A little while ago I posted about Let’s Encrypt as a method of getting SSL Certificates for free.
Recently I had a customer who wants a community website, and they want to offer “communityName.example.com” URLs.
In this post I’ll explain how I use Dehydrated to generate wildcard Let’s Encrypt SSL certs.
So, I have a customer who wants to build a community website, nothing new.
They want to offer their community users a custom URL specific to their name, in the form of username.example.com.
You’re going to need:
- A working Dehydrated install.
- A working Bind 9 server.
- The Bind 9 server must be authoritative for the domain.
- Some bash skillz yo.
I have a separate DNS server and web server.
So that means I have to have a copy of the key file on both machines.
We’ll get to that …
Generate a hmac-sha512 Key
So, we all know I’m a Debian user.
What that means, is all the Googling in the world kept pointing me to use dnssec-keygen to generate my key.
Well, dnssec-keygen isn’t around anymore. Instead tsig-keygen is our friend.
tsig-keygen is part of the bind9 package, so I’m running this command on my nameserver.
Let’s generate a key:
Don’t panic: this is not my key 😁
You’ll need to copy this into a file. I called my file letsencrypt_wildcard_key.conf and placed it in my /etc/bind directory.
Include the key in Bind9
Pretty simple. You have to tell Bind9 about your key.
So in named.conf.local
Edit the zone file to allow updates
In your domain zone, you will need to allow updates from people and/or processes using that key (so keep it secret!).
In the key file we named the key “letsencrypt_wildcard”
In the zone file we refer to: “letsencrypt_wildcard.”
Notice the period/full stop at the end?
The update policy is restrictive.
It only allows updates to the subdomain _acme-challenge.example.com, and only its TXT record.
The Wildcard zone
You’ll also need a wildcard entry in your zone:
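Here is an added example (not the post’s own config files) that renders the Bind 9 pieces described in the sections above: the key statement in the format `tsig-keygen -a hmac-sha512 letsencrypt_wildcard` prints, the include line for named.conf.local, a zone statement in both the over-broad `allow-update` form and the restrictive `update-policy` form the post uses, and the wildcard record. The key name and zone match the post; the zone file path, the secret passed in, and the 192.0.2.10 address are placeholders I chose for the example.

```shell
#!/usr/bin/env bash
# Added example (not the post's own config): render the Bind 9 fragments described
# above for a zone that lets one TSIG key publish ACME challenge records.
# The zone file path, the secret and the wildcard address are placeholders.
set -eu

KEY_NAME="letsencrypt_wildcard"
ZONE="example.com"
ZONE_FILE="/etc/bind/db.${ZONE}"   # assumed path of the zone file

# Key statement in the format tsig-keygen prints. $1 is the base64 secret;
# in real use paste the tsig-keygen output, never a hand-made value.
key_statement() {
    printf 'key "%s" {\n\talgorithm hmac-sha512;\n\tsecret "%s";\n};\n' "$KEY_NAME" "$1"
}

# Line for named.conf.local: keep the secret in its own root-owned file.
include_line() {
    printf 'include "/etc/bind/%s_key.conf";\n' "$KEY_NAME"
}

# Zone statement. "broad" lets the key holder rewrite any record in the zone;
# "restrictive" (what the post uses) only allows TXT at _acme-challenge.<zone>.
# In update-policy the key is an identity name, hence the trailing dot.
zone_statement() {
    local mode="$1"
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n' "$ZONE" "$ZONE_FILE"
    case "$mode" in
        broad)
            printf '\tallow-update { key "%s"; };\n' "$KEY_NAME" ;;
        restrictive)
            printf '\tupdate-policy {\n\t\tgrant %s. name _acme-challenge.%s. TXT;\n\t};\n' "$KEY_NAME" "$ZONE" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '};\n'
}

# Wildcard record for the zone file itself (192.0.2.10 is an RFC 5737 documentation address).
wildcard_record() {
    printf '*\tIN\tA\t192.0.2.10\n'
}

# Write the fragments under a staging directory ($1) so they can be reviewed
# before being copied into /etc/bind. $2 is the secret.
write_fragments() {
    local dir="$1" secret="$2"
    mkdir -p "$dir"
    key_statement "$secret" > "$dir/${KEY_NAME}_key.conf"
    chmod 640 "$dir/${KEY_NAME}_key.conf"   # the secret is as sensitive as the cert's private key
    { include_line; zone_statement restrictive; } > "$dir/named.conf.local.fragment"
    wildcard_record > "$dir/wildcard.zone.fragment"
}
```

Once a zone accepts dynamic updates, Bind keeps the live data in a journal file next to the zone file; if you later edit the zone file by hand, run `rndc freeze example.com` first and `rndc thaw example.com` afterwards, otherwise the hand edits and the journal fight each other. Check the result with `named-checkconf` before restarting.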
Restart Bind9 and make sure everything is tickety boo 👍.
The Wildcard hook file
So, Dehydrated uses hooks to run stuff during the certifying process.
On my webserver, in the /etc/dehydrated directory I’m going to create a new file called wildcard_hook.sh
chmod 755 /etc/dehydrated/wildcard_hook.sh
Note: This bash script uses nsupdate, which is part of the dnsutils package
So install dnsutils if you need to
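As an added example, and not the post’s own wildcard_hook.sh, here is a hook of the kind the section describes: Dehydrated invokes it as `hook.sh <hook_name> <args...>`, and for `deploy_challenge` and `clean_challenge` the arguments are the domain, the token filename and the token value. The script turns those into an nsupdate batch signed with the TSIG key (`nsupdate -k` reads the same key file format that tsig-keygen prints). The nameserver name, the key file path on the web server and the 60-second TTL are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the post's wildcard_hook.sh): a Dehydrated dns-01 hook that
# publishes and removes _acme-challenge TXT records with nsupdate and the TSIG key.
# Server name, key file path and TTL are assumptions for this example.
set -eu

NS_SERVER="${NS_SERVER:-ns1.example.com}"   # assumption: your authoritative Bind 9 server
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/dehydrated/letsencrypt_wildcard_key.conf}"  # copy of the tsig-keygen output
TTL=60

# Build the nsupdate batch for one challenge. $1 is add|delete, $2 the domain
# Dehydrated passes, $3 the token value. Pure text, so it can be reviewed
# (or tested) without touching DNS.
render_update() {
    local action="$1" domain="$2" token="$3"
    domain="${domain#\*.}"   # Dehydrated hands over "example.com" for "*.example.com"; tolerate both
    printf 'server %s\n' "$NS_SERVER"
    if [ "$action" = add ]; then
        printf 'update add _acme-challenge.%s. %s IN TXT "%s"\n' "$domain" "$TTL" "$token"
    else
        printf 'update delete _acme-challenge.%s. IN TXT "%s"\n' "$domain" "$token"
    fi
    printf 'send\n'
}

# Send the batch; -k points nsupdate at the key file, so the update is TSIG-signed
# and Bind's update-policy can match it against the key name.
send_update() {
    render_update "$@" | nsupdate -k "$TSIG_KEY_FILE"
}

# Dehydrated hook entry points, called with: DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    send_update add "$1" "$3"
    sleep 10   # let the server (and any secondaries) serve the record before Let's Encrypt looks
}

clean_challenge() {
    send_update delete "$1" "$3"
}

# Dehydrated calls the hook as: hook.sh <hook_name> <args...>
# Other hook names (deploy_cert, unchanged_cert, ...) are deliberately ignored.
hook="${1:-}"
case "$hook" in
    deploy_challenge|clean_challenge) shift; "$hook" "$@" ;;
esac
```

To use it, either set `CHALLENGETYPE="dns-01"` and `HOOK="/etc/dehydrated/wildcard_hook.sh"` in /etc/dehydrated/config, or pass them on the command line: `dehydrated -c -d '*.example.com' -t dns-01 -k /etc/dehydrated/wildcard_hook.sh`. The key file copied to the web server should be readable only by the user Dehydrated runs as, since anyone who can read it can publish records under _acme-challenge and so pass the challenge for your domain.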
Generate a cert
Here’s the exciting bit, let’s see if it works:
We’ve generated a wildcard SSL cert!
Now in theory, you could probably cron this. I haven’t yet.
I want to keep an eye on the process.
I do, however, have a separate reporting process that keeps an eye on all my SSL certs, and emails me if one is going to expire in the next 20 days.
So, I have a backup plan for my SSL certs.
Maybe, one day I’ll blog about my SSL report?
Good luck, and Happy Secure Browsing! 😊