Letsencrypt wildcard SSL Beeline Tips

Handy tips and commands for getting or renewing wildcard SSL certificates with the Let's Encrypt DNS challenge.

I had eagerly waited to see this screen, congratulating me on the SSL certificate that has been issued, after a couple of commands and an eager “loooong time to live”, as I think of TTL. Kidding, it's actually just Time To Live. Will get to it in a bit.

This is for people who are working on enabling SSL on their site, in other words moving their site from http:// to https://, so they should have a basic idea of what is mentioned repeatedly here, like domain name, DNS and challenge records, to mention a few. A wildcard certificate covers hosts like (just an example) chennai.newdomain.in, mumbai.newdomain.in, bangalore.newdomain.in, basically anything with a dot before the base domain name.

There are many wonderful articles on Medium about making wildcard certificates work with Let's Encrypt and whichever DNS provider we are with, e.g. GoDaddy or others. All of them are very, very detailed indeed.

However, there are a few things I had not seen them specify, or perhaps they assumed them to be “understood”, I am not sure. So these are the challenges I faced and figured out how to get past.

All of these can be googled, but having them all collated in sequence here can help finish the Beeline!!

1. The articles say create a TXT record for the ACME challenge verification on the DNS (Domain Name System) provider (say GoDaddy, BigRock), to verify ownership.

The format many of them don't specify: we have to supply “_acme-challenge” verbatim in the host name field, with no trailing “dot”, and that's it. We don't need to specify the domain name anywhere at all. The screenshot below is from BigRock and is kind of self-explanatory, but GoDaddy gives no clue as to whether it should start with _, have a dot or not, what about the domain name, and so on.

2. The articles always say copy the value for the TXT record given by certbot. We will be running certbot from a terminal screen, so how do we copy a specific piece of text? I run it on an Ubuntu terminal. certbot supplies the value and waits. I can't copy this value alone, so I copy the contents of the whole screen, like in the screen below, paste it into an editor like Notepad and then take the value alone to create the TXT record.

3. What TTL means in terms of wait time — It is the Time To Live for the TXT record; every DNS provider has its own lowest value, at GoDaddy it is 600 seconds, roughly 10 mins. TTL is the time for which the value of the record lives in cache on DNS resolvers worldwide. But from what I saw, it is also roughly the same time it takes for new values to propagate. So we add a TXT record and also have to wait at least this many seconds/minutes for the value to be verifiable by certbot. I had worked only in IST, and even this minimum of 10 mins was possible only after 9 PM IST. During my daytime the wait is unknown; I have never successfully verified a TXT record in the daytime in IST, always after 9 PM.

4. Once the TXT value is available, certbot can verify. — How do we know it is available on DNS?

We are talking about an indefinite wait for this, so if we go and hit Enter on, say, our first terminal where certbot runs to verify, it will fail. So I run a second terminal instance where I issue this dig command. If nothing comes out, I keep repeating it till I see the same value as in the first terminal, then hit Enter on the certbot screen:

dig +short -t txt _acme-challenge.newdomain.in

Note: The first screen has to be kept active till then, otherwise sometimes I got into a lock (will see that in point 6). I shift between the 2 screens to do so.
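The manual “keep repeating dig” loop from step 4 can be scripted so the second terminal tells us when to press Enter. This is an added example written for this post, not a command from the original article or from certbot; it assumes dig (dnsutils/bind-utils) is installed, and the domain, the expected value and the timeout are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: poll the _acme-challenge TXT
# record until it shows the value certbot printed, then tell the user to
# press Enter on the certbot screen. Assumes `dig` is installed; domain and
# expected value are placeholders given as arguments.

# Query the record. dig +short prints each TXT value wrapped in double quotes,
# one per line; empty output means the record is not visible yet.
query_txt() {
    dig +short -t txt "_acme-challenge.$1" 2>/dev/null
}

# Read dig output on stdin; return 0 if any line (quotes stripped) equals the
# expected value. Stale values from an earlier issuance are simply ignored.
has_value() {
    expected="$1"
    while IFS= read -r line; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# Poll every $interval seconds until the value appears or $timeout seconds pass.
# The default timeout of 1800 s covers three of GoDaddy's 600 s TTL windows.
wait_for_txt() {
    domain="$1"
    expected="$2"
    timeout="${3:-1800}"
    interval=30
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if query_txt "$domain" | has_value "$expected"; then
            echo "_acme-challenge.$domain shows the expected value after ${elapsed}s; press Enter on the certbot screen."
            return 0
        fi
        echo "Not visible yet (${elapsed}s elapsed), checking again in ${interval}s..."
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "Gave up after ${timeout}s without seeing the expected value." >&2
    return 1
}

# Usage: sh wait_txt.sh newdomain.in '<value certbot printed>' [timeout-seconds]
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2" "${3:-1800}"
fi
```

Note that dig without an @server asks the local resolver, which may keep handing back the old cached answer for a full TTL; pointing it at the domain's authoritative nameserver (dig @ns1.yourprovider ...) shows the change as soon as the provider publishes it.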

5. Renewal for wildcard domains — verify with the new TXT value from certbot. Okay, so when we renew, we come in, run certbot and have a tendency to go and change the already existing TXT record's value to the one freshly issued by certbot.

In my experience, updates don't follow any timeline, not even the TTL we saw above, to get cached and refreshed on all DNS servers. So when I come in for renewal, I delete all existing TXT records, keep the add-record form ready with just the value left to fill in, fill it in as in step 4 and then save. This works for sure within the expected wait time.

6. Sometimes, during the time we wait “digging”, the certbot screen freezes and leaves a lock on a few certbot files. We can't run certbot again with this lock; first we have to clear it. This command I googled, and it helped me clear the lock:

find / -type f -name ".certbot.lock" -exec rm {} \;
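The lock file exists so that two certbot instances never run at the same time, so the one check worth adding before deleting it is that no certbot process is still alive (for example, the frozen first terminal from step 4). The wrapper below is an added example, not part of the original post or of certbot; it assumes pgrep is available, and the search root argument is an assumption that lets it be tried on a scratch directory before running it against /.

```shell
#!/bin/sh
# Added example, not from the original post: remove stale .certbot.lock files
# only when no certbot process is running. Assumes pgrep; the search root is
# a placeholder argument (defaults to / like the original command).

# Return 0 if a certbot process exists. On a minimal system without pgrep we
# cannot tell, so we report "not running" and let the caller decide.
certbot_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x certbot >/dev/null 2>&1
}

# Delete every .certbot.lock below $root, refusing if certbot is still alive.
clear_certbot_lock() {
    root="${1:-/}"
    if certbot_running; then
        echo "certbot is still running; leaving .certbot.lock alone" >&2
        return 1
    fi
    find "$root" -type f -name ".certbot.lock" -exec rm -v {} \;
}

# Usage: sh clear_lock.sh            (searches /)
#        sh clear_lock.sh /some/dir  (searches only that tree)
if [ "${CLEAR_LOCK_NOW:-}" = 1 ]; then
    clear_certbot_lock "${1:-/}"
fi
```

Run it as CLEAR_LOCK_NOW=1 sh clear_lock.sh once the first terminal has been closed; if the check refuses, kill or finish the stuck certbot first rather than deleting the lock underneath it.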

7. Renewal of SSLs — This is for auto renewal of regular domains, not wildcards, but I thought I would just mention it. It is enough to have the below params in the renewal config file if we do it in standalone mode, that is, we take care of restarting the web server ourselves after renewal of all domains is over.

# renew_before_expiry = 30 days
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/xxx.in
cert = /etc/letsencrypt/live/xxx.in/cert.pem
privkey = /etc/letsencrypt/live/xxx.in/privkey.pem
chain = /etc/letsencrypt/live/xxx.in/chain.pem
fullchain = /etc/letsencrypt/live/xxx.in/fullchain.pem
# Options used in the renewal process
account = 1192c13d426c12adea64f34277a765f1
authenticator = manual

Hope this helps somebody who is new to this world of web, servers, domains, certificates and all the other associated words, as I was a year back!!