How to Install Let’s Encrypt Wildcard Certificates on Apache 2.4

Tags: apache-2.4, lets-encrypt, ssl-certificate

I am using certbot/letsencrypt from the EPEL repository with apache on CentOS 7 without any issues on "normal" domain names. The certbot tool recognizes server name aliases from the virtualhost config files just fine. Renewal also works fine.

For example, a line in a virtualhost config such as:

ServerName uncovery.net
ServerAlias www.uncovery.net

results in certbot offering to install/maintain the domain names

1: uncovery.net
2: www.uncovery.net

However, this line in my virtualhost config:

ServerName uncovery.net
ServerAlias *.uncovery.net

only shows

1: uncovery.net

when running certbot.

So I tried the following:

# certbot -d *.uncovery.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I tried the apache/webroot/standalone authenticators; all fail.
The debug log states that

ConfigurationError: *.uncovery.net contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.

So questions:

1) How can I make the command line interface of certbot recognize the *.wildcard?

2) If that does not work, how do I manually configure the certificate?

Here is my certbot version:

Package certbot-1.0.0-1.el7.noarch already installed and latest version
Package python2-certbot-apache-1.0.0-1.el7.noarch already installed and latest version

Best Answer

This should work

certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'uncovery.net,*.uncovery.net'

Afterwards, don't forget to point the SSL settings in your Apache config at fullchain.pem and privkey.pem. Usually those are located at /etc/letsencrypt/live/uncovery.net/fullchain.pem and /etc/letsencrypt/live/uncovery.net/privkey.pem.

If you don't change those, you will still see the self-signed certificate, which is the Apache default self-signed SSL cert.
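The answer's -d list deliberately names both uncovery.net and *.uncovery.net: a wildcard SAN covers exactly one label below it and not the apex itself, so a certificate with only *.uncovery.net would still leave the bare ServerName uncovered. The following script is an added example, not part of the question or the answer: it pulls every ServerName/ServerAlias out of a vhost fragment and reports which ones a given SAN list does not cover, using the usual RFC 6125 wildcard rules. The vhost text and SAN lists are constructed for the example; for a real certificate you would take the DNS: entries from `openssl x509 -noout -text -in /etc/letsencrypt/live/uncovery.net/fullchain.pem`.

```python
import re
from typing import Iterable, List

# Constructed vhost fragment modelled on the question's config (not a real file).
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName uncovery.net
    ServerAlias *.uncovery.net
    ServerAlias mail.uncovery.net
</VirtualHost>
"""


def vhost_names(config: str) -> List[str]:
    """Collect every ServerName/ServerAlias value from an Apache vhost fragment.
    ServerAlias may list several names on one line, so each line is split."""
    names = []
    for line in config.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+?)\s*$", line)
        if m:
            names.extend(n.lower() for n in m.group(1).split())
    return names


def name_matches(san: str, host: str) -> bool:
    """RFC 6125-style match of one certificate name against one hostname.
    A wildcard is honoured only as the whole leftmost label and covers exactly
    one label: *.example.net matches www.example.net but neither example.net
    nor a.b.example.net."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*."):
        return False
    parent = san[2:]
    if not host.endswith("." + parent):
        return False
    left = host[: -len(parent) - 1]        # the label the wildcard stands for
    return left != "" and "." not in left


def uncovered_names(config: str, cert_sans: Iterable[str]) -> List[str]:
    """Return the vhost names that the certificate's SAN list does not cover.
    A wildcard ServerAlias such as *.uncovery.net can only be satisfied by the
    identical wildcard SAN, since the cert must cover every host it stands for."""
    sans = [s.lower() for s in cert_sans]
    missing = []
    for name in vhost_names(config):
        if "*" in name or "?" in name:
            covered = name in sans
        else:
            covered = any(name_matches(s, name) for s in sans)
        if not covered:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed SAN lists: the wildcard-only cert versus the answer's -d list.
    for sans in (["*.uncovery.net"], ["uncovery.net", "*.uncovery.net"]):
        print(f"SANs {sans}: uncovered vhost names -> {uncovered_names(SAMPLE_VHOST, sans)}")
```

Run against the sample, a certificate holding only *.uncovery.net leaves uncovery.net uncovered, while the answer's pair covers every name in the vhost; the same check against the real fullchain.pem before restarting Apache catches a mismatched -d list before clients see a name error.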
