Cara Membuat Sertifikat Wildcard Let's Encrypt dengan Certbot
Sebelum pembaruan ACME2 Let's Encrypt, setiap subdomain harus menggunakan sertifikat SSL khusus untuk subdomain tersebut. Sekarang, sebuah sertifikat wildcard (misalnya untuk *.situsku.dev), dapat digunakan untuk seluruh subdomain (misalnya developer.situsku.dev dan mail.situsku.dev).
Instalasi
Certbot mendukung wildcard certificate untuk versi 0.22 ke atas. Cek ketersediaan certbot di repository:
$ sudo apt-cache search certbot
certbot - automatically configure HTTPS using Let's Encrypt
Jika certbot tidak ditemukan (contoh pada Ubuntu), tambahkan ppa repository:
$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK
Update repository dan install certbot:
$ sudo apt update
$ sudo apt install certbot
Membuat Sertifikat
Sebagai contoh. saya akan menerbitkan sertifikat wildcard untuk situsku.dev.
$ sudo certbot certonly --manual -d *.situsku.dev --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Gunakan alamat email yang valid dan jawab tawaran informasi dari Electronic Frontier Foundation:
debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): admin@situsku.dev
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for situsku.dev
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.situsku.dev with the following value:
B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Sebelum meneruskan, catat nama record DNS TXT (text) dan nilainya (pada contoh ini _acme-challenge.situsku.dev
dan B5ip6w63GrFfASueEFZ-usoMsAVOF4sxVcSTwxHcoOos
). Masukkan ini pada pengaturan server (biasanya disebut "DNS Zone Editor").
Tunggu beberapa saat sampai propagasi selesai (sekitar 10-20 menit), setelah itu lanjutkan penerbitan sertifikat dengan menekan Enter.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/situsku.dev-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/situsku.dev-0001/privkey.pem
Your cert will expire on 2018-06-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Cek keberadaan file sertifikat dan kunci di direktori yang tertera. Untuk memperbarui sertifikat, gunakan perintah certbot renew
.