
LetsEncrypt wildcard subdomain certificates using VestaCP

Published Jan 21, 2021. Last updated Feb 05, 2021.

Introduction

Nowadays, all websites are trying to shift from HTTP to HTTPS. The reason is simple: HTTPS encrypts the connection and authenticates the site to the browser. But HTTPS is not new; it has been around for some time. Why, then, the sudden surge? Because browsers have started warning users when a page containing sensitive input fields (a login page, for example) is not served over HTTPS.

SSL Certificates

A domain that is shifting to HTTPS needs a signed SSL certificate. An SSL certificate can be self-signed or signed by a trusted third-party provider (recommended). Although there are many (paid) trusted third-party providers, LetsEncrypt is the most popular (free) one. LetsEncrypt provides free SSL certificates valid for 3 months. The certificates can be renewed before expiry (free of cost), so once an SSL certificate is installed, the domain admin just has to keep renewing it every 3 months.

How to shift from HTTP to HTTPS?

Single subdomain SSL cert + VestaCP

VestaCP users who have a site running on a single subdomain (like www.example.com) can follow these steps:

  • Login to Vesta Control Panel
  • Go to WEB
  • Click EDIT for the domain that needs the SSL certificate
  • Select the SSL Support checkbox and then the LetsEncrypt Support checkbox
  • Click Save
  • Now access your website with https (https://www.example.com)
    VestaCP will take care of auto-renewing the SSL certificates for you.

Wildcard subdomain SSL cert + VestaCP

This gets a little trickier when users want an SSL certificate for a wildcard subdomain (like *.example.com). This is required when the web application serves dynamic subdomains for its clients, for example:

  • Client lorem : lorem.example.com
  • Client ipsum : ipsum.example.com
  • Client dolor : dolor.example.com

LetsEncrypt does not provide a script that auto-renews wildcard subdomain certificates. There is a script, certbot-auto, that can be set up in cron (on Linux) to auto-renew single-domain SSL certificates. The same script can also be used to manually install and renew wildcard subdomain certificates.

The following steps assume that the OS is Linux.

  • Get the certbot-auto utility
    $ wget https://dl.eff.org/certbot-auto
  • Make it executable by all
    $ chmod a+x ./certbot-auto
  • Install the wildcard subdomain SSL certificate (the wildcard names are quoted so the shell does not try to expand them as file globs)
    $ sudo ./certbot-auto certonly \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --manual --preferred-challenges dns \
        -d '*.example.com' -d '*.scm.example.com'

Note: Please replace example.com with your domain.

  • You will get a message similar to this
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.scm.example.com with the following value:
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

DO NOT press Enter yet

You need to open your VPS/shared hosting (DNS) control panel and create or update the DNS TXT record named in the message.

Open another terminal to verify that the DNS TXT record was successfully deployed. You can do so with:

$ nslookup -type=TXT _acme-challenge.scm.example.com

You should get output similar to this:

Server: 192.XXX.XXX.XXX
Address: 192.XXX.XXX.XXX#XX

Non-authoritative answer:
_acme-challenge.scm.example.com    text = "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"
  • Now, return to the previous terminal and press Enter.
    You will get output like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-06-12. To obtain a new or tweaked version of this 
certificate in the future, simply run certbot-auto again. To non-interactively 
renew *all* of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF:    https://eff.org/donate-le

You have successfully installed the SSL certificate for the wildcard subdomain.
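The step above that matters most is the DNS check: pressing Enter before the TXT record is visible makes the challenge fail. The script below is an added example (not part of the original post) that parses nslookup output for the expected token and polls until it appears. Function names and the sample output are assumptions; the sample is constructed from the post's example, with 192.0.2.53 as a placeholder resolver address. It also lets you name a resolver, because a local caching resolver may keep serving an old or empty answer after the record has been published, while LetsEncrypt validates from its own resolvers.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the
# _acme-challenge TXT record certbot asked for is actually visible before
# pressing Enter. Function names and the sample output are assumptions.

# Constructed nslookup output modelled on the post's example. 192.0.2.53 is a
# documentation address standing in for the resolver.
SAMPLE_NSLOOKUP_OUTPUT='Server:    192.0.2.53
Address:   192.0.2.53#53

Non-authoritative answer:
_acme-challenge.scm.example.com    text = "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"'

# extract_txt_values OUTPUT
# Print every quoted TXT value found in nslookup output, one per line.
extract_txt_values() {
    printf '%s\n' "$1" | sed -n 's/.*text = "\([^"]*\)".*/\1/p'
}

# txt_has_value OUTPUT VALUE
# Succeed only if one of the TXT values is exactly VALUE. No substring match:
# a stale record that merely shares a prefix with the new token must not pass.
txt_has_value() {
    extract_txt_values "$1" | grep -Fx -- "$2" >/dev/null
}

# lookup_txt NAME [RESOLVER]
# Run the live query. Naming a resolver (the zone's authoritative name server
# or a public resolver) bypasses the local cache, which may still hold an old
# or empty answer even though the record has been published.
lookup_txt() {
    if [ -n "${2:-}" ]; then
        nslookup -type=TXT "$1" "$2" 2>/dev/null
    else
        nslookup -type=TXT "$1" 2>/dev/null
    fi
}

# wait_for_txt NAME VALUE [RESOLVER] [ATTEMPTS] [INTERVAL_SECONDS]
# Poll until the record carries the expected value or the attempts run out.
wait_for_txt() {
    name=$1; value=$2; resolver=${3:-}; attempts=${4:-20}; interval=${5:-15}
    i=1
    while [ "$i" -le "$attempts" ]; do
        out=$(lookup_txt "$name" "$resolver")
        if txt_has_value "$out" "$value"; then
            echo "OK: $name carries the expected value (attempt $i)"
            return 0
        fi
        echo "attempt $i/$attempts: not visible yet, retrying in ${interval}s" >&2
        i=$((i + 1))
        sleep "$interval"
    done
    echo "FAILED: $name does not carry the expected value" >&2
    return 1
}

# Usage: sh check-txt.sh _acme-challenge.scm.example.com <token> [resolver]
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2" "${3:-}"
fi
```

Run it in the second terminal with the name and value certbot printed; only press Enter in the certbot terminal once it reports OK.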

Configure VestaCP

You need to tell VestaCP about the newly installed certificates.

In Vesta Control Panel

  • Go to WEB > example.com > EDIT
  • Select SSL Support checkbox (DO NOT select the LetsEncrypt Support checkbox).
  • Paste the contents of the following files into the corresponding text areas in Vesta Control Panel (you can run these commands in a terminal to display them):
$ more /etc/letsencrypt/live/example.com/cert.pem
^ Copy contents into "SSL Certificate" field.
$ more /etc/letsencrypt/live/example.com/privkey.pem
^ Copy contents into "SSL Key" field.
$ more /etc/letsencrypt/live/example.com/chain.pem
^ Copy contents into "SSL CA / Intermediate" field.
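Before pasting, it is worth confirming that the three files belong together and cover the names you expect; a key from a different run or a certificate without the bare domain (the problem raised in the comments below) only shows up as a browser error later. The following is an added example, not part of the original post or of VestaCP, using only standard openssl subcommands; the function names and the check_live_dir wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of VestaCP: sanity-check
# the files under /etc/letsencrypt/live/<domain>/ before pasting them into the
# SSL Certificate / SSL Key / SSL CA fields. Function names are assumptions.

# cert_sans CERT_PEM
# Print the DNS names in the certificate's Subject Alternative Name extension,
# one per line (wildcards such as *.example.com appear literally).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//'
}

# cert_covers_name CERT_PEM NAME
# Succeed if NAME is listed exactly in the SAN extension. A wildcard entry
# *.example.com does not cover example.com or www.example.com, which is the
# mismatch that shows up as a browser error on the bare domain.
cert_covers_name() {
    cert_sans "$1" | grep -Fx -- "$2" >/dev/null
}

# cert_matches_key CERT_PEM KEY_PEM
# Succeed if the public key inside the certificate equals the public half of
# the private key, i.e. cert.pem and privkey.pem come from the same run.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_expires_within CERT_PEM DAYS
# Succeed if the certificate expires within DAYS days; openssl's -checkend
# exits non-zero when the certificate will expire inside the window.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_live_dir LIVE_DIR NAME...
# Run all checks against a Let's Encrypt live directory, e.g.
#   sh check-cert.sh /etc/letsencrypt/live/example.com '*.example.com' '*.scm.example.com'
check_live_dir() {
    dir=$1; shift
    status=0
    cert_matches_key "$dir/cert.pem" "$dir/privkey.pem" \
        && echo "OK: privkey.pem matches cert.pem" \
        || { echo "FAIL: privkey.pem does not match cert.pem"; status=1; }
    for n in "$@"; do
        cert_covers_name "$dir/cert.pem" "$n" \
            && echo "OK: certificate covers $n" \
            || { echo "FAIL: certificate does not cover $n"; status=1; }
    done
    if cert_expires_within "$dir/cert.pem" 30; then
        echo "WARN: certificate expires within 30 days; rerun the certbot command"
    fi
    return $status
}

if [ "$#" -ge 1 ]; then
    check_live_dir "$@"
fi
```

The expiry check doubles as a cron reminder for the manual renewal described in the next section: schedule the script and act on the WARN line.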

Certificate Renewal

Wildcard subdomain certificates issued this way (manual DNS challenge) cannot be auto-renewed, but manual renewal is simple.

The renewal command should be exactly the same as the installation command.
Example:

$ sudo ./certbot-auto certonly \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --manual --preferred-challenges dns \
    -d '*.example.com' -d '*.scm.example.com'

Next, the newly generated certificate and key must be copied into the Vesta Control Panel as well; follow the steps in the "Configure VestaCP" section.

Renewal is complete.

Discover and read more posts from Sandesh Patil
Comments (3 replies)
Kevin Hamilton
3 years ago

Thank you for documenting the process. It seems to work very well and VestaCP is now showing the certificate as *.xyz.com, instead of xyz.com. I can go to any of the sub-domains and not get a cert error but the main domain, www.xyz.com or xyz.com now is getting a cert error. Any suggestions on how to fix it?

Sandesh Patil
3 years ago

The process should be followed only for wildcard subdomains. If you have other explicit subdomains like www or dev or mail, you need to install separate certificates for each one of them.

Kevin Hamilton
3 years ago

Thank you. I created a new cert listing xyz.com and *.xyz.com and it seems to be working now.