How to apply for a wildcard SSL certificate from Let's Encrypt via the DNS challenge

Why use DNS challenge instead of HTTP challenge?

I deployed this blog using geo-IP based DNS, which means the IP that Let's Encrypt resolves does not match the server that is applying for the SSL certificate. So I learned how to get an SSL certificate via the DNS challenge.

Why use a wildcard SSL certificate?

Another advantage of using the DNS challenge is that it is the only challenge type that can issue a wildcard certificate. A certificate requested for your.domain and *.your.domain covers the root domain and all of its first-level subdomains (not deeper levels), which is more convenient and easier to manage than one certificate per host.

How to do it?

AWS Route 53

Install certbot following official instructions

Before, I just used certbot from OS packages. Now I know that the appropriate way to install it is from pip in order to get the latest version. In my case I use AWS Route 53 as the DNS provider. If you use another DNS service provider, the process is similar; you can refer to https://eff-certbot.readthedocs.io/en/latest/using.html#dns-plugins. Now log into your server as root.

sudo apt update
sudo apt install python3 python3-venv libaugeas0
sudo apt-get remove certbot # Remove certbot-auto and any Certbot OS packages
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
sudo /opt/certbot/bin/pip install certbot-dns-route53

Configure your Route 53 API credentials

  1. Go to your hosted zone and record your hosted zone ID.

  2. Then go to the AWS IAM console to set up policies and users; it can be found via the search bar.

  3. Set a policy. In the policy editor, paste the following JSON and replace REPLACE_WITH_YOUR_HOSTED_ZONE_ID with the hosted zone ID you recorded in step 1, so that the permission to change records is limited to that single zone:

    {
      "Version": "2012-10-17",
      "Id": "certbot-dns-route53 policy",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "route53:ListHostedZones",
            "route53:GetChange"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "route53:ChangeResourceRecordSets"
          ],
          "Resource": [
            "arn:aws:route53:::hostedzone/REPLACE_WITH_YOUR_HOSTED_ZONE_ID"
          ]
        }
      ]
    }

    Then click next, input a policy name and create it.

  4. Next, go to the Users panel and create a new user.

    Input the username you like.

    Attach the policy you created before.

    Then go to the next step and create the user. Now we need to create an access key for this user.

    Leave the tag value empty here.

    Record your access key and secret access key, which will be used later.

    Up to now, we have our Route 53 API credentials. Then log back into your server as root.

    cd ~
    mkdir .aws
    vim .aws/config

    Put the credentials you recorded into the file (it holds a long-lived secret, so keep it readable by root only):

    [default]
    aws_access_key_id=Your_aws_access_key_id
    aws_secret_access_key=Your_aws_secret_access_key

    certbot certonly \
      --dns-route53 \
      -d your.domain \
      -d "*.your.domain"   # quote the wildcard so the shell does not expand it
    # Set up automatic renewal
    echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
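Before attaching the IAM policy from step 3, it is worth checking that the record-changing permission really is pinned to one hosted zone and that the placeholder was replaced. The following audit script is an added example, not part of the original post or of certbot; the hosted zone ID Z0123456789EXAMPLE and both sample policies are constructed.

```python
import json

# Actions the policy above grants. ChangeResourceRecordSets is the one that
# must be pinned to a single hosted zone; the other two carry no zone scope.
ZONE_SCOPED_ACTIONS = {"route53:ChangeResourceRecordSets"}
GLOBAL_ACTIONS = {"route53:ListHostedZones", "route53:GetChange"}
PLACEHOLDER = "REPLACE_WITH_YOUR_HOSTED_ZONE_ID"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_route53_policy(policy_text, hosted_zone_id):
    """Return findings for an IAM policy document. An empty list means it is
    scoped the way the certbot-dns-route53 policy above is meant to be."""
    findings = []
    expected_arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action not in ZONE_SCOPED_ACTIONS | GLOBAL_ACTIONS:
                findings.append(f"{action}: outside the minimal action set")
                continue
            if action not in ZONE_SCOPED_ACTIONS:
                continue
            for res in resources:
                if "*" in res:
                    findings.append(f"{action} on {res}: should be limited to one hosted zone")
                elif PLACEHOLDER in res:
                    findings.append(f"{action}: placeholder hosted zone id was never replaced")
                elif res != expected_arn:
                    findings.append(f"{action} on {res}: expected {expected_arn}")
    return findings


# Constructed samples: the page's policy with a made-up zone id filled in,
# and an over-broad variant that allows record changes on every zone.
ZONE_ID = "Z0123456789EXAMPLE"  # constructed, not a real hosted zone
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:GetChange"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": [f"arn:aws:route53:::hostedzone/{ZONE_ID}"]}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"]}]})
```

Run audit_route53_policy on the JSON you are about to paste into IAM, with the zone ID from step 1; anything it returns is a reason to fix the policy first.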

Cloudflare DNS

sudo apt update
sudo apt install python3 python3-venv libaugeas0
sudo apt-get remove certbot # Remove certbot-auto and any Certbot OS packages
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
sudo /opt/certbot/bin/pip install certbot-dns-cloudflare

Configure your Cloudflare API credentials

  1. Log in => Manage Account => click "Create Token".

  2. Use the template "Edit zone DNS".

  3. Set the permission to Edit, include the zone of the domain you want the wildcard certificate for, then restrict the token to your server's IP address so it cannot be used from elsewhere. Continue to create the token and you will get your secret key.

Apply wildcard SSL certificate

Working as root in /root:

mkdir .secrets
cd .secrets/
mkdir certbot
cd certbot/
vim cloudflare.ini

Contents of cloudflare.ini (the token value shown is a placeholder; paste the token you just created):

# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

chmod 600 /root/.secrets/certbot/cloudflare.ini
certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d your.domain -d "*.your.domain"
# Set up automatic renewal
echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Reference

  1. https://letsencrypt.org/docs/challenge-types/

  2. https://community.letsencrypt.org/t/dns-providers-who-easily-integrate-with-lets-encrypt-dns-validation/86438

  3. https://eff-certbot.readthedocs.io/en/latest/using.html#dns-plugins

  4. https://certbot.eff.org/instructions?ws=nginx&os=pip&tab=wildcard

  5. https://certbot-dns-route53.readthedocs.io/en/latest/

  6. https://nandovieira.com/using-lets-encrypt-in-development-with-nginx-and-aws-route53

  7. https://certbot-dns-route53.readthedocs.io/en/stable/

  8. https://certbot-dns-cloudflare.readthedocs.io/en/latest/