Select Page

How to Issue and Auto-Renew a Let’s Encrypt Wildcard SSL Certificate with Acme.sh
Posted on December 18, 2019
How to Issue and Auto-Renew a Let’s Encrypt Wildcard SSL Certificate with Acme.sh

Jackie, also known by his nick-name KK, always strives for the best and learn from the best. Working and living as a Freelance Web Engineer/ Web Developer & Designer/ Amateur Youtuber/ Husky Lover. If you love one of these things that I love, we already have something in common.

Jackie Sung

Owner

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time. The offer is accompanied by an automated process designed to overcome manual creation, validation, signing, installation, and renewal of certificates for secure websites.

In this article we will see how to issue and auto-renew a wildcard SSL certificate with Cloudflare DNS API.

Step 1 - Install Acme.sh

wget -O -  https://get.acme.sh | sh

Step 2 - Issue a Wildcard SSL Certificate with Cloudflare DNS API

To add your Cloudflare API keys (available in your cloudflare dashboard > My Profile > API Tokens)

export CF_Key="your cloudflare api key"
export CF_Email="your cloudflare email"
acme.sh --issue -d jackiesung.com -d *.jackiesung.com --dns dns_cf

If you want to use ECDSA certificate with 384 bits keys, you can do

acme.sh --issue -d jackiesung.com -d *.jackiesung.com --dns dns_cf -k ec-384

You won't have to add DNS records or to run another command to issue your certificate. Acme.sh will automatically add the DNS records needed for the acme-challenge, then it will wait 120 seconds before launching the validation. If everything is okay, acme.sh will issue your wildcard certificate and cleanup validation DNS records.

You shall see something like this

[email protected]: ~# acme.sh --issue -d jackiesung.com -d *.jackiesung.com --dns dns_cf -k ec-384
[jackiesung 2019, 14:58:08 (UTC+0100)] Multi domain='DNS:jackiesung.com,DNS:*.jackiesung.com'
[jackiesung 2019, 14:58:08 (UTC+0100)] Getting domain auth token for each domain
[jackiesung 2019, 14:58:10 (UTC+0100)] Getting webroot for domain='jackiesung.com'
[jackiesung 2019, 14:58:10 (UTC+0100)] Getting webroot for domain='*.jackiesung.com'
[jackiesung 2019, 14:58:10 (UTC+0100)] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[jackiesung 2019, 14:58:12 (UTC+0100)] Adding record
[jackiesung 2019, 14:58:12 (UTC+0100)] Added, OK
[jackiesung 2019, 14:58:12 (UTC+0100)] Sleep 120 seconds for the txt records to take effect
[jackiesung 2019, 15:00:14 (UTC+0100)] jackiesung.com is already verified, skip dns-01.
[jackiesung 2019, 15:00:14 (UTC+0100)] Verifying:*.jackiesung.com
[jackiesung 2019, 15:00:17 (UTC+0100)] Pending
[jackiesung 2019, 15:00:19 (UTC+0100)] Success
[jackiesung 2019, 15:00:19 (UTC+0100)] Removing DNS records.
[jackiesung 2019, 15:00:20 (UTC+0100)] Verify finished, start to sign.
[jackiesung 2019, 15:00:22 (UTC+0100)] Cert success.
[jackiesung 2019, 15:00:22 (UTC+0100)] Your cert is in  /root/.acme.sh/jackiesung.com_ecc/jackiesung.com.cer
[jackiesung 2019, 15:00:22 (UTC+0100)] Your cert key is in  /root/.acme.sh/jackiesung.com_ecc/jackiesung.com.key
[jackiesung 2019, 15:00:22 (UTC+0100)] The intermediate CA cert is in  /root/.acme.sh/jackiesung.com_ecc/ca.cer
[jackiesung 2019, 15:00:22 (UTC+0100)] And the full chain certs is there:  /root/.acme.sh/jackiesung.com_ecc/fullchain.cer

The last step is to add your wildcard certificate in your nginx configuration

ssl_certificate /etc/letsencrypt/jackiesung.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/jackiesung.com/key.pem;

Copyright Statement: Original Article of JackieSung.com

Related Articles

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Pin It on Pinterest

Share This