SSL Letsencrypt Wildcard Cert Issue, Renew, and Best Practices

jcstudio · Feb 10, 2024

I've been trying to find the best practices around setting up and renewing Wildcard SSL certs via acme.sh but I'm not finding a clear explanation on how that can be done from within the framework (#2, #22, etc.). I was wondering if asking for *.newdomain.com from the cli using nv or #2 or #22 would be sufficient to issue a Wildcard cert that you can point other vhosts to later?

The issue that I'm seeing is that we will have www. ftp. mail. sftp. phpmyadmin. etc... and issuing a different cert for each subdomain isn't supported "in the box". I thought it could be supported with a script that allows people to define their domain and all of their subdomains which would give Letsencrypt the info needed to issue a SAN multi-domain cert or issue a Wildcard but either way it needs to be automatically renewed and how you use it should be laid out so we'll know how to point nginx vhosts to it and other applications that need it like email servers, sftp servers, etc.

If this is all explained somewhere please share the link but I couldn't find it hence the post. Thank you!

eva2000 · Feb 11, 2024

Centmin Mod's native centmin.sh menu option 2, 22, nv commands or addons/acmetool.sh for Nginx vhost setup or Wordpress install as outlined at Letsencrypt Free SSL Certificates only issue free Letsencrypt SSL certificates on a per hostname basis instead of a single wildcard for easier automation.

One reason why I went per hostname issuance is that Letsencrypt requires wildcard SSL certificates to use DNS TXT record domain validation and not usual easier domain control validation (DCV) via domain.com/.well-known/* which I can automate for.

So the average Centmin Mod user isn't going to be in a position to do domain DNS API validation via Centmin Mod's addons/acmetool.sh which uses acme.sh client and is what all centmin.sh menu option 2, 22 and nv commands use for Letsencrypt. I do have test scripts in development for a separate Letsencrypt SSL wildcard mode (mainly for Cloudflare DNS API setups) for Nginx vhost creations. But as they all required DNS API domain validation, it isn't something I have been prepared to release unless I am willing to for free hand hold each user and guide them through possible 100s of DNS provider's API configurations to automate Letsencrypt SSL wildcard issuance

Technically, Centmin Mod can manually do SSL wildcards and DNS API validation (supported via Cloudflare DNS and optionally via a few hidden settings for other domain DNS providers). Centmin Mod officially only supports Cloudflare DNS API for per hostname validations Letsencrypt Free SSL Certificates But if you know how to do it manually via underlying acme.sh used by Centmin Mod with other domain DNS provider's respective API configurations, you can technically do it for any acme.sh supported DNS providers outlined at dnsapi - 159 DNS providers currently listed. Here's an manual example of creating Centmin Mod Nginx vhost with Letsencrypt SSL Wildcard certificate using Cloudflare DNS API and manually setting up Nginx vhost changes at centmin mod wildcard letsencrypt ssl cert with cloudflare token based api. No free support is provided by me, so you'd be on your own or you can hire me for $$$

The closest you can come to multiple hostname based Letsencrypt SSL certificates is via /usr/local/src/centminmod/addons/acmetool.sh command line method outlined in thread at https://community.centminmod.com/th...ing-thread-for-centmin-mod-123-09beta01.8290/ - specifically for SANS Multi-Domain SSL Certificates which would require you to know before hand all the hostnames you want covered by the auto issued Letsencrypt SSL certificate.
eva2000 said: ↑
SANS Multi-Domain SSL Certificates

One of the extended features only available in SSH command line addons/acmetool.sh and not available in the menu mode, is support for multi-domain SAN SSL certificates. Meaning a single SSL certificate that covers more than one domain name i.e. to cover domain1.com and domain2.com.

In the context of Nginx vhost auto generation there's not much use for SAN SSL certificates as requirement for Letsencrypt SSL is for domain validation they'd have to resolve to the same public web root - so domain1.com and domain2.com will serve the same files form web root at /home/nginx/domains/domain1.com/public. Not many folks would need domain1.com and domain2.com to point to same web site unless for domain parking. Though a legit use would be if you want to cover different domain extensions to same site i.e. cover domain1.com, domain1.net, domain1.org, domain1.xyz all on the same SAN SSL certificate that point to same files from web root at /home/nginx/domains/domain1.com/public.

