Overview
This article guides you through the process of creating a Wildcard 'Let's Encrypt' certificate for your domain hosted on DreamCompute. With this configuration, a single SSL certificate is set up on your primary domain (example.com), but all subdomains under it (such as blog.example.com) will also be able to use the certificate.
Configuring your site and instance
This article assumes you've already done the following:
- Launched an Ubuntu instance
- Added your primary website to DreamCompute (i.e., example.com)
This article assumes you've created your site in the /var/www directory and not your /home/username directory.
- Using the same steps, added any subdomains you want hosted on DreamCompute (i.e., blog.example.com)
If you've followed those steps, your website and its subdomains will already be resolving from the DreamCompute instance. You can now create the Wildcard certificate to use for all of those domains.
Enable mod_rewrite and ssl
Before continuing, make sure that mod_rewrite and ssl are enabled on your instance. You can confirm by running the following commands:
[user@instance]$ ls -1 /etc/apache2/mods-enabled | grep rewrite
[user@instance]$ ls -1 /etc/apache2/mods-enabled | grep ssl
If nothing displays, enable them with the following commands:
[user@instance]$ sudo a2enmod rewrite
[user@instance]$ sudo a2enmod ssl
[user@instance]$ sudo systemctl reload apache2
Check again and you'll see rewrite and ssl are listed.
[user@instance]$ ls -1 /etc/apache2/mods-enabled | grep rewrite
rewrite.load
[user@instance]$ ls -1 /etc/apache2/mods-enabled | grep ssl
ssl.conf
ssl.load
Creating the certificate
Run the following commands in order to create your Wildcard certificate.
- Log into your instance.
- Run the commands below to install certbot and request a Let's Encrypt certificate.
Make sure to change example.com to your actual domain name in the certbot command below.
[user@instance]$ sudo apt install certbot python3-certbot-apache -y
[user@instance]$ sudo certbot --manual -d "example.com" -d "*.example.com" --server https://acme-v02.api.letsencrypt.org/directory certonly
- When prompted, enter 'y' to continue the installation.
- You're asked to enter an email address. Enter any address, but one you have direct access to check.
- Enter 'A' to agree to the terms of service.
- Choose if you want to share your email with the Electronic Frontier Foundation.
- You'll finally be asked the following question:
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
- Enter 'y' to continue.
- The next prompt will inform you of a new TXT record you must add to your domain.
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
DO NOT press the Enter key yet. You must first set up this record in your DreamHost panel.
The simplest way to do this is to press CTRL + C on your keyboard to abort the current terminal process. Next, copy the TXT record value from your terminal and paste it into your DreamHost panel.
- Navigate to the Manage Websites page.
- Click the Manage button to open the Manage Websites page, which allows you to adjust various settings for your site.
- Click the DNS tab at the top.
- Click the Add Record button.
- Using the information above, create a new TXT record as follows:
- Name: _acme-challenge
- Type: TXT
- Value: Enter the value shown in the certbot prompt above. In this example it would be: Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE
- A green 'Success!' message displays, notifying you that the record has been created. The record now requires a few minutes to propagate through DNS. Wait at least 15 minutes before proceeding, or open another terminal and run the following command to confirm the record has updated:
[user@instance]$ dig _acme-challenge.example.com +short txt
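As an added check that is not part of the DreamHost article, the shell functions below automate the dig step: they ask one of the domain's own authoritative nameservers (so a cached negative answer from the instance's resolver cannot mislead you) and only return success when a TXT string exactly equals the value certbot printed. The domain, the expected value and the timeout are arguments you supply; dig (package dnsutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the DreamHost article. Poll the _acme-challenge TXT
# record until it carries the exact value certbot asked for, so Enter is only
# pressed once the DNS-01 validation can succeed. Assumes dig (dnsutils).

# txt_has_value EXPECTED: read `dig +short txt` output on stdin and return 0
# when one record is exactly EXPECTED. dig quotes TXT data ("...") and may list
# several records (stale values, SPF, ...), so strip the quotes and compare
# whole lines, never substrings.
txt_has_value() {
    sed 's/^"//; s/"$//' | grep -qxF -- "$1"
}

# authoritative_ns DOMAIN: pick one nameserver that is authoritative for the
# zone, so the record is seen as soon as the DNS provider publishes it.
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//' | head -n 1
}

# wait_for_acme_txt DOMAIN EXPECTED [TIMEOUT_SECONDS]: query every 30 seconds
# until the record matches or TIMEOUT_SECONDS (default 900) elapses.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; timeout="${3:-900}"
    name="_acme-challenge.$domain"
    ns=$(authoritative_ns "$domain")
    [ -n "$ns" ] || { echo "no NS records found for $domain" >&2; return 1; }
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if dig "@$ns" "$name" +short txt | txt_has_value "$expected"; then
            echo "TXT record for $name is live on $ns (after ${elapsed}s)"
            return 0
        fi
        sleep 30
        elapsed=$((elapsed + 30))
    done
    echo "timed out after ${timeout}s waiting for $name" >&2
    return 1
}

# Usage: sh wait_txt.sh example.com Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE
if [ "$#" -ge 2 ]; then
    wait_for_acme_txt "$@"
fi
```

Querying the authoritative server matters because a resolver that was asked for the record before it existed may cache the "no such record" answer for the zone's negative TTL, which is exactly the window in which certbot would report a failed challenge.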
- Back in your original terminal prompt, run the certbot command from above again. This time, you are instructed to create a challenge file for 'Let's Encrypt'. You'll see the following:
Create a file containing just this data:

EZdd0CuoMENyxMP20TU9QSuX0VGeqSY7vYPPHMeM5_s.l3pHZcFiLUV6rJtRaFjP3BhEM7m1CPUimJifet--_SY

And make it available on your web server at this URL:

http://example.com/.well-known/acme-challenge/EZdd0CuoMENyxMP20TU9QSuX0VGeqSY7vYPPHMeM5_s

Press Enter to Continue
- Do not press the Enter key yet. Open up a second terminal. In that new terminal, run the following command to create these directories:
[user@instance]$ sudo mkdir -p /var/www/example.com/.well-known/acme-challenge
- Next, create the file using nano.
[user@instance]$ sudo nano /var/www/example.com/.well-known/acme-challenge/EZdd0CuoMENyxMP20TU9QSuX0VGeqSY7vYPPHMeM5_s
- Add the data string shown above to it (the file name must match the last part of the URL exactly), then save the file.
- Back in your first terminal, press the 'Enter' key on your keyboard to continue. It will verify the file you just added, then again tell you to create the TXT record. Since you've already created this TXT record, press 'Enter' again.
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

Tzx6GaeSJHe14C6t_M9wTBDe0s1stDMuq2Y15GLFZPE

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Click Enter to continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
Configure your domain to use this certificate
Navigate to your /etc/apache2/sites-available directory.
[user@instance]$ cd /etc/apache2/sites-available
In this directory is a file named example.com.conf which you already created when setting up the domain. Edit this file and add the RewriteEngine, RewriteCond and RewriteRule lines shown below. Make sure to change example.com to your actual domain name.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    # DocumentRoot matches the /var/www location this article assumes above
    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
These new lines redirect the http version of your site to https with a permanent (301) redirect.
Next, create a new .conf file for your Let's Encrypt certificate. The name will be example.com-le-ssl.conf. Make sure to change example.com to your actual domain name.
[user@instance]$ sudo vim example.com-le-ssl.conf
In this file add the following code.
Make sure to change example.com to your actual domain name.
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin admin@example.com
        # DocumentRoot matches the /var/www location this article assumes above
        DocumentRoot /var/www/example.com
        <Directory /var/www/example.com>
            AllowOverride all
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
        CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
</IfModule>
Make sure to enable this new file.
[user@instance]$ sudo a2ensite example.com-le-ssl
Enabling site example.com-le-ssl
Finally, reload your Apache service so it reads the changes.
[user@instance]$ sudo systemctl reload apache2
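Once Apache has reloaded, the added script below (not from the DreamHost article) verifies the result the way a reviewer would: it syntax-checks the Apache configuration, confirms the leaf certificate's Subject Alternative Names list both the apex and the wildcard, checks that port 443 presents that same certificate when a subdomain is requested via SNI, confirms the port-80 vhost redirects to https, and reports the remaining lifetime. It assumes openssl, curl, apache2ctl and GNU date on the Ubuntu instance, connects to 127.0.0.1 rather than the public address (an assumption that avoids depending on the instance reaching its own floating IP), and takes your domain as its argument; `blog` is an assumed subdomain label.

```shell
#!/bin/sh
# Added example, not from the DreamHost article. Verify the wildcard setup end
# to end after `systemctl reload apache2`. Assumes openssl, curl, apache2ctl
# and GNU date; connects to 127.0.0.1 with the domain sent as SNI/Host.

# san_covers SAN_LINE NAME: SAN_LINE is the entry list openssl prints under
# "X509v3 Subject Alternative Name:", e.g. "DNS:example.com, DNS:*.example.com".
# Returns 0 when NAME appears literally. A wildcard SAN is matched as the
# literal "*.example.com", so test for that string, not for blog.example.com.
san_covers() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -qxF -- "$2"
}

# days_until NOTAFTER: whole days from now until an openssl notAfter date such
# as "Jul 14 00:00:00 2018 GMT" (GNU date syntax assumed).
days_until() {
    end=$(date -d "$1" +%s) || return 1
    echo $(( (end - $(date +%s)) / 86400 ))
}

# check_site_cert DOMAIN: run every check; status 0 only if all of them pass.
check_site_cert() {
    domain="$1"
    cert="/etc/letsencrypt/live/$domain/fullchain.pem"

    # 1. Do not trust a reload that silently kept the old configuration.
    apache2ctl configtest || return 1

    # 2. The first certificate in fullchain.pem is the leaf; read its SANs
    #    (the -ext option needs OpenSSL 1.1.1 or newer).
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | sed -n '2p')
    for n in "$domain" "*.$domain"; do
        if san_covers "$san" "$n"; then
            echo "OK: certificate covers $n"
        else
            echo "FAIL: certificate does not cover $n (SAN: $san)" >&2
            return 1
        fi
    done

    # 3. Apache must present that exact certificate when a subdomain is
    #    requested via SNI; otherwise a subdomain vhost points at another file.
    want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    got=$(printf '' | openssl s_client -connect 127.0.0.1:443 -servername "blog.$domain" 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256)
    if [ "$got" = "$want" ]; then
        echo "OK: blog.$domain is served with the wildcard certificate"
    else
        echo "FAIL: blog.$domain presents a different certificate" >&2
        return 1
    fi

    # 4. Plain http must redirect to https (the RewriteRule added earlier).
    if curl -sI --resolve "$domain:80:127.0.0.1" "http://$domain/" | grep -qi "^location: https://$domain/"; then
        echo "OK: http://$domain/ redirects to https"
    else
        echo "FAIL: no https redirect on http://$domain/" >&2
        return 1
    fi

    # 5. Report the remaining lifetime. certbot's manual mode cannot re-solve
    #    the DNS challenge unattended, so schedule the re-run before this date.
    notafter=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    echo "Certificate expires $notafter ($(days_until "$notafter") days left)"
}

# Usage: sudo sh check_cert.sh example.com
if [ "$#" -eq 1 ]; then
    check_site_cert "$1"
fi
```

Run it with sudo, because the files under /etc/letsencrypt/live are readable only by root. Check 3 is the one that catches the most common mistake in the subdomain section that follows: a sub1.example.com-le-ssl.conf whose SSLCertificateFile points at a per-subdomain path instead of the primary domain's fullchain.pem.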
Configure your subdomains to use this certificate
Make additional files for any subdomains you want to use this same certificate. For example, if you want the subdomain sub1.example.com to also be protected by this Wildcard certificate, add files named sub1.example.com.conf and sub1.example.com-le-ssl.conf to the /etc/apache2/sites-available directory as shown above.
When editing the sub1.example.com-le-ssl.conf file, make sure to change 'sub1.example.com' to your actual subdomain name, except for the last 2 lines:
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
These must continue to point to the primary domain name.
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/sub1.example.com
        ErrorLog ${APACHE_LOG_DIR}/sub1.example.com-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/sub1.example.com-ssl-access.log combined
        ServerAlias sub1.example.com

        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
</IfModule>
Make sure you enable both of your subdomain's config files:
[user@instance]$ sudo a2ensite sub1.example.com.conf
[user@instance]$ sudo a2ensite sub1.example.com-le-ssl
Enabling site sub1.example.com-le-ssl
Finally, reload Apache so it knows about the new configurations.
[user@instance]$ sudo systemctl reload apache2