I recently created a new site on Acquia’s hosting platform, and of course, had to install an SSL certificate. Because I anticipate the addition of several subdomains in the future, I wanted to simplify things by creating a single certificate that would cover each of these with the fewest headaches. The trouble is, wildcard certs are expensive: Spending over $200 on what amounts to the most basic security requirement for any website seems way, way out of line, especially for my own private vanity project.
So I decided to do the frugal thing and generate a free cert from Letsencrypt.org. For anyone unfamiliar with Let’s Encrypt, it’s a service provided by the Internet Security Research Group. This non-profit believes encryption should be attainable and affordable for anyone online, and they’ve provided over a billion free certs since their creation in 2016.
While Let’s Encrypt certificates are functionally the same as paid certificates, there is a small catch: these certs expire after only 90 days. While it’s possible to run routines that renew them automatically, many hosts, including Acquia, don’t allow automated renewals, since this is considered a potential security risk at the server level.
Fortunately, creating, renewing and installing a Let’s Encrypt wildcard certificate on Acquia turns out to be even easier than installing a single-domain cert as described in the platform’s own documentation. It is so easy, in fact, that periodically updating my SSL certs is just going to be a regular part of my routine web housekeeping.
Letsencrypt.org provides an easy mechanism for you to generate your own cost-free certs. In short: install a program called “Certbot” on your local machine, run a few terminal commands, and then add a validation string that Certbot generates to your domain’s DNS records.
When Certbot finishes, it creates certificates on your local machine that you just copy and paste into your Acquia dashboard. Activate the certs like you would any other Acquia SSL certificate, and you’ll suddenly see a lock icon on your browser whenever you visit your site or its subdomains.
Really, that’s all there is to it: Since the certificate is validated at the DNS level, you don’t need to create any additional directories in your deployments. You don’t have to add anything to your repos, and you don’t even have to generate a CSR on the server. I can’t think of an easier way to add encryption.
Read on for more details.
- Install Certbot: If you are on a Mac, you can use Homebrew to install Certbot. Just open up a terminal and run the following command:
brew install certbot
The full process of installing Homebrew, or even Certbot itself, is beyond the scope of this article, but if you need more detailed instructions, you can find them here: https://certbot.eff.org/lets-encrypt/osx-other.html
- Next, generate your domain cert using the following commands:
sudo certbot certonly --manual --no-eff-email --agree-tos -m you@example.com -d '*.example.com' -d example.com --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory
A few notes on these flags: Any hostname you want to protect needs its own domain flag (-d), so you’ll want to add both the bare domain and the wildcard. The wildcard is quoted so your shell doesn’t try to expand the asterisk against files in the current directory. Replace you@example.com with the address that should receive expiry notices.
The --preferred-challenges=dns flag tells Let’s Encrypt that validation of the cert will happen at the DNS level (the DNS-01 challenge), not through a special file added to our repo. That makes things much, much easier, since we’ll only need to add a single TXT record to our DNS, rather than having to generate new CSRs or new challenge directories on the server itself.
- Immediately after running that command, Certbot prints a long validation string that you need to add to your DNS as a TXT record. It will look something like this:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
K2SYSL-DDBB83-a9HgphgvNhLp45QlMlsing.
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Before doing anything else, copy the string, go to your DNS provider and create a new TXT record with “_acme-challenge” as the name (under example.com) and the string as the value. Wait a minute for the DNS change to complete, then press Enter in your terminal.
One more thing: I am not sure how long it takes for new TXT records to propagate across the web. I use Google Domains for DNS registration, and these records updated almost immediately.
- Assuming everything worked out, you should now see something that looks like this:
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2021-03-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
As you can see, the Let’s Encrypt servers queried your DNS for validation, and, having found the TXT record with the matching value, Certbot wrote the certificate files to the path shown in the message. Now, you just have to take care of some housekeeping on your Acquia dashboard, and you’re all set.
- Log into the Acquia Control panel, and go to the SSL section of any environment you want to protect. In the Label field, give the record any name you’d like. For example: something like ‘Letsencrypt-[date]’.
Add the remaining records to their fields in the form. In addition to creating fullchain.pem and privkey.pem, Certbot also creates a standalone cert.pem (the certificate itself) and a standalone chain.pem (the intermediate CA certificate) in the same directory.
Pro-tip: Rather than opening any of these files, use the cat and pbcopy commands to copy each file to your clipboard, then just paste it into the matching field. In other words, add the cert to the SSL field by running:
sudo cat /etc/letsencrypt/live/example.com/cert.pem | pbcopy
Then just paste the result into the SSL field.
Next, run:
sudo cat /etc/letsencrypt/live/example.com/privkey.pem | pbcopy
and paste the result into the SSL Private Key field.
And finally, run:
sudo cat /etc/letsencrypt/live/example.com/chain.pem | pbcopy
and paste that result into the CA intermediate certificates field.
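Before pasting, it pays to confirm that the three files belong together, that the certificate really lists both example.com and *.example.com, and how long it has left, since the 90-day expiry is what turns this into a recurring chore. The script below is an added example, not code from the original post, from Certbot or from Acquia; it assumes openssl is on your PATH (the LibreSSL build that ships with macOS handles these subcommands) and that you run it with sudo so it can read privkey.pem.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files Certbot
# wrote before pasting them into the Acquia SSL form, and warn when the
# certificate is inside its last 30 days so the manual renewal gets scheduled.
# Assumptions: openssl on PATH; run with sudo so privkey.pem is readable.

# key_matches_cert KEY CERT
# Returns 0 when the public half of KEY equals the public key inside CERT.
# A mismatched pair is the usual reason a certificate upload is rejected.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_covers CERT NAME
# Returns 0 when NAME is listed as a DNS Subject Alternative Name in CERT.
# Parses the -text dump so it works on old OpenSSL and LibreSSL alike.
cert_covers() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *DNS://' \
        | grep -Fxq "$2"
}

# cert_expires_within CERT DAYS
# Returns 0 when CERT expires within DAYS days (or cannot be read).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_live_dir DIR DOMAIN
# Runs every check against DIR/{cert,privkey}.pem and reminds you which
# file goes into which Acquia field. Returns 1 if any hard check fails.
check_live_dir() {
    dir=$1
    domain=$2
    status=0
    if key_matches_cert "$dir/privkey.pem" "$dir/cert.pem"; then
        echo "OK   privkey.pem matches cert.pem"
    else
        echo "FAIL privkey.pem does not match cert.pem"
        status=1
    fi
    for name in "$domain" "*.$domain"; do
        if cert_covers "$dir/cert.pem" "$name"; then
            echo "OK   cert.pem covers $name"
        else
            echo "FAIL cert.pem does not cover $name"
            status=1
        fi
    done
    if cert_expires_within "$dir/cert.pem" 30; then
        echo "WARN cert.pem expires within 30 days: re-run certbot and re-upload"
    else
        echo "OK   cert.pem is valid for more than 30 days"
    fi
    echo "Acquia fields: SSL certificate <- cert.pem; SSL private key <- privkey.pem; CA intermediate certificates <- chain.pem"
    return "$status"
}

# Usage: sudo LE_DOMAIN=example.com sh check_le.sh
if [ -n "${LE_DOMAIN:-}" ]; then
    check_live_dir "/etc/letsencrypt/live/$LE_DOMAIN" "$LE_DOMAIN"
fi
```

The expiry check uses openssl’s own -checkend rather than parsing dates, so the same script works with the BSD date on macOS and GNU date on Linux; dropping it into a monthly reminder is enough to keep the 90-day cycle from catching you out.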
Click ‘Install’, then ‘Activate’, and you are done. Well… not quite. Make sure to clear your Varnish caches and update your .htaccess file to redirect users to HTTPS. Now you really are ready to experience all the joys of a fully secure — and free — wildcard-protected domain.