Adding a Wildcard SSL certificate to a DreamCompute domain

This article guides you through the process of creating a Wildcard 'Let's Encrypt' certificate on your domain hosted on DreamCompute. With this configuration, a single SSL certificate is set up on your primary domain (example.com), and all subdomains under it (such as blog.example.com) are also able to use that certificate.

Configuring your site and instance

This article assumes you've already done the following:

If you've followed those steps, your website and its subdomains will already be resolving from the DreamCompute instance. You can now create the Wildcard certificate to use for all of those domains.

Enable mod_rewrite and ssl

Before continuing, make sure that mod_rewrite and ssl are enabled on your server. You can confirm by running the following commands:

[server]$ ls -1 /etc/apache2/mods-enabled | grep rewrite
[server]$ ls -1 /etc/apache2/mods-enabled | grep ssl

If nothing displays, enable it with the following commands:

[server]$ sudo a2enmod rewrite
[server]$ sudo a2enmod ssl
[server]$ sudo service apache2 reload

Check again and you'll see rewrite and ssl are listed.

[server]$ ls -1 /etc/apache2/mods-enabled | grep rewrite
rewrite.load
[server]$ ls -1 /etc/apache2/mods-enabled | grep ssl
ssl.conf
ssl.load

Creating the certificate

Run the following commands in order to create your Wildcard certificate.

  1. Log into your instance.
  2. Run the commands below to switch to your root user and install a Let's Encrypt certificate.

    Make sure to change 'example.com' to your actual domain name in the command below.

    [server]$ sudo -s
    root@[server]# cd /opt
    root@[server]# git clone git://github.com/certbot/certbot
    root@[server]# /opt/certbot/certbot-auto --manual -d "example.com" -d "*.example.com" --server https://acme-v02.api.letsencrypt.org/directory certonly
  3. When prompted, enter 'y' to continue the installation.
  4. You're asked to enter an email address. Enter any address, but one you have direct access to check.
  5. Enter 'A' to agree to the terms of service.
  6. Choose if you want to share your email with the Electronic Frontier Foundation.
  7. You'll finally be asked the following question:
    -------------------------------------------------------------------------------
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    -------------------------------------------------------------------------------
    (Y)es/(N)o: y
  8. Enter 'y' to continue.
  9. The next prompt will inform you of a new TXT record you must add to your domain.
    -------------------------------------------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.example.com with the following value:
    
    Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE
    
    Before continuing, verify the record is deployed.
    -------------------------------------------------------------------------------

    DO NOT click the 'Enter' key yet. You must first set up this record in your DreamHost panel.

    The simplest way to do this is to press CTRL + C on your keyboard to abort the current terminal process. Next, copy the long TXT record value from your terminal and paste it into your DreamHost panel.

  10. Log into your DreamHost panel and navigate to the Manage Domains page.
  11. Click the 'DNS' link under your domain.
  12. Using the information above, create a new TXT record as follows:
    Enter the following:
    • Name: _acme-challenge
    • Type: TXT
    • Value: Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE
    Click the Add Record Now button to save.
  13. A green 'Success!' message displays, notifying you that the record has been created. The server now requires a few minutes to update this record. Wait at least 15 minutes before proceeding, or open another terminal and run the following command to confirm the record has updated.
    user@server$ dig _acme-challenge.example.com +short txt
  14. Back in your terminal prompt, run the certbot command again. This time, you're instructed to create a customized file for 'Let's Encrypt'. You'll see the following:
    Create a file containing just this data:
    
    EZdd0CuoMENyxMP20TU9QSuX0VGeqSY7vYPPHMeM5_s.l3pHZcFiLUV6rJtRaFjP3BhEM7m1CPUimJifet--_SY
    
    And make it available on your web server at this URL:
    
    http://example.com/.well-known/acme-challenge/EZdd0CuoMENyxMP20TU9QSuX0VGeqSY7vYPPHMeM5_s
    
    Press Enter to Continue
  15. Do not click the 'Enter' key yet. Open up a second terminal. In that new terminal, run the following command to create these directories:
    user@server$ sudo mkdir -p /var/www/example.com/.well-known/acme-challenge
  16. Next, create the file using 'nano'.
    user@server$ sudo nano /var/www/example.com/.well-known/acme-challenge/EZdd0CuoMENyxMP20TU9QSuX0VGeqSY7vYPPHMeM5_s
  17. Add the code mentioned above to it, then save the file.
  18. Back in your first terminal, click the 'Enter' key on your keyboard to continue. It will verify the file you just added, then again tell you to create the txt record. Since you've already created this txt record, click 'Enter' again.
    -------------------------------------------------------------------------------
    Please deploy a DNS TXT record under the name
    _acme-challenge.example.com with the following value:
    
    Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE
    
    Before continuing, verify the record is deployed.
    -------------------------------------------------------------------------------
    
    Click Enter to continue
    
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2018-07-14. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
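The two manual challenges above each have a moment where pressing Enter too early fails the validation: the TXT record must already be visible to DNS, and the challenge file must be served with exactly the content certbot printed. The following Python script is an added example (not part of the DreamHost article or of certbot) that performs those pre-flight checks. It assumes `dig` is installed for the live lookup; the `scripted_lookup` stand-in and the sample key authorization are constructed so the logic can be exercised offline.

```python
# Added example (not part of the DreamHost article or certbot): pre-flight checks
# for the two manual challenges above, so you only press Enter once the record or
# file is really in place. Assumes `dig` is installed for the live DNS lookup.
import subprocess
import tempfile
import time
from pathlib import Path


def txt_record_present(expected, dig_output):
    """True when one line of `dig ... +short txt` output (quoted strings) equals expected."""
    values = [line.strip().strip('"') for line in dig_output.splitlines() if line.strip()]
    return expected in values


def lookup_txt(name):
    """The same query the article runs by hand; returns dig's raw stdout."""
    result = subprocess.run(['dig', name, '+short', 'txt'],
                            capture_output=True, text=True, check=False)
    return result.stdout


def wait_for_acme_txt(domain, expected, limit=900, interval=30,
                      lookup=lookup_txt, sleep=time.sleep):
    """Poll _acme-challenge.<domain> until it carries `expected`.

    Returns the seconds waited, or None if the record never showed up within `limit`.
    `lookup` and `sleep` are injectable so the logic can be exercised offline.
    """
    if interval <= 0:
        raise ValueError('interval must be a positive number of seconds')
    for waited in range(0, limit + 1, interval):
        if txt_record_present(expected, lookup(f'_acme-challenge.{domain}')):
            return waited
        sleep(interval)
    return None


def scripted_lookup(responses):
    """Constructed stand-in for dig: returns each response in turn, then repeats the last."""
    queue = list(responses)

    def lookup(_name):
        if len(queue) > 1:
            return queue.pop(0)
        return queue[0]
    return lookup


def write_http_challenge(webroot, key_authorization):
    """Create .well-known/acme-challenge/<token> containing exactly the key authorization.

    The file name is the part before the dot (the token); the content is the whole
    string with no trailing newline, because certbot asks for "just this data".
    """
    token, sep, _thumbprint = key_authorization.partition('.')
    if not sep or not token:
        raise ValueError('key authorization must look like <token>.<thumbprint>')
    path = Path(webroot) / '.well-known' / 'acme-challenge' / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization)
    # Re-read to confirm what the web server will actually serve.
    return path if path.read_text() == key_authorization else None


def demo_http_challenge():
    """Write the article's example key authorization into a scratch webroot (constructed)."""
    webroot = Path(tempfile.mkdtemp()) / 'example.com'
    key_auth = ('EZdd0CuoMENyxMP20TU9QSuX0VGeqSY7vYPPHMeM5_s.'
                'l3pHZcFiLUV6rJtRaFjP3BhEM7m1CPUimJifet--_SY')
    return write_http_challenge(webroot, key_auth)


if __name__ == '__main__':
    # Live use: replace the token with the value certbot printed for your domain.
    token = 'Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE'
    waited = wait_for_acme_txt('example.com', token, limit=900, interval=30)
    if waited is None:
        print('TXT record not visible within 15 minutes; do not press Enter yet')
    else:
        print(f'TXT record visible after {waited} s')
    print('challenge file written at', demo_http_challenge())
```

Run it in the second terminal instead of the fixed 15-minute wait; it returns as soon as the resolver sees the record and tells you how long propagation actually took. The web server must also serve the `.well-known/acme-challenge/` directory as plain files (no rewrite to https for that path) for the HTTP step to succeed.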

Configure your domain to use this certificate

Navigate to your /etc/apache2/sites-available directory.

root@[server]# cd /etc/apache2/sites-available

In this directory is a file named 'example.com.conf' which you already created when setting up the domain. Edit this file and add the RewriteEngine block shown at the end of the configuration below. Make sure to change 'example.com' to your actual domain name.

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    DocumentRoot /home/ubuntu/example.com
    <Directory /home/ubuntu/example.com>
            AllowOverride all
            Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

These new lines will redirect the http version of your site to https.

Next, create a new .conf file for your Let's Encrypt certificate. The name will be example.com-le-ssl.conf. Make sure to change 'example.com' to your actual domain name.

root@[server]# sudo vim example.com-le-ssl.conf

In this file add the following code.

Make sure to change 'example.com' to your actual domain name.

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    DocumentRoot /home/ubuntu/example.com

  <Directory /home/ubuntu/example.com>
    AllowOverride all
    Require all granted
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  Include /opt/certbot/certbot-apache/certbot_apache/options-ssl-apache.conf
  </VirtualHost>
</IfModule>

Make sure to enable this new file.

[user@server]$ sudo a2ensite example.com-le-ssl
Enabling site example.com-le-ssl

Finally reload your Apache service so it reads the changes.

[user@server]$ sudo service apache2 reload

Configure your subdomains to use this certificate

Create additional files for any subdomains you wish to use this same certificate for. For example, if you want the subdomain sub1.example.com to also be protected by this Wildcard certificate, add files named sub1.example.com.conf and sub1.example.com-le-ssl.conf to the /etc/apache2/sites-available directory as shown above.

When editing the sub1.example.com-le-ssl.conf file, make sure to change 'sub1.example.com' to your actual subdomain name everywhere except the two certificate lines:

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

These must continue to point to the primary domain name.

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName sub1.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/sub1.example.com
    ErrorLog ${APACHE_LOG_DIR}/sub1.example.com-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/sub1.example.com-ssl-access.log combined

    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /opt/certbot/certbot-apache/certbot_apache/options-ssl-apache.conf
  </VirtualHost>
</IfModule>
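Before reloading Apache it is worth checking every vhost file for the three mistakes that this layout invites: a TLS vhost whose certificate lines point at a subdomain's live/ directory instead of the primary domain's, a plain-HTTP vhost that forgot the https redirect, and a host name that the wildcard does not actually cover (a Let's Encrypt wildcard for *.example.com covers sub1.example.com but not a.sub1.example.com). The following Python audit is an added example, not part of the DreamHost article or of Apache; it assumes the article's layout (one *:80 and one *:443 vhost per name, certificates under /etc/letsencrypt/live/<primary>/) and the two sample configs in it are constructed.

```python
# Added example (not part of the DreamHost article or Apache): a consistency check
# for the sites-available files above before `service apache2 reload`. It assumes
# the layout the article uses: one *:80 vhost that redirects to https and one
# *:443 vhost per (sub)domain, all pointing at the primary domain's live/ directory.
import re
from pathlib import Path

VHOST_RE = re.compile(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', re.S | re.I)


def parse_vhosts(text):
    """Return [{'addr': '*:443', 'directives': {name: [value, ...]}}, ...].

    Good enough for the flat vhost files in the article: nested sections such as
    <Directory> are skipped and comments are ignored.
    """
    vhosts = []
    for match in VHOST_RE.finditer(text):
        directives = {}
        for raw in match.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith('#') or line.startswith('<'):
                continue
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ''
            directives.setdefault(parts[0], []).append(value)
        vhosts.append({'addr': match.group(1).strip(), 'directives': directives})
    return vhosts


def covered_by_wildcard(hostname, primary):
    """*.example.com covers exactly one extra label: sub1.example.com yes, a.sub1.example.com no."""
    if hostname == primary:
        return True
    suffix = '.' + primary
    if not hostname.endswith(suffix):
        return False
    label = hostname[:-len(suffix)]
    return bool(label) and '.' not in label


def audit_vhosts(text, primary):
    """Return a list of problem strings; an empty list means the config matches the article."""
    problems = []
    live = f'/etc/letsencrypt/live/{primary}/'
    expected = {'SSLCertificateFile': live + 'fullchain.pem',
                'SSLCertificateKeyFile': live + 'privkey.pem'}
    for vhost in parse_vhosts(text):
        d = vhost['directives']
        names = d.get('ServerName', []) + d.get('ServerAlias', [])
        label = names[0] if names else vhost['addr']
        if vhost['addr'].endswith(':443'):
            if not d.get('ServerName'):
                problems.append(f'{label}: TLS vhost has no ServerName; SNI selection then depends on the host name')
            for key, want in expected.items():
                got = d.get(key, [])
                if got != [want]:
                    problems.append(f'{label}: {key} must be {want}, found {got or "nothing"}')
            for name in names:
                if not covered_by_wildcard(name, primary):
                    problems.append(f'{label}: {name} is not covered by {primary} or *.{primary}')
        elif vhost['addr'].endswith(':80'):
            if not any('https://' in rule for rule in d.get('RewriteRule', [])):
                problems.append(f'{label}: plain-HTTP vhost does not redirect to https')
    return problems


def audit_sites_available(directory='/etc/apache2/sites-available', primary='example.com'):
    """Run the audit over every .conf file in the directory (for use on the instance)."""
    return {conf.name: audit_vhosts(conf.read_text(), primary)
            for conf in sorted(Path(directory).glob('*.conf'))}


# Constructed configs: one mirroring the article's primary-domain files, one with
# the mistakes the audit is meant to catch.
GOOD_CONF = """\
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/ubuntu/example.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  </VirtualHost>
</IfModule>
"""

BAD_CONF = """\
<VirtualHost *:80>
    ServerName sub1.example.com
    DocumentRoot /var/www/sub1.example.com
</VirtualHost>
<VirtualHost _default_:443>
    ServerAlias dev.sub1.example.com
    SSLCertificateFile /etc/letsencrypt/live/sub1.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
"""

if __name__ == '__main__':
    for name, conf in (('good', GOOD_CONF), ('bad', BAD_CONF)):
        print(name, audit_vhosts(conf, 'example.com') or 'OK')
```

On the instance, call `audit_sites_available()` (optionally with your real primary domain) and fix anything it reports before running `sudo service apache2 reload`; a wrong `SSLCertificateFile` path is the usual reason a subdomain's TLS vhost fails to start after this procedure.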

Make sure you enable both of your subdomain's config files:

[user@server]$ sudo a2ensite sub1.example.com.conf
[user@server]$ sudo a2ensite sub1.example.com-le-ssl
Enabling site sub1.example.com-le-ssl

Finally, reload Apache so it knows about the new configurations.

[server]$ sudo service apache2 reload
