --server https://acme-v02.api.letsencrypt.org/directory
...
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
No matter what authenticator plugin I used, I couldn't get this to work automatically, so I eventually used the --manual flag to ask certbot to walk me through certifying the domain by hand via a TXT record in the DNS.
$ certbot-auto -d *.michaelborn.me --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual --installer apache
Finally, my last big mistake was forgetting to include my root domain name in the certificate: a wildcard for *.michaelborn.me does not cover the bare michaelborn.me. So I could run my blog under www.michaelborn.me, but not under just michaelborn.me, without recertifying. I decided to recertify and replace the old certificate with the new one.
$ certbot-auto -d *.michaelborn.me -d michaelborn.me ...
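To catch the missing-root-domain mistake before a browser does, here is an added example (not from this post) that checks which of the hostnames you serve are actually covered by a certificate's subjectAltName entries, applying the wildcard rule that tripped me up: "*.example.com" matches exactly one label, so it covers www.example.com but neither example.com nor a.b.example.com. The SAMPLE_PEERCERT dict is constructed to mirror what Python's ssl getpeercert() returns; on a live server you would feed it the real return value instead.

```python
import ssl
import socket
from typing import Iterable, List

# Constructed stand-in for ssl.SSLSocket.getpeercert(); only the key we use.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "*.michaelborn.me"),),),
    "subjectAltName": (("DNS", "*.michaelborn.me"),),
}

def dns_names_from_peercert(cert: dict) -> List[str]:
    """Pull the DNS entries out of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def san_covers(hostname: str, san_name: str) -> bool:
    """True if one subjectAltName DNS entry covers hostname.
    A wildcard is honoured only as the entire leftmost label and absorbs
    exactly one label (RFC 6125 style), so '*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    san = san_name.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                  # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]       # what the '*' has to stand in for
    return left != "" and "." not in left

def missing_names(wanted: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Hostnames from `wanted` that no SAN entry covers; empty list is good."""
    sans = list(sans)
    return [h for h in wanted if not any(san_covers(h, s) for s in sans)]

def fetch_peercert(host: str, port: int = 443) -> dict:
    """Fetch a live server's certificate dict (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    wanted = ["michaelborn.me", "www.michaelborn.me"]
    gaps = missing_names(wanted, dns_names_from_peercert(SAMPLE_PEERCERT))
    print("not covered:", gaps)      # the apex domain is the gap
```

Pass every `-d` name you intend to serve as `wanted`; any name the function returns needs its own `-d` entry when you (re)issue the certificate.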