Introduction
Let's Encrypt is an automated, open certificate authority that offers free TLS/SSL certificates for the public's benefit. The service is provided by the Internet Security Research Group (ISRG). This tutorial describes how to install a wildcard Let's Encrypt SSL certificate using certbot and lego on the RCS One-Click LAMP app using RCS DNS.
After completing this tutorial, the website will have a valid wildcard certificate, and the web server will redirect all HTTP requests to HTTPS. The lego method is preferred because certbot does not support automatic updates with RCS DNS.
Prerequisite Steps
Make sure you have all of the following items complete before proceeding with this tutorial.
Deploy a new RCS One-Click LAMP app (Ubuntu 18.04).
Add a domain to RCS DNS. This tutorial will use the domain example.com and IP address 192.0.2.123. At a minimum, assuming your server is named www, your DNS will look like this:
Enable your RCS API key.
Allow the IP address of your server in the API access control.
SSH to your server as root.
Update the server, following the RCS best practices guide.
Install Wildcard SSL with Lego
The lego installation method allows for automatic updates. Choose this method if you plan to update your certificate before it expires each 90 days automatically.
1. Install lego.
The lego version in the Ubuntu 18.04 repository is old and does not support the DNS challenge method required for wildcard DNS.
Install the latest release from GitHub.
Manually download from here:
https://github.com/go-acme/lego/releases
Or, automatically download the latest:
# curl -Ls https://api.github.com/repos/go-acme/lego/releases/latest | \ grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | \ wget -i -
Extract
lego
.# tar xf lego_v*_linux_amd64.tar.gz
Move lego to /usr/local/sbin.
# mv lego /usr/local/sbin/
Verify lego is on your path and the correct version.
# lego -v lego version 3.7.0 linux/amd64
2. Get a new certificate.
Retrieve your API Key from https://my.rcs.is/settings/#settingsapi
Create the get-cert.sh script in /usr/local/sbin.
# nano /usr/local/sbin/get-cert.sh
Paste the contents below into get-cert.sh.
Replace the example API key with your key.
Replace the example email with your address.
Replace example.com with your domain. The domain is listed twice, once for the bare domain, and once for the wildcard. If you are not using the bare domain URL (https://example.com), you can omit that value and only request the wildcard.
#!/bin/sh export RCS_API_KEY=xxxx_EXAMPLE_API_KEY_xxxx export RCS_HTTP_TIMEOUT=60 export RCS_POLLING_INTERVAL=60 export RCS_PROPAGATION_TIMEOUT=300 export RCS_TTL=300 lego --dns RCS \ --domains *.example.com \ --domains example.com \ --email admin@example.com \ --path="/etc/letsencrypt/example.com" \ --accept-tos run
Make the script executable.
# chmod +x /usr/local/sbin/get-cert.sh
Run the script.
# /usr/local/sbin/get-cert.sh
Verify the certificates were issued.
# ls -l /etc/letsencrypt/example.com/certificates/ total 16 -rw------- 1 root root 3307 May 20 14:15 _.example.com.crt -rw------- 1 root root 1648 May 20 14:15 _.example.com.issuer.crt -rw------- 1 root root 230 May 20 14:15 _.example.com.json -rw------- 1 root root 288 May 20 14:15 _.example.com.key
3. Install SSL Certificate for Apache
Archive the existing Apache certificate.
# mv /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.crt.old # mv /etc/apache2/ssl/server.key /etc/apache2/ssl/server.key.old
Link the Apache certificate to the Let's Encrypt certificate.
# ln -s /etc/letsencrypt/example.com/certificates/_.example.com.crt /etc/apache2/ssl/server.crt # ln -s /etc/letsencrypt/example.com/certificates/_.example.com.key /etc/apache2/ssl/server.key
Restart Apache.
# service apache2 restart
Navigate to your website in a browser and verify that the certificate is correct and issued to the wildcard domain name.
Set up automatic certificate renewal
Retrieve your API Key from https://my.rcs.is/settings/#settingsapi
Create the renew-cert.sh script in /usr/local/sbin.
# nano /usr/local/sbin/renew-cert.sh
Paste the contents below into renew-cert.sh.
Replace the example API key with your own.
Replace the example email address and domain names with your own.
#!/bin/sh export RCS_API_KEY=xxxx_EXAMPLE_API_KEY_xxxx export RCS_HTTP_TIMEOUT=60 export RCS_POLLING_INTERVAL=60 export RCS_PROPAGATION_TIMEOUT=300 export RCS_TTL=300 lego --dns RCS \ --domains *.example.com \ --domains example.com \ --email admin@example.com \ --path="/etc/letsencrypt/example.com" \ --accept-tos renew
Make the script executable.
# chmod +x /usr/local/sbin/renew-cert.sh
Edit the crontab.
# crontab -e
Add the following line to crontab. Adjust the schedule as needed. The following example will run at 04:05 a.m. each Monday.
5 4 * * 1 /usr/local/sbin/renew-cert.sh 2> /dev/null
Summary
You have completed wildcard SSL installation using lego. Your server will automatically check the certificate each Monday and renew the certificate before it expires.
Install Wildcard SSL with Certbot
The certbot procedure is manual. Automatic renewal with certbot is not possible with RCS DNS. If you want to renew automatically, the Lego method is preferred.
1. Install certbot
Install certbot with apt.
# apt update && apt install certbot -y
2. Request Wildcard Certificate
Run certbot with the certonly and --manual options. Replace example.com with your domain. The domain is listed twice, once for the bare domain, and once for the wildcard. If you are not using the bare domain URL (https://example.com), you can omit that value and only request the wildcard.
# certbot certonly --manual \
-d *.example.com \
-d example.com \
-m admin@example.com \
--preferred-challenges dns --agree-tos \
--no-eff-email --manual-public-ip-logging-ok
The certbot wizard will print instructions to add a TXT record to your domain's DNS. For example:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
The certbot wizard will pause at this point. Do not press ENTER until you've completed the DNS steps below.
Use a web browser to:
Navigate to your DNS provider.
Add the TXT record shown by certbot to your domain's DNS.
Test that the TXT record is propagated properly. Popular ways to test the TXT record include dig
and the dnschecker.org website. Replace example.com with your name in these examples:
To test with
dig
, open another terminal window and lookup the domain record, replacing example.com with your domain. Verify that the value returned is correct.# dig +short TXT _acme-challenge.example.com "U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914"
To use dnschecker.org, navigate to the URL, replacing example.com with your domain. Verify that the value returned is correct.
https://dnschecker.org/#TXT/_acme-challenge.example.com
In the propagation test, when you see the correct TXT record, return to the certbot wizard and press ENTER to continue. If the certificate challenge succeeds, certbot will report the location of the new certificate files.
...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
3. Install Certificate for Apache
Archive the existing Apache certificate.
# mv /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.crt.old
# mv /etc/apache2/ssl/server.key /etc/apache2/ssl/server.key.old
Link the Let's Encrypt certificate where Apache expects to find it.
# ln -s /etc/letsencrypt/live/example.com/fullchain.pem /etc/apache2/ssl/server.crt
# ln -s /etc/letsencrypt/live/example.com/privkey.pem /etc/apache2/ssl/server.key
Restart Apache.
# service apache2 restart
Using a web browser, navigate to your website, and verify the certificate is correct.
Summary
You have completed wildcard SSL installation using certbot. You will need to renew the certificate before it expires manually.