How to Create a Let's Encrypt Wildcard Certificate with Certbot

G. Prasetyadi

Before Let's Encrypt's ACME v2 update, each subdomain had to use an SSL certificate issued specifically for that subdomain. Now a single wildcard certificate (for example for *.situsku.dev) can be used for all of its subdomains (for example developer.situsku.dev and mail.situsku.dev).

Installation

Certbot supports wildcard certificates from version 0.22 onward. Check whether certbot is available in your repository:

$ sudo apt-cache search certbot
certbot - automatically configure HTTPS using Let's Encrypt

If certbot is not found (as on Ubuntu, for example), add the PPA repository:

$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK

Update the package index and install certbot:

$ sudo apt update
$ sudo apt install certbot

Creating the Certificate

As an example, I will issue a wildcard certificate for situsku.dev.

$ sudo certbot certonly --manual -d '*.situsku.dev' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Use a valid email address and answer the offer to share it with the Electronic Frontier Foundation:

debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): admin@situsku.dev
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for situsku.dev

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.situsku.dev with the following value:

B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------
Press Enter to Continue

Before continuing, note the DNS TXT record name and its value (in this example _acme-challenge.situsku.dev and B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos). Enter them in your hosting provider's DNS settings (usually called the "DNS Zone Editor").
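Rather than waiting a fixed time, you can confirm that every authoritative name server of the zone already answers with the new TXT value before pressing Enter in certbot. This is an added check, not part of the original post; the zone name, the challenge value and the constructed dig answers are assumptions, and the live check needs dig installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the _acme-challenge
# TXT record for a DNS-01 challenge is visible at every authoritative name
# server before pressing Enter in certbot. Names and values are assumed.

# A DNS-01 challenge value is the base64url SHA-256 digest of the key
# authorization: exactly 43 characters from [A-Za-z0-9_-], no padding.
# A copy/paste slip (an extra character, a stray hyphen) fails this check.
is_valid_challenge_value() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# $1: TXT answers as printed by `dig +short TXT ...` (one quoted string per
# line); $2: expected value. Succeeds only if some answer equals the value
# exactly (a substring or a stale record from an earlier run does not count).
txt_answers_contain() {
    printf '%s\n' "$1" | tr -d '"' | grep -Fxq -- "$2"
}

# Ask each authoritative server of the zone directly, bypassing resolver
# caches, which is what the CA's validation servers effectively see.
# $1: zone, e.g. situsku.dev; $2: expected challenge value.
check_authoritative() {
    zone=$1; expected=$2; failed=0
    for ns in $(dig +short NS "$zone"); do
        answers=$(dig +short TXT "_acme-challenge.$zone" "@$ns")
        if txt_answers_contain "$answers" "$expected"; then
            echo "ok      $ns"
        else
            echo "missing $ns"; failed=1
        fi
    done
    return $failed
}

# Constructed sample of what `dig +short` prints while a record from a
# previous run still lingers beside the new one on a server.
SAMPLE_ANSWERS='"oldvalue-from-a-previous-run-0000000000000"
"B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos"'

# Usage: sh check_txt.sh situsku.dev B5ip6w63GrFfASueEFZusoMsAVOF4sxVcSTwxHcoOos
if [ $# -ge 2 ]; then
    is_valid_challenge_value "$2" || { echo "value is not a 43-char base64url string" >&2; exit 2; }
    check_authoritative "$1" "$2"
fi
```

Because the certificate is obtained with --manual, every renewal repeats the TXT step, so the same check applies each time; certbot renew can only do this unattended if a --manual-auth-hook script publishes the record for it.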

Wait a while for propagation to complete (around 10-20 minutes), then continue the certificate issuance by pressing Enter.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/situsku.dev-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/situsku.dev-0001/privkey.pem
Your cert will expire on 2018-06-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

Check that the certificate and key files exist in the directory shown. To renew the certificate, use the certbot renew command.
