How to Create a Let's Encrypt Wildcard Certificate with Certbot


Before Let's Encrypt's ACMEv2 endpoint went live, every subdomain had to be listed explicitly in a certificate (or get a certificate of its own). Since then a single wildcard certificate, for example for *.situsku.dev, covers every direct subdomain such as developer.situsku.dev and mail.situsku.dev. Three things to keep in mind: the wildcard matches exactly one label, so it covers neither the bare situsku.dev nor deeper names such as a.b.situsku.dev; wildcard names can only be validated with the DNS-01 challenge, so you need write access to the domain's DNS zone; and one private key then serves every subdomain, so a key compromise on any host using it affects all of them.
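The matching rule behind that caveat, as an added example that is not part of the original article or of certbot: which hostnames a *.situsku.dev certificate covers, and which -d arguments certbot needs so that a given set of hostnames is fully covered. situsku.dev is the article's example domain; the other hostnames and the helper names are assumptions made here.

```python
import re

# Added example, not part of the original article: the hostname-matching rule
# that decides which names a wildcard certificate covers, and the -d list certbot
# needs so that every desired hostname is covered. situsku.dev is the article's
# example domain; the other hostnames are made up.

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Certificate name matching is case-insensitive; a trailing dot is ignored."""
    return name.strip().lower().rstrip(".")


def wildcard_covers(san: str, hostname: str) -> bool:
    """True if the certificate name `san` (for example '*.situsku.dev') covers
    `hostname`. Let's Encrypt only issues wildcards where '*' is the entire
    left-most label, and clients match that '*' against exactly one label."""
    san, hostname = _normalize(san), _normalize(hostname)
    if not san.startswith("*."):
        return san == hostname                 # ordinary SAN: exact match only
    suffix = san[1:]                           # ".situsku.dev"
    if not hostname.endswith(suffix):
        return False                           # also rejects look-alikes such as evil-situsku.dev
    leftmost = hostname[: -len(suffix)]
    # one non-empty label and nothing else: "a.b.situsku.dev" has a dot here and fails
    return LABEL_RE.match(leftmost) is not None


def cert_covers(sans, hostname: str) -> bool:
    """True if any subjectAltName entry of the certificate covers the hostname."""
    return any(wildcard_covers(san, hostname) for san in sans)


def certbot_domains(hostnames) -> list:
    """Minimal -d arguments so every hostname is covered: the bare registrable
    domain is listed as-is, every other name is replaced by a wildcard for its
    parent. Assumption: the registrable domain is the last two labels, which is
    true for situsku.dev but not for multi-label public suffixes such as co.uk."""
    names = set()
    for host in map(_normalize, hostnames):
        labels = host.split(".")
        names.add(host if len(labels) <= 2 else "*." + ".".join(labels[1:]))
    return sorted(names)


if __name__ == "__main__":
    wanted = ["situsku.dev", "developer.situsku.dev", "mail.situsku.dev"]
    print("certbot -d arguments:", certbot_domains(wanted))
    for host in ["developer.situsku.dev", "situsku.dev", "a.b.situsku.dev"]:
        print(f"{host:22} covered by *.situsku.dev only: {wildcard_covers('*.situsku.dev', host)}")
```

For the three hostnames above the function returns ["*.situsku.dev", "situsku.dev"], i.e. the wildcard alone is not enough if the bare domain must be served too.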

Installation

Certbot has supported wildcard certificates since version 0.22.0, the first release with ACMEv2 support. Check whether certbot is available in your distribution's repository, and check which version it would install (apt-cache search only matches the package description; apt-cache policy certbot shows the candidate version):

$ sudo apt-cache search certbot
certbot - automatically configure HTTPS using Let's Encrypt

If certbot is not found, or the packaged version is older than 0.22 (as was the case on Ubuntu when this was written), add the Certbot PPA. Note that the ppa:certbot/certbot archive is no longer maintained by the Certbot project; on a current system follow the install instructions on certbot.eff.org (snap or pip) instead.

$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK

Update the package lists, install certbot, and confirm afterwards with certbot --version that the installed version is at least 0.22:

$ sudo apt update
$ sudo apt install certbot

Creating the Certificate

As an example, I will issue a wildcard certificate for situsku.dev. Quote the wildcard so the shell does not expand it against files in the current directory. This request covers only *.situsku.dev; to cover the bare domain as well, add -d situsku.dev (certbot will then ask for a second TXT record under the same _acme-challenge name, and both records must exist at the same time).

$ sudo certbot certonly --manual -d '*.situsku.dev' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Enter an email address that is actually read (it is used for expiry and security notices), and answer the Electronic Frontier Foundation's newsletter offer:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): admin@situsku.dev
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for situsku.dev

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.situsku.dev with the following value:

B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------
Press Enter to Continue

Before continuing, note the TXT record name and its value (in this example _acme-challenge.situsku.dev and B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos; copy the value exactly, it is case-sensitive). Add the record in your DNS provider's control panel (usually called the "DNS Zone Editor"). Let's Encrypt queries the zone's authoritative nameservers directly, so what a public resolver has cached is neither necessary nor sufficient.

Wait until the record is served by all of the zone's authoritative nameservers (typically 10-20 minutes, depending on the provider); check with dig against each nameserver rather than guessing, because pressing Enter too early fails the challenge, counts against Let's Encrypt's failed-validation rate limit, and means running certbot again. Once the record is visible, continue by pressing Enter.
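What that value is and how to check it is in place, as an added example that is neither the article's nor certbot's code: the TXT value is base64url(SHA-256(token "." thumbprint(account key))) per RFC 8555 and RFC 7638, which is why it is always 43 characters and cannot be forged by someone who only saw the token. The second half parses the output of dig +short TXT _acme-challenge.situsku.dev @<authoritative nameserver> and confirms every expected value is present, which matters when situsku.dev and *.situsku.dev are requested together and two records share one name. The account key, token and dig output below are constructed stand-ins.

```python
import base64
import hashlib
import json
import re

# Added example: not part of the original article and not certbot's code.
# It reproduces how the DNS-01 TXT value is derived (RFC 8555 section 8.4,
# RFC 7638) and checks a resolver answer for it before you press Enter.
# The account key and token below are constructed stand-ins, not real ones.

TOY_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "toy-modulus-not-a-real-key-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
}
TOY_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The string certbot asks you to publish at _acme-challenge.<domain>:
    base64url(SHA-256(token "." thumbprint(account key))). Binding the value to
    the account key means knowing the token alone is not enough to pass."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_values_from_dig(dig_short_output: str) -> set:
    """Parse `dig +short TXT <name>` output: one record per line, each a sequence
    of double-quoted strings that are concatenated to give the record value."""
    values = set()
    for line in dig_short_output.splitlines():
        chunks = re.findall(r'"([^"]*)"', line)
        if chunks:
            values.add("".join(chunks))
    return values


def challenge_is_deployed(expected_values, dig_short_output: str) -> bool:
    """True only if every expected value is present. Requesting situsku.dev and
    *.situsku.dev together yields two TXT values under the same name; the second
    record must be added alongside the first, not replace it."""
    return set(expected_values) <= txt_values_from_dig(dig_short_output)


if __name__ == "__main__":
    value = dns01_txt_value(TOY_TOKEN, TOY_ACCOUNT_JWK)
    print("publish at _acme-challenge.situsku.dev:", value)
    # constructed resolver output, shaped like `dig +short TXT _acme-challenge.situsku.dev @ns1`
    answer = f'"{value}"\n"B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos"\n'
    print("deployed:", challenge_is_deployed([value], answer))
```

Run the dig query against every nameserver listed in the zone's NS records, not just one, and feed each answer to challenge_is_deployed; only press Enter in certbot when all of them return True.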

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/situsku.dev-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/situsku.dev-0001/privkey.pem
Your cert will expire on 2018-06-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

Check that the certificate and key exist at the paths shown, and confirm with openssl x509 that the subjectAltName lists *.situsku.dev and that the notAfter date matches the expiry printed above. The -0001 suffix means a lineage named situsku.dev already existed on this machine; the live/ directory holds symlinks to the newest files under /etc/letsencrypt/archive/, so point the web server at the live/ paths and use --cert-name to choose the lineage name explicitly. privkey.pem is created readable by root only; keep it that way rather than loosening permissions for a service, and run the service with a user that has access, or copy the key into its own protected location. Renewal is the catch with this procedure: certbot renew can only repeat challenges it can perform on its own, and a lineage obtained with --manual and no --manual-auth-hook is skipped with an error when run non-interactively. Either repeat the manual steps before the 90-day expiry or supply a --manual-auth-hook script or a DNS plugin for your provider that publishes the TXT record automatically.