IntroductionLet's Encrypt is an automated, open certificate authority that offers free TLS/SSL certificates for the public's benefit. The service is provided by the Internet Security Research Group (ISRG). This tutorial describes how to install a wildcard Let's Encrypt SSL certificate using certbot and lego on the Vultr One-Click LAMP app using Vultr DNS.
After completing this tutorial, the website will have a valid wildcard certificate, and the web server will redirect all HTTP requests to HTTPS. The lego method is preferred because certbot does not support automatic updates with Vultr DNS.
Prerequisite StepsMake sure you have all of the following items complete before proceeding with this tutorial.
- Deploy a new Vultr One-Click LAMP app (Ubuntu 18.04).
https://pix.cobrasoft.org/images/2023/01/01/Deploy.png
- Add a domain to Vultr DNS. This tutorial will use the domain example.com and IP address 192.0.2.123. At a minimum, assuming your server is named www, your DNS will look like this:
https://pix.cobrasoft.org/images/2023/01/01/DNS.png
- Enable your Vultr API key.
- Allow the IP address of your server in the API access control.
https://pix.cobrasoft.org/images/2023/01/01/AccessControl.png
- SSH to your server as root.
- Update the server, following the Vultr best practices guide.
Install Wildcard SSL with LegoThe lego installation method allows for automatic updates. Choose this method if you plan to update your certificate before it expires each 90 days automatically.
1. Install lego.The lego version in the Ubuntu 18.04 repository is old and does not support the DNS challenge method required for wildcard DNS.
- Install the latest release from GitHub.
Manually download from here:
Quotehttps://github.com/go-acme/lego/releases
Or, automatically download the latest:
Quote# curl -Ls https://api.github.com/repos/go-acme/lego/releases/latest | \
grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | \
wget -i -
Quote# tar xf lego_v*_linux_amd64.tar.gz
- Move lego to /usr/local/sbin.
Quote# mv lego /usr/local/sbin/
- Verify lego is on your path and the correct version.
Quote# lego -v
lego version 3.7.0 linux/amd64
[/list]
2. Get a new certificate. - Retrieve your API Key from https://my.vultr.com/settings/#settingsapi
- Create the get-cert.sh script in /usr/local/sbin.
Quote# nano /usr/local/sbin/get-cert.sh
- Paste the contents below into get-cert.sh.
- Replace the example API key with your key.
- Replace the example email with your address.
- Replace example.com with your domain. The domain is listed twice, once for the bare domain, and once for the wildcard. If you are not using the bare domain URL (https://example.com), you can omit that value and only request the wildcard.
Quote#!/bin/sh
export VULTR_API_KEY=xxxx_EXAMPLE_API_KEY_xxxx
export VULTR_HTTP_TIMEOUT=60
export VULTR_POLLING_INTERVAL=60
export VULTR_PROPAGATION_TIMEOUT=300
export VULTR_TTL=300
lego --dns vultr \
--domains *.example.com \
--domains example.com \
--email admin@example.com \
--path="/etc/letsencrypt/example.com" \
--accept-tos run
[/list]
- Make the script executable.
Quote# chmod +x /usr/local/sbin/get-cert.sh
Quote# /usr/local/sbin/get-cert.sh
- Verify the certificates were issued.
Quote# ls -l /etc/letsencrypt/example.com/certificates/
total 16
-rw------- 1 root root 3307 May 20 14:15 _.example.com.crt
-rw------- 1 root root 1648 May 20 14:15 _.example.com.issuer.crt
-rw------- 1 root root 230 May 20 14:15 _.example.com.json
-rw------- 1 root root 288 May 20 14:15 _.example.com.key
[/list]
3. Install SSL Certificate for Apache - Archive the existing Apache certificate.
Quote# mv /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.crt.old
# mv /etc/apache2/ssl/server.key /etc/apache2/ssl/server.key.old
- Link the Apache certificate to the Let's Encrypt certificate.
