{"id":572,"date":"2018-11-08T17:42:50","date_gmt":"2018-11-08T16:42:50","guid":{"rendered":"http:\/\/btrnaidu.com\/?p=572"},"modified":"2018-11-08T17:43:58","modified_gmt":"2018-11-08T16:43:58","slug":"wildcard-ssl-cert-using-letsencrypt-and-acme-sh","status":"publish","type":"post","link":"https:\/\/btrnaidu.com\/index.php\/wildcard-ssl-cert-using-letsencrypt-and-acme-sh\/","title":{"rendered":"Wildcard SSL cert using letsencrypt and acme.sh"},"content":{"rendered":"\n<p>Earlier I published an article on generating wildcard SSL certs using <a href=\"https:\/\/btrnaidu.com\/index.php\/wildcard-ssl-cert-using-letsencrypt\/\">certbot-auto<\/a>.<\/p>\n\n\n\n<p>With the latest update of letsencrypt, auto-renew became a challenge, as letsencrypt wanted to verify that you still own the domain by having you create a TXT record in your domain. After a series of discussions on my issue about &#8220;<a href=\"https:\/\/community.letsencrypt.org\/t\/error-autorenew-of-cert-authenticator-plugin-that-can-do-challenges-over-dns\/76658\/17\">how to renew the certificate automatically<\/a>&#8221;, I came to know that it is no longer possible without writing an authenticator script. The authenticator script would give API access to my domain so that TXT records can be created automatically, allowing domain verification for certbot-auto to proceed.<\/p>\n\n\n\n<p>My issue was even bigger. My domains were parked at GoDaddy, DigitalOcean, CloudFlare, Google etc., i.e., I would need to give API access to all these domain hosts, and therefore a different authenticator script for each. This was really getting challenging.<\/p>\n\n\n\n<p>From the discussion in the community thread, I came across <a href=\"https:\/\/github.com\/Neilpang\/acme.sh\">an ACME Shell script<\/a>. The interesting feature this script had was <a href=\"https:\/\/github.com\/Neilpang\/acme.sh\/wiki\/DNS-alias-mode\">DNS alias mode<\/a>. Using 
this mode, I can create a CNAME record at all my domains hosted at various hosts and point them to one domain hosted at CloudFlare. What the script does, using the <strong>Domain Alias mode<\/strong>, is create the TXT records in my alias domain, which is parked at CloudFlare, and verify my domain ownership there. Now only one authenticator script is needed to validate all my domains, and that is the one for CloudFlare. Thank you to the letsencrypt community forum for this input.<\/p>\n\n\n\n<p>Here I describe the steps of how I achieved this using the ACME Shell script. I love docker, so I used the <a href=\"https:\/\/github.com\/Neilpang\/acme.sh\/wiki\/Run-acme.sh-in-docker\">ACME docker image<\/a> to generate the cert.<\/p>\n\n\n\n<p>Start by creating the ACME docker container:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ docker run -itd -v \"$(pwd)\/out\":\/acme.sh --net=host --name=acme.sh neilpang\/acme.sh daemon<\/pre>\n\n\n\n<p>This will start your container with the name <em>acme.sh<\/em>. The next step is to get an API key for your account at CloudFlare. Follow this <a href=\"https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/200167836-Where-do-I-find-my-Cloudflare-API-key-\">link<\/a> to find it. Once you have the API key, you need to modify the pre-supplied authenticator script with your CloudFlare credentials. As the container is built on <strong>alpine<\/strong>, it has only very basic tools, so editing the authenticator script in place was not very easy. I used <strong>sed<\/strong> to perform this job.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ docker exec acme.sh sed -i.bak 's\/#CF_Email=\"xxxx@sss.com\"\/CF_Email=\"<strong>your-cloudflare-account-email-address<\/strong>\"\/' \/root\/.acme.sh\/dnsapi\/dns_cf.sh<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">$ docker exec acme.sh sed -i.bak 
's\/#CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\"\/CF_Key=\"<strong>your-cloudflare-api-key<\/strong>\"\/' \/root\/.acme.sh\/dnsapi\/dns_cf.sh<\/pre>\n\n\n\n<p>Do not forget to substitute <strong>your-cloudflare-account-email-address<\/strong> and <strong>your-cloudflare-api-key<\/strong> with your own credentials in the two sed commands above. Once that is done, one last command will generate the wildcard cert for you.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ docker exec acme.sh --issue -d *.domain.com --challenge-alias domain-parked-at-cloudflare.com --dns dns_cf<\/pre>\n\n\n\n<p>Here <em><strong>dns_cf<\/strong><\/em> tells the script to use the authenticator script for <strong>C<\/strong>loud<strong>F<\/strong>lare, and <em><strong>--challenge-alias<\/strong><\/em> names the domain parked at CloudFlare that the CNAME records point to.<\/p>\n\n\n\n<p>That&#8217;s all. If all is fine then you should have your new wildcard cert placed in your <strong>.\/out<\/strong> directory. Deploy the cert on your webserver and restart it.<\/p>\n\n\n\n<p>My next post will be on how I auto-renewed the certs so that they don&#8217;t expire.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier I published an article on generating wildcard SSL certs using certbot-auto. With the latest update of letsencrypt, auto-renew became a challenge, as letsencrypt wanted to verify that you still own the domain by having you create a TXT record in your domain. After a series of discussions on my issue about &#8220;how to renew the certificate &hellip; <a href=\"https:\/\/btrnaidu.com\/index.php\/wildcard-ssl-cert-using-letsencrypt-and-acme-sh\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Wildcard SSL cert using letsencrypt and 
acme.sh<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[140],"tags":[165,187,141],"class_list":["post-572","post","type-post","status-publish","format-standard","hentry","category-letsencrypt","tag-ssl","tag-cert","tag-letsencrypt"],"_links":{"self":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts\/572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/comments?post=572"}],"version-history":[{"count":3,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts\/572\/revisions"}],"predecessor-version":[{"id":584,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts\/572\/revisions\/584"}],"wp:attachment":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/media?parent=572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/categories?post=572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/tags?post=572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}