
Wildcard SSL cert using letsencrypt and acme.sh

Earlier I published an article on generating wildcard SSL certs using certbot-auto.

With the latest update of Let's Encrypt, auto-renewal became a challenge: Let's Encrypt wants to verify that you still own the domain by having you create a TXT record in it. After a series of discussions on my issue about "how to renew the certificate automatically", I learned that this is no longer possible without writing an authenticator script. The authenticator script gives certbot-auto API access to my DNS provider so that the TXT records can be created automatically and the domain verification can proceed.

My problem was even bigger. My domains were parked at GoDaddy, DigitalOcean, CloudFlare, Google, etc., so I would have to give API access to each of these DNS hosts, and therefore write a different authenticator script for each. This was really getting challenging.

From the discussion in the community thread, I came across acme.sh, an ACME shell script. The interesting feature of this script is DNS alias mode. Using this mode, I can create a CNAME record at each of my domains, hosted at the various providers, and point them all to one domain hosted at CloudFlare. In DNS alias mode the script creates the TXT records in that alias domain parked at CloudFlare and verifies my domain ownership through them. Now only one authenticator script, the CloudFlare one, is needed to validate all my domains. Thanks to the Let's Encrypt community forum for this input.

Here I describe the steps by which I achieved this using the acme.sh shell script. I love Docker, so I used acme.sh's Docker image to generate the cert.

Start by creating the acme.sh container:

$ docker run -itd -v "$(pwd)/out":/acme.sh --net=host --name=acme.sh neilpang/acme.sh daemon

This will start your container with the name acme.sh. The next step is to get an API key for your account at CloudFlare. Follow the link to do so. Once you have the API key, you need to modify the pre-supplied authenticator script with your CloudFlare credentials. As the container is built on Alpine, it has only very basic tools, so editing the authenticator script was not very easy. I used sed to do the job.

$ docker exec acme.sh sed -i.bak 's/#CF_Email="xxxx@sss.com"/CF_Email="your-cloudflare-account-email-address"/' /root/.acme.sh/dnsapi/dns_cf.sh  
$ docker exec acme.sh sed -i.bak 's/#CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"/CF_Key="your-cloudflare-api-key"/' /root/.acme.sh/dnsapi/dns_cf.sh

Do not forget to substitute your-cloudflare-account-email-address and your-cloudflare-api-key with your own credentials before running these commands. Once that is done, one last command will generate the wildcard cert for you.

$ docker exec acme.sh --issue -d '*.domain.com' --challenge-alias domain-parked-at-cloudflare.com --dns dns_cf

Here dns_cf tells the script to use the CloudFlare authenticator script. The wildcard is quoted so that the shell does not expand it against files in the current directory.
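As an added example (not code from this post or from the acme.sh project), here is a small POSIX shell wrapper around the issue step above. It assumes the acme.sh DNS alias convention, a CNAME from _acme-challenge.<your-domain> to _acme-challenge.<alias-domain>, and checks with dig that the CNAME is in place before calling docker exec, since a missing or mistyped CNAME is the usual reason alias-mode validation fails. It also quotes the wildcard so the shell cannot expand it, passes the CloudFlare credentials to the exec'd process with docker exec -e (a documented acme.sh option) instead of writing them into dns_cf.sh with sed, and requests the apex name alongside the wildcard, which is my addition, since a wildcard cert does not cover domain.com itself. The domain names in the comments and usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh itself.
# Assumptions: the alias CNAME follows the acme.sh convention
#   _acme-challenge.<domain>  CNAME  _acme-challenge.<alias-domain>
# and CloudFlare credentials are supplied via the CF_Email / CF_Key
# environment variables that dns_cf.sh reads. Domain names are placeholders.

# The CNAME record that must exist for <domain> to be validated via <alias>.
alias_record() {
  printf '_acme-challenge.%s CNAME _acme-challenge.%s\n' "$1" "$2"
}

# Pure string comparison (testable without a resolver): does the CNAME target
# a resolver returned (trailing dot optional) point at the alias domain?
cname_matches() {
  observed=${1%.}
  alias=$2
  [ -n "$observed" ] && [ "$observed" = "_acme-challenge.$alias" ]
}

# Live pre-flight check with dig; fails if the record is missing or wrong,
# so we never spend an ACME attempt on a domain whose delegation is not set.
check_alias_cname() {
  domain=$1; alias=$2
  observed=$(dig +short CNAME "_acme-challenge.$domain" 2>/dev/null | head -n 1)
  if cname_matches "$observed" "$alias"; then
    echo "ok: $(alias_record "$domain" "$alias")"
  else
    echo "CNAME missing or wrong for _acme-challenge.$domain" \
         "(got '${observed:-none}', want _acme-challenge.$alias)" >&2
    return 1
  fi
}

# Issue the wildcard (plus apex) cert through the running acme.sh container.
# The wildcard is quoted so the shell cannot glob it, and the credentials are
# passed as environment variables of the exec'd process rather than being
# written into dns_cf.sh inside the container.
issue_wildcard() {
  domain=$1; alias=$2
  : "${CF_Email:?export CF_Email first}" "${CF_Key:?export CF_Key first}"
  check_alias_cname "$domain" "$alias" || return 1
  docker exec -e "CF_Email=$CF_Email" -e "CF_Key=$CF_Key" acme.sh \
    --issue -d "*.$domain" -d "$domain" \
    --challenge-alias "$alias" --dns dns_cf
}

# Usage: ./issue.sh domain.com domain-parked-at-cloudflare.com
if [ "$#" -ge 2 ]; then
  issue_wildcard "$1" "$2"
fi
```

Run it as ./issue.sh domain.com domain-parked-at-cloudflare.com with CF_Email and CF_Key exported in the calling shell. The global API key used here grants full access to the CloudFlare account; acme.sh's dns_cf.sh also accepts a scoped API token (CF_Token together with CF_Account_ID or CF_Zone_ID), which limits what a leaked credential can do to the one zone that serves as the alias.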

That's all. If all went well, you should have your new wildcard cert in your ./out directory. Deploy the cert on your web server and restart it.

My next post will be on how I auto-renewed the certs so that they don’t expire.