Sunday, July 21, 2019

Generate wildcard certificate with Let's Encrypt/Certbot and install on GoDaddy, cPanel.

Why is there a need for an SSL certificate?

SSL is the backbone of our secure Internet and it protects your sensitive information as it travels across the world's computer networks. The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it.

If your site doesn't have SSL, Google Chrome and other browsers will flag it as "Not Secure", which means that if you do any kind of transaction on it, there is a high chance that your data will be compromised.



In this post, I'm going to generate a wildcard certificate for my blog site, ashishtiwari.me. A wildcard certificate can be used with subdomains as well, for example:
blog.ashishtiwari.me, contact.ashishtiwari.me, tech.ashishtiwari.me

1. Set up your machine to generate the SSL certificate [ Ubuntu ]. 

apt-get update
apt-get install git-core

2. Install Let's Encrypt/Certbot 

apt-get install letsencrypt

3. Generate SSL certificate using Certbot 

Now, with the help of Certbot, we will generate a wildcard certificate for our test domain, ashishtiwari.me:

# Quote the wildcard so the shell passes it to Certbot unexpanded.
certbot-auto certonly --manual --preferred-challenges=dns --email writetoashishtiwari@gmail.com \
  --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.ashishtiwari.me'

4. Set up a DNS TXT record to authenticate ownership.

For wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we request with the --preferred-challenges=dns flag.

After you run the above command, Certbot prints a value to add to your DNS as a TXT record.


Please deploy a DNS TXT record under the name

_acme-challenge.ashishtiwari.me with the following value:
iroa8XXXhpTah-h4Az4UZuuXslHCdkxIuDiL2XXXv2Y

Create a TXT record in your DNS console and set its name and value:

TXT Record Name  :  _acme-challenge
TXT Record Value  :  iroa8XXXhpTah-h4Az4UZuuXslHCdkxIuDiL2XXXv2Y

4. Finally, generate the certificate.

Once you have authenticated domain ownership by setting up the DNS TXT record, Certbot generates the SSL certificate and the required keys [ PEM/CERTIFICATE ].


IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ashishtiwari.me/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ashishtiwari.me/privkey.pem

    Your cert will expire on 2019-10-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"

  - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

5. Complete Logs.

Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ashishtiwari.me
dns-01 challenge for ashishtiwari.me

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name

_acme-challenge.ashishtiwari.me with the following value:
iroa8XXXhpTah-h4Az4UZuuXslHCdkxIuDiL2XXXv2Y

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
-------------------------------------------------------------------------------

Please deploy a DNS TXT record under the name

_acme-challenge.ashishtiwari.me with the following value:
V781k3nW6GaSdpyfbTYJBJpt1IJYBehMQa1je2gFg3Q
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ashishtiwari.me/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ashishtiwari.me/privkey.pem
    Your cert will expire on 2019-10-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
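
The log above asks you to verify that the record is deployed before pressing Enter, and it hands out two values for the same name; both must exist as separate TXT records when Certbot validates, so overwriting the first with the second makes validation fail. The script below is an added example, not part of the original post or of Certbot: it checks a `dig` answer for every expected value, using the two values printed in the log, constructed `dig` answers, and a placeholder nameserver (ns1.example.net).

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every dns-01 value
# Certbot printed is live in DNS before pressing Enter.

# missing_txt_values ANSWER VALUE...
#   ANSWER: output of `dig +short TXT <name>`, one quoted string per line.
#   Prints each VALUE not found in ANSWER; returns 0 only when none is missing.
missing_txt_values() {
    answer=$1
    shift
    missing=0
    for value in "$@"; do
        # dig wraps TXT data in double quotes; require an exact whole-line match
        if ! printf '%s\n' "$answer" | grep -qxF -e "\"$value\""; then
            printf 'missing: %s\n' "$value"
            missing=1
        fi
    done
    return "$missing"
}

# check_challenge NAME NAMESERVER VALUE...
#   Asks the zone's authoritative nameserver directly, so a resolver's cached
#   answer cannot hide a record that has not been published yet.
check_challenge() {
    name=$1
    ns=$2
    shift 2
    answer=$(dig +short TXT "$name" "@$ns") || return 2
    missing_txt_values "$answer" "$@"
}

# The two values as printed (partly masked) in the log above.
V1='iroa8XXXhpTah-h4Az4UZuuXslHCdkxIuDiL2XXXv2Y'
V2='V781k3nW6GaSdpyfbTYJBJpt1IJYBehMQa1je2gFg3Q'

# Constructed dig answer: the first value was overwritten by the second ...
ONLY_SECOND="\"$V2\""
# ... versus both values saved as separate TXT records under the same name.
BOTH="\"$V1\"
\"$V2\""

missing_txt_values "$ONLY_SECOND" "$V1" "$V2" || echo "not ready: add the missing value as a second TXT record"
missing_txt_values "$BOTH" "$V1" "$V2" && echo "ready: press Enter in Certbot"

# Live use (ns1.example.net is a placeholder for your DNS host's nameserver):
#   check_challenge _acme-challenge.ashishtiwari.me ns1.example.net "$V1" "$V2"
```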

6. Install SSL on cPanel.
Location: Mumbai, Maharashtra, India
