
How to get a wildcard SSL certificate with Let's Encrypt and Cloudflare on a Linux server (CentOS/Debian/Ubuntu)

Let's consider obtaining an SSL certificate for a domain and all of its subdomains through DNS validation, using CloudFlare as one of the most popular DNS services.

In this article, we explore how to obtain an SSL certificate for a domain and all of its subdomains through DNS validation using CloudFlare.

What is an SSL certificate?

SSL (Secure Sockets Layer) certificates are a key element in providing a secure connection between a client and a server on the Internet. They are used to authenticate the server and to encrypt the data transmitted between the client and the server.

What is a wildcard SSL certificate?

A wildcard SSL certificate is a type of SSL certificate that can be used to secure multiple subdomains, indicated by a wildcard character — an asterisk (*) — in the domain name field.

How and when to use a wildcard SSL certificate?

Obtaining a wildcard SSL certificate is a way to secure an unlimited number of subdomains with a single certificate. It works with any first-level subdomain of the primary domain name it is issued for (for example, app.example.com, but not a.b.example.com).

Wildcard SSL is a good option when you have a single domain with multiple first-level subdomains, or plan to add such subdomains in the future. With a wildcard SSL certificate, you can protect all of your subdomains at once.

How to get a free wildcard SSL certificate?

As you know, CloudFlare does not provide wildcard proxying, and accordingly wildcard certificates, on its free plan.


1) Install the latest version of certbot

For CentOS 7

yum install epel-release -y
yum install git python3 python3-pip -y

For CentOS Stream 8 +

dnf install epel-release -y
dnf install git python3 python3-pip -y

For Debian/Ubuntu

apt-get update
apt-get install git python3 python3-pip -y

Clone and install the current version of certbot

cd /usr/src/
git clone https://github.com/certbot/certbot
cd certbot/
python3 setup.py install

2) Install the DNS CloudFlare plugin

pip3 install certbot-dns-cloudflare

Check that the plugin is installed correctly

/usr/local/bin/certbot plugins

We should get output like the following:

* dns-cloudflare
...
* standalone
...
* webroot
...

3) Get the API key for our CloudFlare account from the panel and write it to a file

My profile – API tokens – Global API Key – View (click)

Write the account e-mail and the API key to a file. This key grants full access to the CloudFlare account, which is why the file is made readable only by root:

echo dns_cloudflare_email = YourMailAccOnCF@example.com > /root/cloudflaredns
echo dns_cloudflare_api_key = 3outy1zk0juw6qm80ao37ywnkl2u69fv53820 >> /root/cloudflaredns
chmod 600 /root/cloudflaredns

4) Receive the certificate for the domain

DOMAIN=WildCardDomain.com
CFMAIL=YourMailAccOnCF@example.com
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d ${DOMAIN} -d "*.${DOMAIN}"

5) Re-issue the SSL certificate automatically every month

mkdir -p /root/sbin/
cat > /root/sbin/letsencrypt-dns-update << EOL
#!/bin/bash
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d "${DOMAIN}" -d "*.${DOMAIN}"
EOL
chmod 755 /root/sbin/letsencrypt-dns-update
# Runs at 01:01 on the 1st of every month, after a random delay of up to 10400 seconds
echo '01 01 01 *  * root (sleep `shuf -i 1-10400 -n 1`s ; /root/sbin/letsencrypt-dns-update)' > /etc/cron.d/letsencrypt-dns-update

You can find your SSL certificate at the path:

/etc/letsencrypt/live/WildCardDomain.com/
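A check to run after the certificate has been issued, as an added example that is not part of the original post: it confirms that the certificate lists both the apex name and its wildcard in subjectAltName and is still valid for at least 30 days (the point at which certbot starts renewing). The example.test domain and the self-signed certificate it builds are constructed for the demo; on a real server you would point check_lineage at /etc/letsencrypt/live/WildCardDomain.com instead.

```shell
#!/bin/bash
# Added example, not from the original post. Verifies a Let's Encrypt lineage
# directory holds a certificate covering DOMAIN and *.DOMAIN with time left.
set -u

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only when both DOMAIN and *.DOMAIN are present in the SAN list.
cert_covers_wildcard() {
    local cert=$1 domain=$2 sans
    sans=$(cert_sans "$cert")
    printf '%s\n' "$sans" | grep -qxF "$domain" &&
        printf '%s\n' "$sans" | grep -qxF "*.$domain"
}

# Succeed when the certificate is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample: a self-signed certificate with apex + wildcard SANs,
# valid for 90 days, standing in for the real fullchain.pem of a lineage.
make_sample_cert() {
    local dir=$1 domain=$2
    openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -days 90 -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:*.$domain" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Report on one lineage directory; exit status 1 when it needs attention.
check_lineage() {
    local dir=$1 domain=$2 status=0
    cert_covers_wildcard "$dir/fullchain.pem" "$domain" \
        || { echo "MISSING SAN: $domain or *.$domain not covered"; status=1; }
    cert_valid_for_days "$dir/fullchain.pem" 30 \
        || { echo "EXPIRING: fewer than 30 days left"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $domain and *.$domain valid for 30+ days"
    return "$status"
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" example.test
check_lineage "$demo_dir" example.test
rm -rf "$demo_dir"
```

Running it from the monthly cron job after the certbot call, and alerting when check_lineage returns 1, catches a renewal that silently stopped working.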

Ready-made script for certificate issuance

For CentOS 7

DOMAIN=WildCardDomain.com
CFMAIL=YourMailAccOnCF@example.com
CFAPIKEY=3outy1zk0juw6qm80ao37ywnkl2u69fv53820
yum install epel-release -y
yum install git python3 python3-pip -y
cd /usr/src/
git clone https://github.com/certbot/certbot
cd certbot/
python3 setup.py install
pip3 install certbot-dns-cloudflare
echo dns_cloudflare_email = ${CFMAIL} > /root/cloudflaredns
echo dns_cloudflare_api_key = ${CFAPIKEY} >> /root/cloudflaredns
chmod 600 /root/cloudflaredns
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d "${DOMAIN}" -d "*.${DOMAIN}"
mkdir -p /root/sbin/
cat > /root/sbin/letsencrypt-dns-update << EOL
#!/bin/bash
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d "${DOMAIN}" -d "*.${DOMAIN}"
EOL
chmod 755 /root/sbin/letsencrypt-dns-update
echo '01 01 01 *  * root (sleep `shuf -i 1-10400 -n 1`s ; /root/sbin/letsencrypt-dns-update)' > /etc/cron.d/letsencrypt-dns-update
# Shows every file in the lineage, including privkey.pem, on the terminal
tail -n 1000 /etc/letsencrypt/live/${DOMAIN}/*

For CentOS Stream 8 +

DOMAIN=WildCardDomain.com
CFMAIL=YourMailAccOnCF@example.com
CFAPIKEY=3outy1zk0juw6qm80ao37ywnkl2u69fv53820
dnf install epel-release -y
dnf install git python3 python3-pip -y
cd /usr/src/
git clone https://github.com/certbot/certbot
cd certbot/
python3 setup.py install
pip3 install certbot-dns-cloudflare
echo dns_cloudflare_email = ${CFMAIL} > /root/cloudflaredns
echo dns_cloudflare_api_key = ${CFAPIKEY} >> /root/cloudflaredns
chmod 600 /root/cloudflaredns
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d "${DOMAIN}" -d "*.${DOMAIN}"
mkdir -p /root/sbin/
cat > /root/sbin/letsencrypt-dns-update << EOL
#!/bin/bash
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d "${DOMAIN}" -d "*.${DOMAIN}"
EOL
chmod 755 /root/sbin/letsencrypt-dns-update
echo '01 01 01 *  * root (sleep `shuf -i 1-10400 -n 1`s ; /root/sbin/letsencrypt-dns-update)' > /etc/cron.d/letsencrypt-dns-update
# Shows every file in the lineage, including privkey.pem, on the terminal
tail -n 1000 /etc/letsencrypt/live/${DOMAIN}/*

For Debian/Ubuntu

DOMAIN=WildCardDomain.com
CFMAIL=YourMailAccOnCF@example.com
CFAPIKEY=3outy1zk0juw6qm80ao37ywnkl2u69fv53820
apt-get update
apt-get install git python3 python3-pip -y
cd /usr/src/
git clone https://github.com/certbot/certbot
cd certbot/
python3 setup.py install
pip3 install certbot-dns-cloudflare
echo dns_cloudflare_email = ${CFMAIL} > /root/cloudflaredns
echo dns_cloudflare_api_key = ${CFAPIKEY} >> /root/cloudflaredns
chmod 600 /root/cloudflaredns
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d "${DOMAIN}" -d "*.${DOMAIN}"
mkdir -p /root/sbin/
cat > /root/sbin/letsencrypt-dns-update << EOL
#!/bin/bash
/usr/local/bin/certbot certonly -n -m ${CFMAIL} --agree-tos --expand --dns-cloudflare --dns-cloudflare-credentials /root/cloudflaredns --dns-cloudflare-propagation-seconds 30 -d "${DOMAIN}" -d "*.${DOMAIN}"
EOL
chmod 755 /root/sbin/letsencrypt-dns-update
echo '01 01 01 *  * root (sleep `shuf -i 1-10400 -n 1`s ; /root/sbin/letsencrypt-dns-update)' > /etc/cron.d/letsencrypt-dns-update
# Shows every file in the lineage, including privkey.pem, on the terminal
tail -n 1000 /etc/letsencrypt/live/${DOMAIN}/*

How to convert a wildcard SSL certificate to PEM?

Privacy Enhanced Mail (PEM) is one of the most widely used formats for storing SSL certificates.

There are the following SSL certificate formats:

PEM (Privacy Enhanced Mail): This format uses Base64 encoding and can contain one or more data components such as certificates, private keys or entire trust chains. It’s a common format supported by many software applications.

DER (Distinguished Encoding Rules): This format uses binary encoding rather than Base64. It is usually found in binary files such as .cer certificates.

PKCS#12 (Personal Information Exchange Syntax Standard): This format combines private keys and a trust chain in one file. It is often used to export or import keys and certificates between different software applications.

Advantages of the PEM format

  • can be read by a human, since the Base64 encoding is plain text
  • widely supported by software applications and operating systems

How to convert an SSL certificate to PEM:

Example 1: Converting a certificate from DER to PEM:

openssl x509 -inform DER -in certificate.cer -out certificate.pem

Example 2: Converting a PKCS#12 file to PEM:

openssl pkcs12 -in keycert.p12 -out keycert.pem -clcerts   # writes the client certificate and its (passphrase-protected) key

Example 3: Private key retrieval from PKCS#12 and converting it to PEM:

openssl pkcs12 -in keycert.p12 -nocerts -nodes -out privatekey.pem   # -nodes leaves the key unencrypted, so protect the file

Why convert a certificate to the PEM format?

There are several reasons to convert an SSL certificate to the PEM format. They include:

  1. Setting up web servers: web servers such as Apache or Nginx typically require SSL certificates in the PEM format to provide a secure connection.
  2. API servers: if you are building an API, you can use PEM certificates for transport security and authentication.
  3. Payment processing: a secure SSL connection using PEM certificates is required for payment and confidential data processing.
  4. Electronic mail: PEM certificates can be used for message encryption and digital signatures.