How to get Let’s Encrypt wildcard certificate using acme.sh

5
(2)

Preparation


To obtain and install a Wildcard certificate, we will use the ACME.sh utility, which supports Let’s Encrypt out of the box.

Connect via SSH to your server and run the following commands:

curl https://get.acme.sh | sh

You will see a success message and the .acme.sh folder will appear in your home directory

root@server:~# curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0  16125      0 --:--:-- --:--:-- --:--:-- 16380
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  216k  100  216k    0     0  4326k      0 --:--:-- --:--:-- --:--:-- 4326k
[Wed 15 Nov 2023 10:12:34 AM EET] Installing from online archive.
[Wed 15 Nov 2023 10:12:34 AM EET] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Wed 15 Nov 2023 10:12:35 AM EET] Extracting master.tar.gz
[Wed 15 Nov 2023 10:12:35 AM EET] Installing to /root/.acme.sh
[Wed 15 Nov 2023 10:12:35 AM EET] Installed to /root/.acme.sh/acme.sh
[Wed 15 Nov 2023 10:12:35 AM EET] Installing alias to '/root/.bashrc'
[Wed 15 Nov 2023 10:12:35 AM EET] OK, Close and reopen your terminal to start using acme.sh
[Wed 15 Nov 2023 10:12:35 AM EET] Installing cron job
no crontab for root
no crontab for root
[Wed 15 Nov 2023 10:12:35 AM EET] Good, bash is found, so change the shebang to use bash as preferred.
[Wed 15 Nov 2023 10:12:36 AM EET] OK
[Wed 15 Nov 2023 10:12:36 AM EET] Install success!

Next you need to register an account for ZeroSSL

root@server:~/.acme.sh# ./acme.sh --register-account -m [email protected]

[Wed 15 Nov 2023 10:17:52 AM EET] No EAB credentials found for ZeroSSL, let’s get one
[Wed 15 Nov 2023 10:17:53 AM EET] Registering account: https://acme.zerossl.com/v2/DV90
[Wed 15 Nov 2023 10:18:14 AM EET] Registered
[Wed 15 Nov 2023 10:18:14 AM EET] ACCOUNT_THUMBPRINT=’………………………………………..’

Now let’s create an application for a certificate

root@server:~/.acme.sh# ./acme.sh --issue -d example.com -d *.example.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Output like:

[Wed 15 Nov 2023 10:18:20 AM EET] Using CA: https://acme.zerossl.com/v2/DV90
[Wed 15 Nov 2023 10:18:20 AM EET] Creating domain key
[Wed 15 Nov 2023 10:18:20 AM EET] The domain key is here: /root/.acme.sh/example.com_ecc/example.com.key
[Wed 15 Nov 2023 10:18:20 AM EET] Multi domain='DNS:example.com,DNS:*.example.com'
[Wed 15 Nov 2023 10:18:20 AM EET] Getting domain auth token for each domain
[Wed 15 Nov 2023 10:19:31 AM EET] Getting webroot for domain='example.com'
[Wed 15 Nov 2023 10:19:31 AM EET] Getting webroot for domain='*.example.com'
[Wed 15 Nov 2023 10:19:32 AM EET] Add the following TXT record:
[Wed 15 Nov 2023 10:19:32 AM EET] Domain: '_acme-challenge.example.com'
[Wed 15 Nov 2023 10:19:32 AM EET] TXT value: '_QY3s2nbgTfAU_mdrwZHzVAk-NmXBzWYSrAR0gk7eQM'
[Wed 15 Nov 2023 10:19:32 AM EET] Please be aware that you prepend _acme-challenge. before your domain
[Wed 15 Nov 2023 10:19:32 AM EET] so the resulting subdomain will be: _acme-challenge.example.com
[Wed 15 Nov 2023 10:19:32 AM EET] Add the following TXT record:
[Wed 15 Nov 2023 10:19:32 AM EET] Domain: '_acme-challenge.example.com'
[Wed 15 Nov 2023 10:19:32 AM EET] TXT value: '1HVmv-vynO5CKFD8-QN_I8eRweF9XNFo1q4KaG-Y-_0'
[Wed 15 Nov 2023 10:19:32 AM EET] Please be aware that you prepend _acme-challenge. before your domain
[Wed 15 Nov 2023 10:19:32 AM EET] so the resulting subdomain will be: _acme-challenge.example.com
[Wed 15 Nov 2023 10:19:32 AM EET] Please add the TXT records to the domains, and re-run with --renew.
[Wed 15 Nov 2023 10:19:32 AM EET] Please add '--debug' or '--log' to check more details.
[Wed 15 Nov 2023 10:19:32 AM EET] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Setting DNS records


Now you need to find the DNS record control panel of your hosting provider and add the required record there.