Quote# ln -s /etc/letsencrypt/example.com/certificates/_.example.com.crt /etc/apache2/ssl/server.crt
# ln -s /etc/letsencrypt/example.com/certificates/_.example.com.key /etc/apache2/ssl/server.key
Quote# service apache2 restart
- Navigate to your website in a browser and verify that the certificate is correct and issued to the wildcard domain name.
Set up automatic certificate renewal- Retrieve your API Key from https://my.vultr.com/settings/#settingsapi
- Create the renew-cert.sh script in /usr/local/sbin.
Quote# nano /usr/local/sbin/renew-cert.sh
- Paste the contents below into renew-cert.sh.
- Replace the example API key with your own.
- Replace the example email address and domain names with your own.
Quote#!/bin/sh
export VULTR_API_KEY=xxxx_EXAMPLE_API_KEY_xxxx
export VULTR_HTTP_TIMEOUT=60
export VULTR_POLLING_INTERVAL=60
export VULTR_PROPAGATION_TIMEOUT=300
export VULTR_TTL=300
lego --dns vultr \
--domains *.example.com \
--domains example.com \
--email admin@example.com \
--path="/etc/letsencrypt/example.com" \
--accept-tos renew
[/list]
- Make the script executable.
Quote# chmod +x /usr/local/sbin/renew-cert.sh
Quote# crontab -e
- Add the following line to crontab. Adjust the schedule as needed. The following example will run at 04:05 a.m. each Monday.
Quote5 4 * * 1 /usr/local/sbin/renew-cert.sh 2> /dev/null
[/list]
Summary You have completed wildcard SSL installation using lego. Your server will automatically check the certificate each Monday and renew the certificate before it expires.
Install Wildcard SSL with CertbotThe certbot procedure is manual. Automatic renewal with certbot is not possible with Vultr DNS. If you want to renew automatically, the Lego method is preferred.
1. Install certbotInstall certbot with apt.
Quote# apt update && apt install certbot -y
2. Request Wildcard CertificateRun certbot with the certonly and --manual options. Replace example.com with your domain. The domain is listed twice, once for the bare domain, and once for the wildcard. If you are not using the bare domain URL (https://example.com), you can omit that value and only request the wildcard.
Quote# certbot certonly --manual \
-d *.example.com \
-d example.com \
-m admin@example.com \
--preferred-challenges dns --agree-tos \
--no-eff-email --manual-public-ip-logging-ok
The certbot wizard will print instructions to add a TXT record to your domain's DNS. For example:
Quote- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
The certbot wizard will pause at this point. Do not press ENTER until you've completed the DNS steps below.
Use a web browser to:
- Navigate to your DNS provider.
- Add the TXT record shown by certbot to your domain's DNS.
Test that the TXT record is propagated properly. Popular ways to test the TXT record include dig and the dnschecker.org website. Replace example.com with your name in these examples:
- To test with dig, open another terminal window and lookup the domain record, replacing example.com with your domain. Verify that the value returned is correct.
Quote# dig +short TXT _acme-challenge.example.com
"U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914"
- To use dnschecker.org, navigate to the URL, replacing example.com with your domain. Verify that the value returned is correct.
Quotehttps://dnschecker.org/#TXT/_acme-challenge.example.com
In the propagation test, when you see the correct TXT record, return to the certbot wizard and press ENTER to continue. If the certificate challenge succeeds, certbot will report the location of the new certificate files.
Quote...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
[/list]
3. Install Certificate for ApacheArchive the existing Apache certificate.
Quote# mv /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.crt.old
# mv /etc/apache2/ssl/server.key /etc/apache2/ssl/server.key.old
Link the Let's Encrypt certificate where Apache expects to find it.
Quote# ln -s /etc/letsencrypt/live/example.com/fullchain.pem /etc/apache2/ssl/server.crt
# ln -s /etc/letsencrypt/live/example.com/privkey.pem /etc/apache2/ssl/server.key
Restart Apache.
Quote# service apache2 restart
Using a web browser, navigate to your website, and verify the certificate is correct.
SummaryYou have completed wildcard SSL installation using certbot. You will need to renew the certificate before it expires manually.