Configuring a Let's Encrypt wildcard certificate

Keywords: Operations & Maintenance, DNS, Web Server, SSL, OpenSSL

Recently I needed to issue certificates for more than ten of my own secondary domain names. Let's Encrypt provides free SSL certificates with a term of three months; when they expire they need to be renewed. Let's Encrypt also officially provides certbot, a tool for automatic renewal. Here I record how to use Let's Encrypt to obtain a wildcard certificate.

What is Let's Encrypt?

When deploying an HTTPS website, a certificate is required, and certificates are issued by CAs. Most traditional CAs charge for issuing certificates, which does not help promote the use of HTTPS.

Let's Encrypt is also a CA, but a free one: there is no charge for issuing a certificate. Let's Encrypt is a non-profit organization that needs to keep its costs under control, so they did something very creative and designed the ACME protocol.

So why create the ACME protocol? Traditional CAs handle certificate application, renewal and revocation manually. The ACME protocol standardizes the processes of certificate application, renewal and revocation. As long as a client implements the protocol, it can request a certificate from Let's Encrypt through that client; in other words, the Let's Encrypt CA is fully automated.

Anyone can implement a client based on the ACME protocol. The officially recommended client is Certbot.

What is a wildcard certificate

Before wildcard certificates appeared, Let's Encrypt supported two types of certificates:

1) Single-domain certificate: the certificate contains only one host name.

2) SAN certificate: a certificate whose Subject Alternative Name extension lists the host names it covers. A wildcard certificate is similar to the wildcard concept in DNS resolution: the certificate contains a wildcard name (*.example.com). A wildcard certificate issued for the primary domain name can be used on all of its subdomains, such as www.example.com and bbs.example.com.

Requesting a wildcard certificate

Certificate requests to Let's Encrypt are completed through the ACME protocol. ACME standardizes the processes of certificate application, renewal and revocation and makes the operation of the Let's Encrypt CA automatic. It solves the efficiency and cost problems of traditional CAs, which process certificate application, renewal and revocation manually.

ACME v2 is an updated version of the ACME protocol. Wildcard certificates can only be obtained through ACME v2. To request a wildcard certificate with ACME v2, all you need is a client that supports the protocol. The officially recommended client is Certbot.

When a client requests a Let's Encrypt certificate, it has to verify ownership of the domain name, proving that the operator is entitled to request a certificate for that domain. Three verification methods are currently supported:

  • dns-01: add a DNS TXT record under the domain name.
  • http-01: place a resource file at a well-known HTTP URL on the web server corresponding to the domain name.
  • tls-sni-01: place a resource file at a well-known HTTPS URL on the web server corresponding to the domain name.

A wildcard certificate can only be validated with the dns-01 method. Let's start the request.

Get the certbot client

# Download Certbot client
$ wget -c https://dl.eff.org/certbot-auto -P /usr/local/bin/
# Make executable
$ chmod a+x /usr/local/bin/certbot-auto
$ certbot-auto --version
certbot 0.34.2

Note: Certbot 0.22.0 and later support the ACME v2 protocol.

Start requesting the certificate

certbot-auto certonly  -d *.example.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory 
  • certonly: obtain the certificate only, without installing it. Certbot has two kinds of plug-ins: installers and authenticators (verification).
  • -d: the host names to request the certificate for. For a wildcard, enter *.example.com
  • --manual: use the manual plug-in. Certbot has many plug-ins, each of which obtains certificates in its own way; choose according to your needs
  • --preferred-challenges dns: use DNS to verify domain name ownership
  • --server: the Let's Encrypt ACME v2 endpoint differs from the v1 endpoint, so it has to be specified.

After executing the command above, the command line produces the following output. Enter the corresponding content at each prompt:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): fate1028@163.com #Email address for security and renewal notifications

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A #Agree to the Terms of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N #Whether to subscribe to EFF mailings
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y  #Confirm that the IP of this machine may be publicly logged as the requester

After the confirmation above, the next prompt asks you to configure a DNS TXT record to verify domain name ownership, that is, to prove that the certificate applicant controls the domain name.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

OGWxK87UxvB5iMp2tn-tfnB7r_kICS3oSRHyo0ouwzU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue  ## Remember to press Enter only after the record has been verified

The output above asks you to configure a TXT record for _acme-challenge.example.com. Do not press Enter until the TXT record is confirmed to be effective. Log in to your domain name management system to add it; for example, I bought my domain name at Namecheap. Below is the TXT record I configured in DNS resolution.

[Image: the TXT record as configured in the DNS management panel]

Then run the following command to confirm whether the TXT record has taken effect:

$ dig  -t txt  _acme-challenge.example.com @8.8.8.8 

; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20013
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.example.com.   IN  TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 1798 IN    TXT "OGWxK87UxvB5iMp2tn-tfnB7r_kICS3oSRHyo0ouwzU"

;; Query time: 258 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 31 20:33:01 CST 2019
;; MSG SIZE  rcvd: 112
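
Reading the dig answer by eye is where mistakes happen: a stale record from a previous run, or a value that only partially matches, looks fine at a glance but fails the challenge. The following shell snippet is an added example, not code from the original post, that compares the TXT strings returned by a resolver against the exact token certbot printed. The function names and the sample answer text are constructed for the example; in practice the answer text would come from dig +short TXT _acme-challenge.example.com @8.8.8.8.

```shell
#!/bin/sh
# Added example (not from the original post): check that the dns-01 TXT record
# visible to a public resolver carries exactly the token certbot asked for.
# In practice the answer text comes from:
#   dig +short TXT _acme-challenge.example.com @8.8.8.8
# A constructed answer is embedded here so the check runs offline.

# Token shown by certbot in the post's output.
EXPECTED_TOKEN='OGWxK87UxvB5iMp2tn-tfnB7r_kICS3oSRHyo0ouwzU'

# Constructed sample of `dig +short` output: a stale record left over from a
# previous run plus the new one. dig returns each TXT string in double quotes.
SAMPLE_ANSWER='"stale-token-from-a-previous-run"
"OGWxK87UxvB5iMp2tn-tfnB7r_kICS3oSRHyo0ouwzU"'

# txt_has_token TOKEN ANSWER_TEXT
# Returns 0 when one of the TXT strings equals TOKEN exactly (quotes stripped,
# whole-line fixed-string match so partial matches do not count), else 1.
txt_has_token() {
    token=$1
    answer=$2
    printf '%s\n' "$answer" | sed 's/^"//; s/"$//' | grep -qxF -- "$token"
}

# txt_check TOKEN ANSWER_TEXT : prints a verdict and returns the same status.
txt_check() {
    if txt_has_token "$1" "$2"; then
        echo "TXT record present with expected token: safe to press Enter"
        return 0
    fi
    echo "TXT record missing or token differs: do NOT press Enter yet" >&2
    return 1
}

txt_check "$EXPECTED_TOKEN" "$SAMPLE_ANSWER"
```

Run the check against several public resolvers before pressing Enter; Let's Encrypt queries the authoritative servers, so the record has to have propagated from your DNS provider, not merely be cached at one resolver.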

Once the record is confirmed to be effective, press Enter to continue, and the following information is output:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point our certificate has been obtained successfully. The certificate files are saved in the following directory:

$ tree /etc/letsencrypt/live/example.com/
/etc/letsencrypt/live/example.com/
├── cert.pem -> ../../archive/example.com/cert1.pem
├── chain.pem -> ../../archive/example.com/chain1.pem
├── fullchain.pem -> ../../archive/example.com/fullchain1.pem
├── privkey.pem -> ../../archive/example.com/privkey1.pem
└── README

To inspect the certificate, run the following command:

$ openssl x509 -in  /etc/letsencrypt/live/example.com/cert.pem -noout -text 

# You can see that the certificate contains the SAN extension whose value is *.example.com
...
Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

X509v3 Subject Alternative Name: 
    DNS:*.example.com
...
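
A point worth checking when reading that SAN output: a wildcard name covers exactly one label, so DNS:*.example.com matches www.example.com but not example.com itself and not a.b.example.com. The following shell snippet is an added example, not code from the original post. It extracts the DNS names from the Subject Alternative Name line of openssl x509 -text output and reports whether a given host name is covered; the function names and the embedded fragment of openssl output are constructed for the example, and host names are assumed to be lowercase.

```shell
#!/bin/sh
# Added example (not from the original post): pull the DNS names out of the
# Subject Alternative Name extension printed by `openssl x509 -noout -text`
# and check whether a given host name is actually covered. A wildcard matches
# exactly one label: *.example.com covers www.example.com but neither
# example.com itself nor a.b.example.com.
# A constructed fragment of openssl output is embedded so this runs offline;
# in practice feed the output of:
#   openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -text

SAMPLE_X509_TEXT='            X509v3 Subject Alternative Name: 
                DNS:*.example.com
            X509v3 Certificate Policies: '

# san_dns_names X509_TEXT : prints one DNS name per line from the line that
# follows the "Subject Alternative Name" header.
san_dns_names() {
    printf '%s\n' "$1" \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# name_matches PATTERN HOST : 0 if PATTERN (plain name or *.suffix) covers HOST.
name_matches() {
    pattern=$1
    host=$2
    case $pattern in
        \*.*)
            suffix=${pattern#\*.}
            # HOST must be <one label>.<suffix>; the label may not contain a dot
            label=${host%.$suffix}
            [ "$label" != "$host" ] && [ -n "$label" ] && \
                [ "${label#*.}" = "$label" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# cert_covers X509_TEXT HOST : 0 if any SAN entry covers HOST.
cert_covers() {
    found=$(san_dns_names "$1" | while IFS= read -r name; do
        if name_matches "$name" "$2"; then
            echo yes
            break
        fi
    done)
    [ "$found" = yes ]
}

# report X509_TEXT HOST : human-readable verdict, always returns 0.
report() {
    if cert_covers "$1" "$2"; then
        echo "$2: covered"
    else
        echo "$2: NOT covered by this certificate"
    fi
}

report "$SAMPLE_X509_TEXT" www.example.com
report "$SAMPLE_X509_TEXT" example.com
report "$SAMPLE_X509_TEXT" a.b.example.com
```

With the request shown in this post (-d *.example.com only), the bare domain example.com is not covered; if the apex must also be served, request both names in the same certbot run (-d example.com -d '*.example.com') so that both appear in the SAN extension.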

This completes the demonstration of requesting a free wildcard certificate from Let's Encrypt.

Certificate renewal

The most important reminder in the final output of the previous step is that Let's Encrypt's free certificates are valid for 90 days by default. When renewal is due, all certificates can be renewed non-interactively with the following command:

$ certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem expires on 2019-08-29 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
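
The "not yet due" result above comes from certbot's renewal window: by default certbot renew only acts on certificates that expire within 30 days. The following shell snippet is an added example, not code from the original post, that reproduces that decision from the "expires on" line in the renew output, computing the days remaining with plain shell arithmetic so it needs no GNU date. The function names are constructed for the example, the sample line is a copy of the one printed above, and "today" is passed in explicitly so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce certbot's "not yet due"
# decision. `certbot renew` only acts when a certificate is within its renewal
# window, 30 days before expiry by default. The expiry date is parsed from a
# constructed copy of the renew output line, and "today" is an explicit
# argument so the verdict does not depend on when the script runs.

RENEW_THRESHOLD_DAYS=30

# Constructed sample of the line `certbot-auto renew` prints.
SAMPLE_RENEW_LINE='  /etc/letsencrypt/live/example.com/fullchain.pem expires on 2019-08-29 (skipped)'

# expiry_from_line LINE : prints the YYYY-MM-DD that follows "expires on".
expiry_from_line() {
    printf '%s\n' "$1" \
      | sed -n 's/.*expires on \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p'
}

# days_from_civil YYYY-MM-DD : days since 1970-01-01, computed in the
# proleptic Gregorian calendar with shell arithmetic only.
days_from_civil() {
    y=${1%%-*}
    rest=${1#*-}
    m=${rest%-*}
    d=${rest#*-}
    # strip one leading zero so "08"/"09" are not read as octal
    m=${m#0}
    d=${d#0}
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(( m > 2 ? m - 3 : m + 9 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# days_until EXPIRY TODAY : signed number of days from TODAY to EXPIRY.
days_until() {
    echo $(( $(days_from_civil "$1") - $(days_from_civil "$2") ))
}

# renewal_due EXPIRY TODAY : 0 when the default renewal window has been reached.
renewal_due() {
    [ "$(days_until "$1" "$2")" -le "$RENEW_THRESHOLD_DAYS" ]
}

# renew_verdict LINE TODAY : prints what certbot would do for this line.
renew_verdict() {
    exp=$(expiry_from_line "$1")
    left=$(days_until "$exp" "$2")
    if renewal_due "$exp" "$2"; then
        echo "$exp: $left days left, within ${RENEW_THRESHOLD_DAYS}-day window, renew now"
    else
        echo "$exp: $left days left, not yet due (certbot would skip)"
    fi
}

# 2019-05-31 is the date of the dig query shown earlier in the post.
renew_verdict "$SAMPLE_RENEW_LINE" 2019-05-31
```

Note that a certificate obtained with --manual and the dns-01 challenge, as in this post, cannot be renewed unattended: certbot renew has no way to publish the new TXT record unless an authentication hook (--manual-auth-hook) that updates DNS is supplied, so either provide such a hook or plan to repeat the interactive request before the window closes.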

Because the certificate has not expired yet, it is skipped. The non-interactive renewal above relies on the account credentials saved when the certificate was first obtained, by default in the /etc/letsencrypt directory. Backing up that directory regularly is recommended.

Posted by iRock on Fri, 29 May 2020 00:36:59 -0700