In one of the previous posts I wrote about getting free certificates for the website using Let’s Encrypt and Certbot. Hope that article was helpful and helped you to save some money on SSL, but one topic remained not covered in that post. What if you’re a lucky owner of a whole domain and you want to get a single wildcard certificate for all your websites in that domain? Running the same webroot strategy won’t work, because it can only prove that you own once specific website, not the whole domain. What do you do in this situation?
Fortunately, certbot provides ton of other strategies and some of them are suitable for getting wildcard certificates as well. You can find the full list of strategies here: https://certbot.eff.org/docs/using.html#dns-plugins.
As you can read in Certbot’s documentation, in order to prove your ownership of the whole domain you need to alter a DNS record for that domain. In this post I’ll focus only on one specific strategy called certbot-dns-cloudflare, but it will give you a good understanding how other DNS strategies work. Why Cloudflare? Two reasons:
– It’s the #2 DNS provider in the world at the moment (https://www.datanyze.com/market-share/dns–4)
– Unlike #1 (Godaddy) it’s not a rip-off and it’s much cheaper. GoDaddy has interesting discounts for the first year, but even then these dicounts typically do not beat Cloudflare’s prices. Currently Cloudflare charges $ 8.03 for a .com domain and Godaddy charges $11.99 for the same for the first year only. After the first year Godaddy starts charging $17.99/year while Cloudflare will keep charging you the same $8.03 more or less.
– GoDaddy’s UI is a highly confusing monstrosity and they keep changing it all the time, just in case if someone figured out how to do things in their UI, so that the people won’t get too comfortable with it.
– among other major DNS registrars GoDaddy is, possibly, the only API-unfriendly exception, they do not have a good integration with Certbot (though some workarounds are possible).
– and besides all that GoDaddy is a terrible name, their marketing only stopped being offensive and somewhat misogynistic just recently and they are focused on their profits, not user’s convenience in my humble opinion. You may or may not agree with all these points, but I’m just expressing my personal opinion about these two companies, so you have it.
Bottom line: there is absolutely no reason for using inferior GoDaddy offerings in 2020 when there is cheaper, better and a lot more user-friendly Cloudflare.
Anyway, back to the free SSL. Here is the command you need to issue in order to get the certificates (assuming that you have docker engine running on your computer). Don’t run it yet, finish reading this page, but let’s look at it:
CERT_DIR=/data/ssl/cert
CONFIG_FILE=/data/ssl/config.ini
EMAIL=youremail@example.com
DOMAIN=*.example.com
docker run -it --rm --name certbot -v ${CONFIG_FILE}:/config.ini:ro -v ${CERT_DIR}:/etc/letsencrypt certbot/dns-cloudflare certonly --dns-cloudflare --dns-cloudflare-credentials /config.ini --email ${EMAIL} -d ${DOMAIN} -n --agree-tos
# if you're running nginx in a docker container, then ask it to re-read the config:
docker exec nginx /usr/bin/killall -HUP nginx
Let’s see what’s in this command:
- First, we define a bunch of variables that will be used in the command (I extracted parameters into variables for your convenience):
- CERT_DIR – this is the directory where the resulting certificate will be placed. More specifically, after this command is done, Certbot will create ${CERT_DIR}/<domain_without_*>/live directory that will contain the issued certificate and some helpful information in the README files
- CONFIG_FILE – this is the file containing the cloudflare token to make the updates to the DNS record (more on this later)
- EMAIL – similar to the command from the previous post – your email where you will receive the notifications about the domain renewals
- DOMAIN – the domain you’re getting the certificate for
- The rest are the arguments for the certbot that configure the magic:
- certonly – means that you want to obtain the certificate (rather than obtain and install it)
- –dns-cloudflare – tells certbot that you want to use the dns-cloudflare plugin to authenenticate
- –dns-cloudflare-credentials tells certbot where to find the Cloudflare token (relative to the running container), more on this later
- -n –agree-tos – these two arguments will make the command without asking you questions (in a non-interactive mode assuming that you agreed with the terms of service)
- Finally, since we (re)generated the certificate, we need to ask nginx to re-read the config. The last command does just that
One last thing remaining before you run the commands above is creating the file containing the Cloudflare API token. In order to get the token do the following:
- login into your Cloudflare account
- go to the domain overview page (any domain, not necessarily the one you’re going to get the certificate for)
- In the right sidebar click “Get your API token”
- On the new page click “Create Token”
- Ignore the templates and just click “Create Custom Token” -> “Get Started” below the list of the available templates
- This will bring you to the page where you need to configure the token as following:
- Token Name – give it a good name so that later you can understand why did you create this token 5 years ago
- Permissions – select the following permissions:
- Zone : DNS : Edit
- Zone : Zone : Read
- Zone Resources – select Include : Specific Zone: <your domain name>
- IP Address Filtering – optional, but highly recommended for security reasons, enter the IP address from which you will be running the certbot command. The IP needs to be static and it has to be the public IP address of your server. If you will decide to enter this value and enter it incorrectly, then when you will run the certbot command you will see an error message with the correct IP address. You will be able to edit the token configuration and fix the IP address.
That’s it for this page, click “Continue to Summary”. On the new page review the token parameters for correctness and click “Create Token”. This will bring you to the page where you will be able to copy the token.
Now return back to your server and let’s create that config.ini file. It should look like this:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = <your Cloudflare token>
The first line is just a comment that will help you to understand what this file is used for and the second line defines the actual token. Paste your token from the Cloudflare page here.
Finally, don’t forget to put a script running these commands into the crontab. The certificate you just got will only last for 90 days, so rerunning this command (and forcing the web server to re-read the certificate) will ensure that it will get renewed automatically.
That’s it! Once you run the commands listed above it will obtain your wildcard certificates and store them in the $CERT_DIR. Now you need to edit your webserver, point it to the certificates and restart (or force it to re-read the config files as shown above). Congrats, you just saved ton of money. The cheapest wildcard certificate at the moment costs $38.88/yr (when you pay for 4 years in advance on ssls.com) and you just got it for free :)