Securing web servers has never been more crucial, and one effective way to achieve this is by using wildcard certificates. These certificates simplify the management of SSL/TLS encryption for multiple subdomains under a single domain. In this guide, we will walk through the process of enabling a wildcard certificate for your web server on Linux.
We’ll cover everything from the basics of wildcard certificates to preparing your Linux environment, generating the certificate, and automating its renewal.
What is a Wildcard Certificate?
A wildcard certificate is a digital SSL/TLS certificate that secures every first-level subdomain of a domain. For instance, a wildcard certificate for *.example.com covers www.example.com, mail.example.com and blog.example.com. It does not extend to deeper levels, such as sub.blog.example.com, and it does not cover the bare domain example.com either; to secure the apex as well, request example.com as an additional name in the same certificate.
This type of certificate streamlines security and reduces the complexity of managing certificates for every subdomain individually. That said, let’s move on to setting one up.
Prerequisites
Before diving into the setup process, ensure the following:
- A Linux server with administrative privileges.
- Certbot installed on your server.
- Access to Cloudflare for DNS management.
Step 1: Install and Configure Certbot
Certbot is a free and open-source tool for obtaining and managing SSL/TLS certificates. Follow these steps to set it up:
Install Certbot
Use snap to install Certbot:
sudo snap install --classic certbot
Prepare the Certbot Command
To make Certbot easier to invoke, create a symbolic link:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Allow the Plugin to Run with Root
Certbot's DNS plugins run with Certbot's root privileges, and snap refuses to connect them until you explicitly permit that:
sudo snap set certbot trust-plugin-with-root=ok
Install the DNS Plugin
Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so HTTP validation is not an option; Certbot needs a plugin that can create the required _acme-challenge TXT records for you. Install the Cloudflare DNS plugin:
sudo snap install certbot-dns-cloudflare
Step 2: Create a Cloudflare API Token
Cloudflare requires an API token to authenticate Certbot for DNS management. Use a scoped API token rather than the account's Global API Key; the token only needs to edit DNS in one zone. Here's how to create it:
- Log in to Cloudflare and navigate to the API Tokens page.
- Click "Create Token" and choose the "Edit zone DNS" template.
- Configure the token:
- Permissions: leave the template default (Zone, DNS, Edit).
- Zone Resources: set to "Specific Zone" and select your domain, so the token cannot touch any other zone in the account.
- Client IP Address Filtering: (optional) restrict use of the token to your server's IP address.
- TTL: leave as default.
- Save the token: Cloudflare shows it only once. Copy it straight into the credentials file created in the next step rather than leaving it in an unprotected scratch file.
Step 3: Create a Cloudflare Credentials File
Certbot needs a credentials file to use the Cloudflare API token. Perform the following:
- Create a directory to store credentials:
sudo mkdir -p ~/.secrets/certbot/
- Open a new file using a text editor, such as Vim:
sudo vim ~/.secrets/certbot/cloudflare.ini
- Insert the following content:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = <API-TOKEN>
- Replace <API-TOKEN> with the token created in the previous step.
- Save and exit Vim (:x).
- Secure the file by restricting permissions:
sudo chmod 600 ~/.secrets/certbot/cloudflare.ini
Anyone who can read this file can rewrite the DNS records of your zone, so it must be readable only by the root account that runs Certbot (Certbot warns when the credentials file is more permissive than this). Note also that ~ is expanded by the shell you type the command in, whereas a script executed with sudo may see ~ as /root; if you keep the file anywhere other than the location Certbot will run as, refer to it by its absolute path in the next step.
Step 4: Request a Wildcard Certificate
Now, you are ready to generate the wildcard certificate.
Create a Script for Certificate Request
- Open a new file for your script:
sudo vim ~/CertReq.sh
- Add the following script:
#!/bin/bash
# Request one certificate covering the apex name and all first-level subdomains.
# The wildcard is quoted so the shell does not treat it as a filename glob.
# This script runs under sudo, so ~ may expand to /root; use an absolute path
# to the credentials file if you stored it elsewhere.
certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d example.com \
  -d "*.example.com"
- Replace example.com with your actual domain name. Requesting the bare domain and the wildcard together yields a single certificate that covers the apex as well as every first-level subdomain.
- Save the file and exit Vim (:x).
- Make the script executable:
sudo chmod a+x ~/CertReq.sh
Run the Script
Execute the script to generate the certificate:
sudo ~/CertReq.sh
Certbot creates the _acme-challenge TXT record through the Cloudflare API, waits the configured 60 seconds for it to propagate, lets Let's Encrypt validate it, and then removes the record again. The certificate and key are written under /etc/letsencrypt/live/<domain>/ (fullchain.pem and privkey.pem), which is where your web server configuration should point.
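Once the certificate exists, it is worth confirming which names it actually covers, because the single-label wildcard rule described at the start of this guide trips people up (*.example.com matches www.example.com but not example.com or sub.blog.example.com). The script below is an added example and is not part of the original article or of Certbot: it extracts the DNS names from a certificate's Subject Alternative Name extension with openssl and applies the wildcard matching rule to a list of host names. The function names (covered_by_san, covered, san_names, demo), the example.com names and the self-signed certificate it generates for the demo are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: check which host names a
# certificate covers. "*.example.com" matches exactly one DNS label, so it
# covers www.example.com but neither example.com nor sub.blog.example.com.

# covered_by_san NAME SAN
# Returns 0 when one SAN entry (an exact name or "*.parent") covers NAME.
covered_by_san() {
  name=$1
  san=$2
  case "$san" in
    \*.*)
      parent=${san#\*.}
      case "$name" in
        *."$parent")
          prefix=${name%."$parent"}
          # The part standing in for "*" must be exactly one non-empty label.
          case "$prefix" in
            '' | *.*) return 1 ;;
            *)        return 0 ;;
          esac ;;
        *) return 1 ;;
      esac ;;
    *)
      [ "$name" = "$san" ] ;;
  esac
}

# covered NAME SAN...  prints "yes" if any SAN covers NAME, otherwise "no".
covered() {
  name=$1
  shift
  for san in "$@"; do
    if covered_by_san "$name" "$san"; then
      echo yes
      return 0
    fi
  done
  echo no
  return 1
}

# san_names CERT.pem  prints the DNS names from the SAN extension, one per
# line (needs OpenSSL 1.1.1 or newer for the -ext option).
san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Demo on a constructed self-signed certificate carrying the same SAN set the
# request script asks Let's Encrypt for. Point san_names at
# /etc/letsencrypt/live/<domain>/fullchain.pem to check a real certificate.
demo() {
  tmp=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
    -subj "/CN=*.example.com" \
    -addext "subjectAltName=DNS:*.example.com,DNS:example.com" \
    >/dev/null 2>&1 || return 1
  sans=$(san_names "$tmp/cert.pem")
  set -f   # keep "*.example.com" from being expanded as a filename glob
  for host in www.example.com example.com sub.blog.example.com example.org; do
    printf '%-22s %s\n' "$host" "$(covered "$host" $sans)"
  done
  set +f
  rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then
  demo
fi
```

Running it prints yes for www.example.com and example.com and no for sub.blog.example.com and example.org. Drop the apex from the request script and the second line flips to no, which is exactly the case the intro warns about.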
Step 5: Automate Certificate Renewal
Let's Encrypt certificates are valid for 90 days, making renewal a critical step. Fortunately, the Certbot snap installs a systemd timer that runs certbot renew twice a day and renews any certificate that is within 30 days of expiry, reusing the Cloudflare credentials recorded with the original request.
Test Automatic Renewal
Run the following command to test the renewal process:
sudo certbot renew --dry-run
If the test is successful, Certbot will automatically renew your certificates before they expire. A renewal only writes new files; your web server keeps serving the old certificate until it reloads, so add a --deploy-hook (for example, a command that reloads nginx or Apache) to the request script so that it is stored with the certificate and run after every successful renewal.
Troubleshooting Tips
Common Errors
- Permission Denied: ensure the Cloudflare credentials file has the correct permissions (chmod 600) and that the path in the script is where the file actually lives when the script runs as root.
- Invalid API Token: verify that the token is still active, carries Zone DNS Edit permission and is scoped to the zone you are requesting names in. Cloudflare's token verification endpoint (/client/v4/user/tokens/verify) reports whether a token is valid.
- DNS problem or NXDOMAIN for _acme-challenge: the TXT record had not propagated when Let's Encrypt looked it up; raise --dns-cloudflare-propagation-seconds.
Checking Logs
If you encounter issues, check Certbot's logs for details:
sudo cat /var/log/letsencrypt/letsencrypt.log
Conclusion
Enabling a wildcard certificate for your Linux web server simplifies the process of securing subdomains while maintaining robust encryption. By leveraging Certbot and Cloudflare’s DNS plugin, you can automate both the issuance and renewal of certificates, ensuring uninterrupted security for your web applications.
With this guide, you’re now equipped to deploy wildcard certificates efficiently. Let’s secure the web, one domain at a time.