Let’s Encrypt Wildcard SSL nginx for WordPress Ubuntu 18.04

Let’s Encrypt has transformed the internet. Every website can now have a free SSL certificate! You can authenticate your website with Let’s Encrypt using the .well-known path, but with multiple virtual hosts this gets tedious, so Let’s Encrypt made it possible to issue wildcard SSL certificates by using DNS to authenticate the domain. The idea is straightforward: you add specific DNS TXT records to your domain, Let’s Encrypt uses them to verify that you own the domain, and it can then issue you a wildcard SSL certificate.

This tutorial will show you how to create a free SSL wildcard certificate from Let’s Encrypt and use it with nginx :).


Install the software-properties-common package so we can add the certbot repository

sudo apt install software-properties-common -y

Add the official certbot repository

sudo add-apt-repository ppa:certbot/certbot -y

Update the repository cache and install the python-certbot-nginx package

sudo apt update
sudo apt install python-certbot-nginx -y

Now we can generate the certificate!

If you want to include the root domain, i.e. both example.com and *.example.com, then you should jump down to the next section.

This command generates the wildcard certificate only, meaning that it covers all subdomains *.example.com but not the root domain example.com. The wildcard is quoted so the shell passes it to certbot unchanged.

sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d '*.example.com' --manual --preferred-challenges dns-01 certonly

You will be prompted to add a TXT record for _acme-challenge for your DNS zone so that the Let’s Encrypt servers can verify you own your domain.

Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

D5XZ-Colj4l4pmhQX-4RkFXEoR9O94kIv_eQiiBsifs

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Including the root domain in your free SSL certificate requires adding the root domain explicitly with another -d flag specifying it.

sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 certonly

You will have to add 2 TXT records for DNS in order to make the root domain and wildcard subdomains work. One is for the root domain and one for the wildcard domain.
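Certbot asks you to verify that the record is deployed before continuing. The following is an added example, not part of the original tutorial: a pre-flight check that queries every authoritative nameserver directly. When the root and wildcard names are requested together, both TXT values sit under the same _acme-challenge name, so the check takes several values. It assumes dig is installed and that the domain you pass is the zone apex; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the dns-01 TXT values are published on every
# authoritative nameserver before pressing Enter at the certbot prompt.

# txt_contains_all VALUE...
# Reads `dig +short TXT` output on stdin (one quoted string per line) and
# succeeds only if every expected value appears as a complete answer.
txt_contains_all() {
    local answers expected
    answers=$(tr -d '"\r')
    for expected in "$@"; do
        # -F: literal match, -x: whole line, --: values may start with "-"
        printf '%s\n' "$answers" | grep -Fxq -- "$expected" || return 1
    done
}

# check_acme_txt DOMAIN VALUE...
# Queries each authoritative nameserver directly, so a cached or partially
# propagated answer from a recursive resolver cannot hide a missing record.
check_acme_txt() {
    local domain="$1" ns count=0 rc=0
    shift
    for ns in $(dig +short NS "$domain"); do
        count=$((count + 1))
        if dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_contains_all "$@"; then
            echo "ok       $ns"
        else
            echo "MISSING  $ns"
            rc=1
        fi
    done
    # No NS answers means nothing was checked; do not report success.
    [ "$count" -gt 0 ] || { echo "no NS records found for $domain" >&2; return 2; }
    return "$rc"
}

# Usage: check_acme_txt example.com 'FIRST_VALUE' 'SECOND_VALUE'
```

Press Enter in certbot only once every nameserver reports ok; a failed validation means starting over with a new TXT value.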

Once this completes you will get the paths to your certificate and private key files in /etc/letsencrypt/live/<domain> which you can add to your nginx virtual host.

The beginning of my nginx server block looks like this. Remember to reload nginx with service nginx reload after adding the SSL section.

server {
    listen 443 ssl http2;
    server_name guides.wp-bullet.com;
    error_log /var/log/nginx/guides.wp-bullet.com.ssl.error.log;
    access_log /var/log/nginx/guides.wp-bullet.com.ssl.access.log;
    root /var/www/guides.wp-bullet.com/;
    index index.php;
    # "ssl on;" is not needed: the ssl parameter on the listen line enables TLS
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_certificate /etc/letsencrypt/live/wp-bullet.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wp-bullet.com/privkey.pem; # managed by Certbot
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is offered
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_cache shared:SSL:10m;
    ...

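If you want to automatically say no to the EFF prompt below, you can try adding the -n flag to obtain the certificate non-interactively. Certbot also has a dedicated --no-eff-email flag that declines this prompt only, and with --manual a non-interactive run additionally needs a --manual-auth-hook script to publish the TXT record.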

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
