Point a wildcard DNS record at your server and install apache2:
root@cluebat:~# apt-get install virtualenv apache2
Then install certbot:
root@cluebat:~# wget https://dl.eff.org/certbot-auto
--2018-10-05 23:07:52-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 151.101.16.201, 2a04:4e42:4::201
Connecting to dl.eff.org (dl.eff.org)|151.101.16.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 62299 (61K) [application/octet-stream]
Saving to: ‘certbot-auto’
certbot-auto 100%[======================================================>] 60.84K --.-KB/s in 0.002s
2018-10-05 23:07:52 (34.5 MB/s) - ‘certbot-auto’ saved [62299/62299]
root@cluebat:~# chmod 755 certbot-auto
root@cluebat:~#
Run certbot and follow the on-screen instructions to create the TXT record:
root@cluebat:~# ./certbot-auto certonly --manual -d *.cluebat.eu --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cluebat.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:
etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cluebat.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cluebat.eu/privkey.pem
   Your cert will expire on 2019-01-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
And now enable ssl in apache:
root@cluebat:~# a2enmod ssl
Considering dependency setenvif for ssl:
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@cluebat:~#
Then set up the virtual host in wildcard.conf:
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
    SSLCertificateFile /etc/letsencrypt/live/cluebat.eu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cluebat.eu/privkey.pem
    ServerAdmin webmaster@localhost
    ServerName wildcard.cluebat.eu
    ServerAlias *.cluebat.eu
    DocumentRoot /var/www/html
</VirtualHost>
Enable the new site, restart Apache, and navigate to wildcard.cluebat.eu:
root@cluebat:~# a2ensite wildcard.conf
Enabling site wildcard.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@cluebat:~# systemctl restart apache2
Note that the bare “cluebat.eu” does not work, because the wildcard *.cluebat.eu does not cover the apex name. You can add further domains to the certificate like this:
root@cluebat:~# ./certbot-auto certonly --manual -d *.cluebat.eu -d cluebat.eu --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/cluebat.eu.conf)
It contains these names: *.cluebat.eu
You requested these names for the new certificate: *.cluebat.eu, cluebat.eu.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for cluebat.eu
dns-01 challenge for cluebat.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:
etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:
xD428EnO8OIXpH3LdBGs6ObwoR8hOeN6obnyEvBZids
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cluebat.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cluebat.eu/privkey.pem
   Your cert will expire on 2019-01-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
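Certbot's "Before continuing, verify the record is deployed" step can be scripted. The sketch below is an added example, not part of the original post: because the wildcard and the bare domain are both validated under _acme-challenge.cluebat.eu, it checks that every printed value is present at the same time. The function names are hypothetical and ns1.example.net is a placeholder for your authoritative nameserver.

```shell
#!/bin/sh
# Added example (not from the original post): check that every dns-01 value
# certbot printed is published before pressing Enter.

# missing_txt_values EXPECTED...
# Reads `dig +short TXT` output on stdin, prints each EXPECTED value that is
# absent, and returns 0 only when all of them are present.
missing_txt_values() {
    # dig +short wraps each TXT string in double quotes; strip them (and CRs).
    answers=$(tr -d '"\r')
    missing=0
    for want in "$@"; do
        # -F literal, -x whole line; "--" because base64url values may start with "-".
        if ! printf '%s\n' "$answers" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            missing=1
        fi
    done
    return "$missing"
}

# check_challenge NAME NAMESERVER EXPECTED...
# Asks the authoritative server directly, so resolver caches cannot hide a
# record that is still missing there.
check_challenge() {
    name=$1; ns=$2; shift 2
    dig +short TXT "$name" "@$ns" | missing_txt_values "$@"
}

# Usage against live DNS (ns1.example.net is a placeholder nameserver):
#   check_challenge _acme-challenge.cluebat.eu ns1.example.net \
#       etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0 \
#       xD428EnO8OIXpH3LdBGs6ObwoR8hOeN6obnyEvBZids

# Constructed dig output: only the first of the two values is published so far.
sample='"etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0"'
if ! printf '%s\n' "$sample" | missing_txt_values \
        etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0 \
        xD428EnO8OIXpH3LdBGs6ObwoR8hOeN6obnyEvBZids >/dev/null; then
    echo "not ready: publish every TXT value before pressing Enter"
fi
```

A non-zero return with a value printed means that TXT record is not yet visible on the queried server, so pressing Enter at that point would fail the validation.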
Adding another wildcard to the same certificate is just as easy:
root@cluebat:~# ./certbot-auto certonly --manual -d *.cluebat.eu -d cluebat.eu -d housebot.dk -d *.housebot.dk --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/cluebat.eu.conf)
It contains these names: *.cluebat.eu, cluebat.eu
You requested these names for the new certificate: *.cluebat.eu, cluebat.eu,
housebot.dk, *.housebot.dk.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for cluebat.eu
dns-01 challenge for cluebat.eu
dns-01 challenge for housebot.dk
dns-01 challenge for housebot.dk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:
etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:
xD428EnO8OIXpH3LdBGs6ObwoR8hOeN6obnyEvBZids
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.housebot.dk with the following value:
5_IQHWzUVroRwk_AH8Qe2ztg3rMYuWHIiHX9TvH3t1Y
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.housebot.dk with the following value:
5CSRERvy-uXp9gO33gaCzJdM4UBb84sspJDJ1UO9AII
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cluebat.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cluebat.eu/privkey.pem
   Your cert will expire on 2019-01-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Restart Apache, and test:
root@cluebat:~# systemctl restart apache2
root@cluebat:~#