Wildcard SSL certificate

Linux

Self-generated certificate is good for bootstrapping purpose but sooner than later we need a valid SSL certificate for all services (IMAPS, HTTPS, DoT etc).

1. Install

  pacman -S certbot certbot-nginx

2.1 Manual generation

Init the certificate generation

  certbot certonly --manual -d "*.costan.ro" -d "costan.ro"

The above tool spits out a DNS challenge that we need to set as a DNS TXT record.

Set the DNS TXT record

It depends on your DNS provider but usually is as simple as adding a new record.

  grep acme /etc/nsd/zones/costan.ro
_acme-challenge                       IN  TXT     "PDFYVU1v3Jlo6Yeo50-LHiokC8PwNeZl_-FCz13CKPs"

Check using local DNS server first (mind @ns.costan.ro local DNS server at the end)

  dig +short TXT _acme-challenge.costan.ro @ns.costan.ro
PDFYVU1v3Jlo6Yeo50-LHiokC8PwNeZl_-FCz13CKPs

Wait for DNS propagation and check using public (or default) DNS server. This "wait" part is important otherwise LetsEncrypt won't be able to resolve the DNS challenge and SSL generation process will fail.

  dig +short TXT _acme-challenge.costan.ro @8.8.8.8
PDFYVU1v3Jlo6Yeo50-LHiokC8PwNeZl_-FCz13CKPs

Finish the certificate generation

Once the DNS TXT change is propagated press "ENTER" and certbot tool will generate all certificate files.

List the certificate

  certbot certificates

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: costan.ro
    Serial Number: 4f6208230dcfb39f339295c19a5eb7781fa
    Key Type: ECDSA
    Domains: *.costan.ro
    Expiry Date: 2023-03-19 12:40:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/costan.ro/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/costan.ro/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Usage

Change configuration files for all public services (Postfix, Dovecot, Nsd, etc) and point to newly generated fullchain.pem and privkey.pem files.

  postconf -n | grep -E "smtpd_tls_.*_file"
smtpd_tls_cert_file = /etc/letsencrypt/live/costan.ro/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/costan.ro/privkey.pem
  doveconf ssl_cert ssl_key
ssl_cert = </etc/letsencrypt/live/costan.ro/fullchain.pem
ssl_key = </etc/letsencrypt/live/costan.ro/privkey.pem

Checker

And last, check installed SSL cert using an SSLlabs online checker or openssl tool.

  openssl s_client -connect www.costan.ro:443

Renew

Unfortunately, for manual generated certificate there is no way to renew, we can only execute the whole manual process again and generate new certificate.

2.2 Automated generation

TBD: in 3 months, before the expiry date above.

comments powered by Disqus