Create Wildcard SSL certificate with Let's encrypt and integrate into engineyard

Post by Ashok Damaniya

Generate a wildcard SSL certificate with Engine Yard integration

First, we are going to generate a wildcard SSL certificate for our domain, and then we will see the process of integrating that certificate into Engine Yard.

Before that, a brief look at the terms we are going to use in this blog.

What is SSL and why is it used?

SSL certificates are used to create an encrypted channel between the client and the server. Data such as credit card details, account login information and any other sensitive information must be encrypted in transit to prevent eavesdropping.

What is a wildcard certificate?

A wildcard certificate is a digital certificate that applies to a domain and all of its subdomains. Secure Sockets Layer (SSL) certificates often use wildcards to extend SSL encryption to subdomains, whereas a conventional SSL certificate works on a single domain only.

Why Let's Encrypt?

Let's Encrypt is a free, automated, and open Certificate Authority. That means you do not need to pay for the SSL certificate.

Let's go through the step-by-step process to create our wildcard certificate.

Step 1: First you need to log in to your server over ssh

ssh <user>@<server_address | ip_address>

Step 2: Once you are logged in to your server, you need to install certbot before going further

  • Certbot is not available in the default Ubuntu repository. Run the command below to add the PPA repository.
sudo add-apt-repository ppa:certbot/certbot
  • Update the package lists with the command below.
sudo apt update
  • Run the command below to install certbot.
sudo apt install certbot
  • Check which version of certbot is installed with the command below.
apt-cache policy certbot | grep -i Installed

Ref link: https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache.html

Step 3: Now that certbot is installed on our server, we are able to generate a certificate. Use the command below to generate a wildcard certificate (the wildcard is quoted so the shell does not try to expand it as a file glob):

sudo certbot certonly --manual -d "*.<your_domain>" -d <your_domain> --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Here you need to replace <your_domain> with your actual domain, for example xyz.com. Note that the command lists both "*.<your_domain>" and <your_domain>: a wildcard entry covers subdomains but not the bare domain itself, so both are needed. We use --preferred-challenges dns-01 here; other challenge types are available if you want to try them, see the reference at https://letsencrypt.org/docs/challenge-types/

Step 4: In this process, you will be asked to add a TXT record to your DNS.

  • For that, you need to log in to your DNS provider's account (domain providers like Bigrock, GoDaddy and others).

  • Then find the DNS records management panel; where it is depends on your domain provider's system.

  • Add the TXT record exactly as certbot prints it in the last step, like below

Name: _acme-challenge.<your_domain>

Value: <value_generated_by_above_command>

  • You need to follow this process two times, once for each -d entry in the command (both records use the same name, so add the second one without deleting the first). This verifies that you own, or act on behalf of the owner of, the domain you claim, and then certbot generates certificates for your domain with a validity of 3 months.

Step 5: Add the certificates to your Engine Yard account

  • Log in to your Engine Yard account

  • From the Tools dropdown select SSL Certificate

  • Click the button named 'Add SSL Certificate'

  • Add a name for your certificate so you can identify it later.

  • Select the radio button named 'Upload SSL Certificate'

  • In the SSL Certificate text area, paste the contents of the file named fullchain.pem generated in the last step.

View the content of that file with the command below [in the ssh logged-in terminal], replacing unimedliving.com with your own domain

sudo cat /etc/letsencrypt/live/unimedliving.com/fullchain.pem
  • In the SSL Certificate Key text area, paste the contents of the private key file named privkey.pem generated in the last step.

View the content of that file with the command below [in the ssh logged-in terminal], replacing unimedliving.com with your own domain

sudo cat /etc/letsencrypt/live/unimedliving.com/privkey.pem
  • Finally, click on Add Certificate. It will take some time before this certificate appears for selection.

  • You have added a certificate to your Engine Yard account; now you need to assign that certificate to your web app.

    • Go to the Engine Yard dashboard

    • Select the app to which you want to assign the SSL certificate

    • In the SSL section you can see the option called 'Assign SSL Certificate to <your app>'

    • From the SSL Certificate dropdown select the certificate you named uniquely.

    • Then click on Update SSL Settings

  • Everything is set up now; you only need to click the 'Apply' button

After your changes are applied to your environment, you can check that your app is now SSL protected.

You can perform SSL test on -> https://www.whynopadlock.com/

You can use the same process to renew your certificate after 90 days. If you use a single-domain SSL certificate you can automate this process by adding a script, but for wildcard domains you cannot run the process automatically because it requires the DNS challenge to be performed. In future there might be a way to automate these challenges as well; we will update our blog if such a technique is developed.

If you face any difficulties in following the above process, comment on the blog and we will be happy to help. Thank you!
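As an added example (not part of the original post or of certbot), here is a small Python check that complements the manual steps above: it confirms that the issued certificate's SAN list covers every host you serve (a wildcard covers one label only, which is why Step 3 lists both -d entries) and flags when the 90-day certificate is close enough to expiry that it should be renewed. It assumes you obtain the SAN entries and the notAfter line from `openssl x509 -in fullchain.pem -noout -ext subjectAltName -enddate` and pass them in; the sample values are constructed.

```python
# Added example (not from the original post): after certbot has issued the
# certificate, check that its SAN list really covers the hosts you serve and
# whether it is due for renewal. Assumption: the SAN entries and the notAfter
# line come from
#   openssl x509 -in /etc/letsencrypt/live/<your_domain>/fullchain.pem \
#       -noout -ext subjectAltName -enddate
from datetime import datetime, timezone

# Let's Encrypt certificates are valid for 90 days; certbot renews by default
# once fewer than 30 days remain.
RENEW_WHEN_DAYS_LEFT = 30


def wildcard_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: '*.xyz.com' covers exactly one extra label.

    It covers app.xyz.com but neither xyz.com nor a.b.xyz.com, which is why
    the certbot command in Step 3 lists both -d "*.<domain>" and -d <domain>.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, sep, rest = host.partition(".")
    return bool(sep) and head not in ("", "*") and rest == san[2:]


def uncovered_hosts(sans, hosts):
    """Hosts that no SAN entry covers; an empty list means the cert is fine."""
    return [h for h in hosts if not any(wildcard_matches(s, h) for s in sans)]


def parse_openssl_enddate(line: str) -> datetime:
    """Parse 'notAfter=Aug  1 12:00:00 2024 GMT' as printed by -enddate."""
    value = line.split("=", 1)[1].strip()
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_left(not_after: datetime, now=None) -> int:
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def needs_renewal(not_after: datetime, now=None) -> bool:
    return days_left(not_after, now) < RENEW_WHEN_DAYS_LEFT


if __name__ == "__main__":
    # Constructed sample: a wildcard-only cert does not cover the bare domain.
    print("uncovered:", uncovered_hosts(["*.xyz.com"], ["xyz.com", "www.xyz.com"]))
    not_after = parse_openssl_enddate("notAfter=Aug  1 12:00:00 2024 GMT")
    print("renew now?", needs_renewal(not_after))
```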
