Let’s Encrypt generating Wildcard SSL certificate using Certbot

Generate valid SSL certificates using Certbot cli and renewals

Basics

SSL certificates are small data files that digitally bind a cryptographic key to an organisation's details. When installed on a web server, the certificate enables the padlock and the https protocol, allowing secure connections between the web server and a browser. Commonly, SSL is used to secure credit card transactions, data transfers and logins, and more recently it has become the norm for securing browsing of social media sites.

Intro

Recently, I started switching all my soon-expiring certificates to Amazon-issued ones, which are stored automatically in AWS ACM. A limitation of that approach is that such certificates cannot be exported. For that reason, I started using Let's Encrypt, which lets me generate, use and store SSL certificates locally.

  • Certbot and the AWS CLI (installed here with Homebrew on macOS; check the versions afterwards)

brew install awscli
brew install certbot
$ sudo certbot --version
certbot 1.4.0
$ aws --version
aws-cli/2.0.10 Python/3.8.3 Darwin/19.5.0 botocore/2.0.0dev14

Generating The Wildcard SSL Certificate using certbot cli

At this stage you should have the certbot cli installed. Run the manual DNS-01 challenge for the wildcard name (the email and domain below are placeholders):

certbot certonly --manual \
--preferred-challenges=dns \
--email marcin@hotmail.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos \
--manual-public-ip-logging-ok \
-d "*.domain.com"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:
SiPbTUGdqp37WnMNnG17N4qoZEVIiuO_MivrrhYmW-Y
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2020-09-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

Find the SSL Certificate

After your certificate has been generated successfully, you can find the files in the default location:

/etc/letsencrypt/live

More about folder structure and naming

All generated keys and issued certificates can be found in /etc/letsencrypt/live/${domain}. In the case of a SAN certificate with multiple alternative names, ${domain} is the first domain passed in via the -d parameter. Rather than copying the files, point your (web) server configuration directly at them (or create symlinks): during renewal, /etc/letsencrypt/live is updated in place with the latest files.

Available files for each certificate

Inside that folder you will find the following files:

Verify validity of SSL Certificates generated by Certbot

To do that, run the following command; it lists every certificate certbot manages, its domains, and how long it remains valid:

sudo certbot certificates
Found the following certs:
Certificate Name: domain.com
Serial Number: 4c006834c40af115ed6336331bc93034c97
Domains: *.domain.com
Expiry Date: 2020-09-06 07:51:47+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem
Certificate Name: domain.io
Serial Number: 318d565040c512614e31c77e938f024d256
Domains: *.domain.io
Expiry Date: 2020-09-06 06:28:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.io/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.io/privkey.pem
Certificate Name: domain.net
Serial Number: 31a5f3ecf68387f2a023758f2a7cac58b93
Domains: *.domain.net
Expiry Date: 2020-09-06 07:47:34+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.net/privkey.pem
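The "VALID: n days" figure above is only correct at the moment certbot prints it, so it is worth re-checking regularly. The following is an added example, not code from the original post: a small Python parser for `certbot certificates` output that recomputes the remaining lifetime against a supplied clock and lists the certificates inside the 30-day renewal window; the sample output is constructed from the listing above.

```python
import re
from datetime import datetime

# Constructed sample in the shape `sudo certbot certificates` prints (placeholder names/serials from the write-up).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: domain.com
    Serial Number: 4c006834c40af115ed6336331bc93034c97
    Domains: *.domain.com
    Expiry Date: 2020-09-06 07:51:47+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem
  Certificate Name: domain.io
    Serial Number: 318d565040c512614e31c77e938f024d256
    Domains: *.domain.io
    Expiry Date: 2020-09-06 06:28:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/domain.io/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.io/privkey.pem
"""

FIELD = re.compile(r"^\s*(Certificate Name|Serial Number|Domains|Expiry Date|Certificate Path|Private Key Path): (.*)$")

def parse_stamp(stamp):
    """Parse certbot's 'YYYY-MM-DD HH:MM:SS+00:00' into a timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S%z")

def parse_certbot_certificates(text):
    """Turn `certbot certificates` output into one dict per certificate."""
    certs, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Certificate Name":
            current = {"name": value}
            certs.append(current)
        elif key == "Domains":
            current["domains"] = value.split()  # a SAN cert lists several names here
        elif key == "Expiry Date":
            # "(VALID: n days)" was computed when certbot ran; keep only the timestamp
            current["expires"] = parse_stamp(value.split(" (")[0])
        else:
            current[key.lower().replace(" ", "_")] = value
    return certs

def needing_renewal(certs, now, threshold_days=30):
    """Names of certs expired or expiring within threshold_days of `now`. 30 days is
    certbot's own renewal window; ACM does not renew imported certs, so re-import."""
    return [c["name"] for c in certs if (c["expires"] - now).days < threshold_days]
```

Pipe real output in with `sudo certbot certificates | python3 check_expiry.py` after adding a small `__main__` that reads stdin and calls `needing_renewal` with `datetime.now(timezone.utc)`.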

Uploading certs to AWS ACM

Assuming you have all the files for your generated SSL certificate available, you can use the AWS CLI to import the certificate into ACM. The blob parameters must be given with the fileb:// prefix so the CLI reads the file contents rather than treating the path itself as the value:

aws --region eu-west-1 acm import-certificate \
--certificate fileb:///etc/letsencrypt/live/domain.com/cert.pem \
--private-key fileb:///etc/letsencrypt/live/domain.com/privkey.pem \
--certificate-chain fileb:///etc/letsencrypt/live/domain.com/fullchain.pem

Conclusion

Lead Software/Infrastructure/Devops Engineer and AWS Community Builder
