Jan 13, 2020
15 minute read
Generate wildcard SSL certificate with engineyard interation
First, we are going to generate a wildcard SSL certificate for our domain and then will see the process of integrating that certificate in engineyard.Â
First, let’s see the brief about terms we are going to use in this blog
What is SSL and why it is used?
SSL certificates are used to create an encrypted channel between the client and the server. Transmission of such data as credit card details, account login information, any other sensitive information has to be encrypted to prevent eavesdropping.
What is a wildcard certificate?
A wildcard certificate is a digital certificate that is applied to a domain and all its subdomains. … Secure Sockets Layer (SSL) certificates often use wildcards to extend SSL encryption to subdomains. A conventional SSL certificate works on a single domain
Why Let's Encrypt?
Let’s Encrypt is a free, automated, and open Certificate Authority. That means you do not need to pay charges for SSL Certificate
Let’s start step by step process to create our wildcard certificate.
Step 1:Â First you need to ssh login to your server
ssh <user>@<server_address | ip_address>
Step 2: Â Once you are logged in to your server you need to install certbot to process furtherÂ
- Certbot is not available in the default ubuntu repository. Run the below command to add ppa repository.
sudo add-apt-repository ppa:certbot/certbot
- Update packages using the below command.
sudo apt update
- Run below command to install certbot
sudo apt install certbot
- Check certbot which certboat is installed with below command
apt-cache policy certbot | grep -i Installed
Step 3:Â Now as we have certbot installed on our server we are able to generate a certificate , use below command to generate a wildcard certificate
sudo certbot certonly --manual -d *.<your_domain> -d <your_domain> --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server
https://acme-v02.api.letsencrypt.org/directory
Here you need to replace <your_domain> with your original domain. For eg: xyz.com. In the process we have –preferred-challenges dns-01 there are other options available if you want to try go to reference https://letsencrypt.org/docs/challenge-types/Â
Step 4:Â In this process, you will be asked to add TXT Record in your DNS.
- For that, you need to login to your DNS(Domain Provider like Bigrock, GoDaddy and more) account.
- Then find DNS records management panel, this depends on your domain provider system.
- Add TXT records given in the last step like below
Name: <your_domain>
Value: _acme-challenge=<value_generated_by_above_command>
- You can test whether TXT Records Added on DNS or not on =>Â https://mxtoolbox.com/
- You need to follow this process two times. it will verify that you are the owner of the domain which you claim or acting as owner and then it will generate certificates for your domain with a validity of 3 months
Step 5:Â Add Certificates to your engine yard
- Login to your engine yard account
- From tools dropdown select SSL certificate
- Click button named and Add SSL Certificate
- Add Name for your certificate so you can identify.
- Select radio button named ‘Upload SSL Certificate’
- In SSL Certificate Text Area add the certificate from a file generated in the last step named Fullchain.pemÂ
View content of that file with below command [ in ssh logged in terminal ]
sudo cat /etc/letsencrypt/live/unimedliving.com/fullchain.pem
In SSL Certificate Key Text Area add the certificate from a file generated in the last step named privkey.pem
View content of that file with below command [ in ssh logged in terminal ]
sudo cat /etc/letsencrypt/live/unimedliving.com/privkey.pem
Finally, Click on add certificate it will take some time to appear this certificate for the selection.
You have added a certificate in your engine yard now you need to assign that certificate to your web app.
Go to the Dashboard of engine yardÂ
Select the app in which you want to assign SSL CertificateÂ
In SSL section you can see the option called ‘Assign SSL Certificate to <your app>’
From SSL Certificate dropdown select the certificate you named uniquely.
Then click on update SSL Settings
All things are set and done now you only need to click ‘Apply’ button
After your changes applied to your environment you can check that your app is now SSL Protected.
You can perform SSL test on ->Â https://www.whynopadlock.com/
You can use the same process for renewing your certificate after 90 days. If you use single domain SSL you can make this process automated by adding the script, but for wildcard domains, you can not perform automated process because it requires DNS Challenge to perform, in future there might be a way to do these challenges automated as well. We will update our blog if such a technique developed. Â
If you face any difficulties in following the above process, comment on the blog we will be happy to help. Thank you!
