Create Wildcard SSL Certificate With Let's Encrypt and Integrate Into Engineyard
First, we will generate a wildcard SSL certificate for our domain, and then we will walk through integrating that certificate into Engine Yard. Before that, let's get some background on the terms used in this post.
What Is SSL and Why Is it Used?
SSL certificates are used to create an encrypted channel between the client and the server. Transmission of data such as credit card details, account login information, and any other sensitive information has to be encrypted to prevent eavesdropping.
What Is a Wildcard Certificate?
A wildcard certificate is a digital certificate that is applied to a domain and its subdomains. Secure Sockets Layer (SSL) certificates often use wildcards to extend SSL encryption to subdomains. A conventional SSL certificate works on a single domain only.
Why Let's Encrypt?
Let's Encrypt is a free, automated, and open Certificate Authority. That means you do not need to pay for an SSL certificate.
Creating a Wildcard Certificate
First, log in to your server over SSH: ssh @.
Once you are logged in, install certbot to proceed. Certbot is not available in the default Ubuntu repository, so run the command below to add its PPA first:
sudo add-apt-repository ppa:certbot/certbot
Update packages using the below command:
sudo apt update
Run the below command to install certbot:
sudo apt install certbot
Check which version of certbot is installed with the command below:
apt-cache policy certbot | grep -i Installed
Reference: https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache.html
Now that certbot is installed on the server, we can generate a certificate. Use the command below to request a wildcard certificate:
sudo certbot certonly --manual -d *. -d --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server
Replace the placeholders above with your own domain, for example xyz.com (the first -d entry becomes the wildcard *.xyz.com, the second the bare domain xyz.com). We pass --preferred-challenges dns-01 because Let's Encrypt issues wildcard certificates only through the DNS challenge. The other challenge types are described at https://letsencrypt.org/docs/challenge-types/.
During this process, certbot asks you to add a TXT record to your DNS. Log in to your DNS provider's account (for example Bigrock, GoDaddy, or another domain provider).
Then find the DNS records management panel; where it lives depends on your provider. Add the TXT record that certbot printed in the last step, like this:
Name: _acme-challenge (under your domain, i.e. _acme-challenge.xyz.com)  Value: the token string certbot displayed
You can check whether the TXT record is visible in DNS at https://mxtoolbox.com/ before you let certbot continue. Because the command requests two names (the wildcard and the bare domain), you go through this step twice: add a second TXT record with the second value and keep the first one in place until certbot finishes. Certbot then verifies that you control the domain you claim and issues a certificate for it with a validity of 3 months.
Next, add the certificate to Engine Yard. Log in to your Engine Yard account, open the Tools dropdown, select SSL Certificate, and click the Add SSL Certificate button.
Give the certificate a name so you can identify it later, and select the radio button named "Upload SSL Certificate".
In the SSL Certificate text area, paste the contents of fullchain.pem, the file generated in the last step. View the file with the command below (in the SSH session):
sudo cat /etc/letsencrypt/live/unimedliving.com/fullchain.pem
In the SSL Certificate Key text area, paste the contents of privkey.pem, also generated in the last step. View the file with the command below (in the SSH session):
sudo cat /etc/letsencrypt/live/unimedliving.com/privkey.pem
Finally, click Add Certificate; it takes a little while before the certificate appears for selection. The certificate is now stored in Engine Yard, and the next step is to assign it to your web app. Go to the Engine Yard dashboard.
Select the app to which you want to assign the SSL certificate. In the SSL section you will see the option "Assign SSL Certificate to". From the SSL Certificate dropdown, select the certificate by the name you gave it, then click Update SSL Settings.
Everything is set up. Now you only need to click the "Apply" button. After the changes are applied to your environment, you can check that your app is SSL protected.
You can run an SSL test at https://www.whynopadlock.com/. Use the same process to renew the certificate after 90 days. With a single-domain certificate you can automate renewal with a script, but for wildcard domains this process cannot be automated in the same way because it requires the DNS challenge. In the future there may be a way to automate the challenge as well; we will update this post if such a technique becomes available.
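The shell script below is an added example; it is not part of the original post, of certbot, or of Engine Yard's tooling. It bundles the sanity checks a practitioner would run on the fullchain.pem / privkey.pem pair above before pasting them into Engine Yard, and again at the 90-day renewal: that the private key really belongs to the certificate (a mismatched pair is the usual copy-paste failure in a web form), that the certificate covers the hostnames you serve (OpenSSL's matching shows that a wildcard covers exactly one label, so *.example.com covers www.example.com but not a.b.example.com), how many certificates the chain file carries, and whether fewer than 30 days of validity remain. It assumes the openssl command-line tool is on PATH and, so that it runs offline, generates a constructed self-signed wildcard certificate for example.com in place of the real Let's Encrypt files; point the functions at /etc/letsencrypt/live/<your domain>/ to check real ones.

```shell
#!/bin/sh
# Added example (not from the original post, certbot or Engine Yard):
# pre-upload and pre-renewal checks for a certbot fullchain.pem / privkey.pem pair.
# Assumes the openssl command-line tool is on PATH.

# 0 if the public key embedded in CERT equals the public half of KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT is valid for HOSTNAME. OpenSSL applies the SAN wildcard rules:
# *.example.com matches www.example.com but not a.b.example.com.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if CERT stays valid for at least DAYS more days (renew when this fails).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Number of PEM certificates in a file. A certbot fullchain.pem carries the
# leaf plus the intermediate(s), so a real one should report 2 or more.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Constructed sample data: a 90-day self-signed wildcard certificate with the
# same SAN shape certbot produces for "-d *.example.com -d example.com", plus an
# unrelated key to demonstrate the mismatch case. Stands in for the real files
# under /etc/letsencrypt/live/<your domain>/ so the script runs offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
        -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com,DNS:example.com" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/otherkey.pem" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
make_demo_pair "$DEMO_DIR"
CERT="$DEMO_DIR/fullchain.pem"

for key in privkey.pem otherkey.pem; do
    if cert_matches_key "$CERT" "$DEMO_DIR/$key"; then
        echo "$key: matches fullchain.pem"
    else
        echo "$key: DOES NOT match fullchain.pem (do not upload this pair)"
    fi
done

for host in www.example.com example.com a.b.example.com; do
    if cert_covers_host "$CERT" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered (a wildcard matches one label only)"
    fi
done

if cert_valid_for_days "$CERT" 30; then
    echo "more than 30 days of validity left"
else
    echo "fewer than 30 days left: rerun the certbot command and re-upload"
fi
echo "certificates in chain file: $(pem_cert_count "$CERT") (expect 2+ for a real fullchain.pem)"
```

Run it as-is to see the constructed case, or call the four functions against your real files, for example cert_matches_key /etc/letsencrypt/live/xyz.com/fullchain.pem /etc/letsencrypt/live/xyz.com/privkey.pem, before pasting them into the Engine Yard form. The key comparison works for both RSA and ECDSA keys because it compares the SubjectPublicKeyInfo encodings rather than an RSA modulus.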
If you run into any difficulties following the process above, leave a comment on the post and we will be happy to help. Thank you!
Published at DZone with permission of Sachin Gevariya.