
Wildcard SSL cert using letsencrypt and acme.sh

Earlier I published an article on generating wildcard SSL certs using certbot-auto.

With the latest update of letsencrypt, auto-renew became a challenge: letsencrypt wants to verify that you still own the domain by having you create a TXT record in it.  After a series of discussions on my issue about "how to renew the certificate automatically", I learned that this is no longer possible without writing an authenticator script.  The authenticator script gives API access to my DNS provider so that the TXT records can be created automatically and the domain verification for certbot-auto can proceed.

My problem was even bigger.  My domains were parked at GoDaddy, DigitalOcean, CloudFlare, Google, etc., so I would need to give API access to every one of these DNS hosts, with a different authenticator script for each.  This was getting really challenging.

From the discussion on the community thread, I came across An ACME Shell script (acme.sh).  The interesting feature of this script is its DNS alias mode.  Using this mode, I can create a CNAME record at each of my domains hosted at the various providers and point them all to one domain hosted at CloudFlare.  In domain alias mode the script creates the TXT records in my alias domain, which is parked at CloudFlare, and verifies ownership of my domains through them.  Now only one authenticator script, the CloudFlare one, is needed to validate all my domains.  Thanks to the letsencrypt community forum for this input.

Here I describe the steps I followed to achieve this using the ACME shell script.  I love docker, so I used acme.sh's docker image to generate the cert.

Start by creating the acme.sh container:

$ docker run -itd -v "$(pwd)/out":/acme.sh --net=host --name=acme.sh neilpang/acme.sh daemon

This starts a container named acme.sh.  The next step is to get an API key for your account at CloudFlare; follow the link to do so.  Once you have the API key, you need to modify the pre-supplied authenticator script with your CloudFlare credentials.  As the container is built on Alpine, it has only very basic tools, so editing the authenticator script was not very easy.  I used sed to do the job.

$ docker exec acme.sh sed -i.bak 's/#CF_Email="xxxx@sss.com"/CF_Email="your-cloudflare-account-email-address"/' /root/.acme.sh/dnsapi/dns_cf.sh  
$ docker exec acme.sh sed -i.bak 's/#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"/CF_Key="your-cloudflare-api-key"/' /root/.acme.sh/dnsapi/dns_cf.sh

Do not forget to substitute your-cloudflare-account-email-address and your-cloudflare-api-key in the two commands above with your own credentials before running them.  Once that is done, one last command generates the wildcard cert for you.

$ docker exec acme.sh --issue -d '*.domain.com' --challenge-alias domain-parked-at-cloudflare.com --dns dns_cf

Here dns_cf tells the script to use the CloudFlare authenticator script (the wildcard is quoted so the shell does not try to expand it).
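A preflight for the alias mode described above, added here as an example (not code from this post or from acme.sh): before issuing, it checks that each domain's _acme-challenge CNAME points at the alias domain, which is the record acme.sh relies on in this mode, and only then runs the issue command. It assumes dig is installed, that the container is named acme.sh as above, and that the alias domain is passed as the first argument.

```sh
# Added example (not from the post or from acme.sh): a POSIX sh preflight for
# DNS alias mode. acme.sh needs, for every domain you issue for, the record
#   _acme-challenge.<domain>  CNAME  _acme-challenge.<alias-domain>
# and then writes the TXT record only under the alias domain (the CloudFlare one).
# Without that CNAME the issue step fails at validation, so check it first.

# Normalise a DNS name: lower-case, drop one trailing dot.
dns_norm() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# $1 = CNAME answer as printed by `dig +short CNAME`, $2 = alias domain.
# Returns 0 if it points at _acme-challenge.<alias>, 1 if elsewhere, 2 if empty.
alias_cname_ok() {
  answer=$(dns_norm "$1")
  target="_acme-challenge.$(dns_norm "$2")"
  [ -z "$answer" ] && return 2
  [ "$answer" = "$target" ] && return 0
  return 1
}

# Live lookup for one domain (assumes dig is installed).
lookup_cname() {
  dig +short CNAME "_acme-challenge.$1" | head -n 1
}

# Usage: preflight_and_issue <alias-domain> <domain>...
# Verifies every CNAME, then runs the same issue command as the post.
preflight_and_issue() {
  alias_dom="$1"; shift
  rc=0
  for d in "$@"; do
    if alias_cname_ok "$(lookup_cname "$d")" "$alias_dom"; then
      echo "ok:      _acme-challenge.$d -> _acme-challenge.$alias_dom"
    else
      echo "MISSING: add CNAME _acme-challenge.$d -> _acme-challenge.$alias_dom" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1
  for d in "$@"; do
    # Quote the wildcard so the shell does not try to glob it.
    docker exec acme.sh --issue -d "*.$d" --challenge-alias "$alias_dom" --dns dns_cf
  done
}

# Only runs when the script is given arguments: sh preflight.sh alias.com a.com b.net
[ "$#" -ge 2 ] && preflight_and_issue "$@"
```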

That's all.  If everything went fine, you should find your new wildcard cert in your ./out directory.  Deploy the cert on your web server and restart it.

My next post will be on how I auto-renewed the certs so that they don’t expire. 

Letsencrypt – Generating certificate and deploy on production server

I had a situation where I did not want to install all the libs required by LetsEncrypt on a production server, for fear of breaking the running apps.

I went on to explore how to set up a separate server that generates SSL certs with letsencrypt and deploys the generated certs to the production server.  Below I describe the steps, with some do's and don'ts.


LetsEncrypt and 301 redirect

I have been using LetsEncrypt for some time now for a couple of my websites.  When you run letsencrypt to turn SSL on for your websites, it gives you the option to force-redirect all traffic to https.  Of course I opted for that.  After this, one of my WordPress-hosted sites broke with "too many 301 redirect errors".  I kept troubleshooting, assuming the issue was with WordPress or its installed plugins.