To do addons/acmetool.sh SAN SSL certificate, the domain names need to be passed via a comma separated list without spaces.

Example for domain1.com and domain2.com coverage. You need to specify the www for domain2.com specifically too. For the 1st domain listed, acmetool.sh automatically detects if your domain is top level or not and appends the www version of domain1.com
Code (Text):
./acmetool.sh issue domain1.com,domain2.com,www.domain2.com lived
last option flag for lived = live letsencrypt SSL certificate set as HTTPS default as outlined in 3rd post at https://centminmod.com/acmetool/

Full output of course validation failed as this was dummy domains without proper DNS setup.
Code (Text):
./acmetool.sh issue domain1.com,domain2.com,www.domain2.com lived

-----------------------------------------------------
updating acme.sh client...
-----------------------------------------------------
[Sat Aug 13 23:42:00 UTC 2016] Installing to /root/.acme.sh
[Sat Aug 13 23:42:00 UTC 2016] Installed to /root/.acme.sh/acme.sh
[Sat Aug 13 23:42:00 UTC 2016] OK, Close and reopen your terminal to start using acme.sh
[Sat Aug 13 23:42:00 UTC 2016] Installing cron job
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Aug 13 23:42:00 UTC 2016] Good, bash is installed, change the shebang to use bash as prefered.
[Sat Aug 13 23:42:00 UTC 2016] OK
https://github.com/Neilpang/acme.sh
v2.4.0
-----------------------------------------------------
acme.sh updated
-----------------------------------------------------
domain1.com,domain2.com,www.domain2.com

-----------------------------------------------------------
issue & install letsencrypt ssl certificate for domain1.com
-----------------------------------------------------------
/root/.acme.sh/acme.sh --staging --issue -d domain1.com -d domain2.com -d www.domain2.com -d www.domain1.com -w /home/nginx/domains/domain1.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot
[Sat Aug 13 23:42:02 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Sat Aug 13 23:42:02 UTC 2016] Skip register account key
[Sat Aug 13 23:42:02 UTC 2016] Multi domain='DNS:domain2.com,DNS:www.domain2.com,DNS:www.domain1.com'
[Sat Aug 13 23:42:02 UTC 2016] Verify each domain
[Sat Aug 13 23:42:02 UTC 2016] Getting webroot for domain='domain1.com'
[Sat Aug 13 23:42:02 UTC 2016] Getting token for domain='domain1.com'
[Sat Aug 13 23:42:05 UTC 2016] Getting webroot for domain='domain2.com'
[Sat Aug 13 23:42:05 UTC 2016] Getting token for domain='domain2.com'
[Sat Aug 13 23:42:08 UTC 2016] Getting webroot for domain='www.domain2.com'
[Sat Aug 13 23:42:08 UTC 2016] Getting token for domain='www.domain2.com'
[Sat Aug 13 23:42:11 UTC 2016] Getting webroot for domain='www.domain1.com'
[Sat Aug 13 23:42:11 UTC 2016] Getting token for domain='www.domain1.com'
[Sat Aug 13 23:42:13 UTC 2016] Verifying:domain1.com
[Sat Aug 13 23:42:22 UTC 2016] domain1.com:Verify error:DNS problem: SERVFAIL looking up A for domain1.com
Click to expand...

eva2000 · Feb 11, 2024

jcstudio said: ↑

how you use it should be laid out so we'll know how to point nginx vhosts to it and other applications that need it like email servers, sftp servers, etc.
Click to expand...

Reason this hasn't come up for Centmin Mod is, that it doesn't provide smtp inbound mail servers so requiring SSL certificate that is domain validated on Centmin Mod isn't required as well. Those functions/features would usually be handled by 3rd party @domain mail providers like Google Workspace, MXRoute, Microsoft 365, Zoho Mail etc

Log in / Register

Forums

Discover Centmin Mod today

SSL Letsencrypt Wildcard Cert Issue, Renew, and Best Practices

jcstudio New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

SSL Letsencrypt Wildcard Cert Issue, Renew, and Best Practices

jcstudio New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.