For example GoDaddy

Check out GoDaddy’s Domain Portfolio.
Select a screenshot that displays an icon with three icons for selecting domain editing options. Domain editing options from your domain and select Edit DNS. You may need to scroll down to edit DNS.

Select Add new entry.

Select TXT from the Type menu.

Enter the details of your new TXT entry:

Name: _acme-challenge.example.com

Value: _QY3s2nbgTfAU_mdrwZHzVAk-NmXBzWYSrAR0gk7eQM

Note: In example output above 2 DNS records with the same name. Therefore, you need to make 2 identical records but with different values

Name: _acme-challenge.example.com

Value: 1HVmv-vynO5CKFD8-QN_I8eRweF9XNFo1q4KaG-Y-_0

Click Save to add a new entry.

Once you have added the TXT record, run the following command:

root@server:~/.acme.sh# ./acme.sh --renew -d example.com -d *.example.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Output like:

[Wed 15 Nov 2023 10:24:12 AM EET] The domain 'example.com' seems to have a ECC cert already, lets use ecc cert.
[Wed 15 Nov 2023 10:24:12 AM EET] Renew: 'example.com'
[Wed 15 Nov 2023 10:24:12 AM EET] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Wed 15 Nov 2023 10:24:13 AM EET] Using CA: https://acme.zerossl.com/v2/DV90
[Wed 15 Nov 2023 10:24:13 AM EET] Multi domain='DNS:example.com,DNS:*.example.com'
[Wed 15 Nov 2023 10:24:13 AM EET] Getting domain auth token for each domain
[Wed 15 Nov 2023 10:24:13 AM EET] Verifying: example.com
[Wed 15 Nov 2023 10:24:14 AM EET] Processing, The CA is processing your order, please just wait. (1/30)
[Wed 15 Nov 2023 10:24:18 AM EET] Success
[Wed 15 Nov 2023 10:24:18 AM EET] Verifying: *.example.com
[Wed 15 Nov 2023 10:24:31 AM EET] Processing, The CA is processing your order, please just wait. (1/30)
[Wed 15 Nov 2023 10:24:47 AM EET] Success
[Wed 15 Nov 2023 10:24:47 AM EET] Verify finished, start to sign.
[Wed 15 Nov 2023 10:24:47 AM EET] Lets finalize the order.
[Wed 15 Nov 2023 10:24:47 AM EET] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/m-VCTRPJqXDDtBsVb1ws0g/finalize'
[Wed 15 Nov 2023 10:25:03 AM EET] Order status is processing, lets sleep and retry.
[Wed 15 Nov 2023 10:25:03 AM EET] Retry after: 15
[Wed 15 Nov 2023 10:25:19 AM EET] Polling order status: https://acme.zerossl.com/v2/DV90/order/m-VCTRPJqXDDtBsVb1ws0g
[Wed 15 Nov 2023 10:25:38 AM EET] Order status is processing, lets sleep and retry.
[Wed 15 Nov 2023 10:25:38 AM EET] Retry after: 15
....
[Wed 15 Nov 2023 10:30:20 AM EET] Polling order status: https://acme.zerossl.com/v2/DV90/order/m-VCTRPJqXDDtBsVb1ws0g
[Wed 15 Nov 2023 10:30:51 AM EET] Downloading cert.
[Wed 15 Nov 2023 10:30:51 AM EET] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/KtVem_uK9H-Rz_mkyM_EkQ'
[Wed 15 Nov 2023 10:30:51 AM EET] Cert success.
-----BEGIN CERTIFICATE-----
there certificate data
-----END CERTIFICATE-----
[Wed 15 Nov 2023 10:30:51 AM EET] Your cert is in: /root/.acme.sh/example.com_ecc/vpharm.com.ua.cer
[Wed 15 Nov 2023 10:30:51 AM EET] Your cert key is in: /root/.acme.sh/example.com_ecc/vpharm.com.ua.key
[Wed 15 Nov 2023 10:30:51 AM EET] The intermediate CA cert is in: /root/.acme.sh/example.com_ecc/ca.cer
[Wed 15 Nov 2023 10:30:51 AM EET] And the full chain certs is there: /root/.acme.sh/example.com_ecc/fullchain.cer

All done.

Let’s sum it up
Using the Let’s Encrypt service and the acme.sh or certbot utilities, you can quickly and easily obtain a free Wildcard SSL certificate for all your domains and their subdomains. The certificate will be valid for three months, however, it will not be difficult to renew it by following our instructions.

Similar Posts:

422

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top