In a previous article I introduced how to issue an SSL cert for a single subdomain using acme.sh. If several services run on one server (e.g., cloud storage, blog, chatroom) and each service has its own subdomain, it is convenient to secure all of those subdomain names (hosts) under the same base domain with a single wildcard cert.

Install and configure acme.sh

Install acme.sh and create a symlink with ln so that the acme.sh command is on the PATH.

curl https://get.acme.sh | sh
ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh

Change the cert authority if you want (Let's Encrypt is the default).

# change to buypass
acme.sh --set-default-ca --server buypass
# change to letsencrypt
acme.sh --set-default-ca --server letsencrypt

Register an account with your email address.

acme.sh --register-account -m [email protected]

Create and import the domain name API token

The DNS API token is obtained from the DNS service provider of the domain; I use Cloudflare as the example here.

First, go to the API Tokens page.

[Screenshot] Go to the API Tokens page.

Click Create Token and use the Edit zone DNS template (typically the first one).

Under Zone Resources, select the domain for which the cert is to be issued, then click Continue to summary at the bottom to go to the next page.

[Screenshot] Select the domain name in Zone Resources.

Click Create Token.

[Screenshot] Create Token.

You will then obtain an API Token that is shown only once. Save it properly, as it can no longer be viewed after the page is closed. Because the token can edit the DNS records of the selected zone, store it like a password (restricted file permissions or a secrets store), not in a script checked into version control.

Start issuing

Log in to the server and set the environment variables with the corresponding values.

export CF_Token="The API Token"
export CF_Account_ID=""
export CF_Zone_ID=""
export CF_Email="[email protected]"

CF_Token is the API Token just obtained. CF_Account_ID and CF_Zone_ID can be found on the Overview page, which is opened by clicking the domain name.

[Screenshot] Zone ID and Account ID on the Overview page.

Next, issue the cert. Change domain.com below to your domain name. Both the base domain and the wildcard are requested, because *.domain.com alone does not cover domain.com itself; the wildcard is quoted so the shell does not expand it as a filename pattern. The -k ec-256 flag requests an ECC key, which is why the install step uses --ecc.

acme.sh --issue --dns dns_cf -d domain.com -d '*.domain.com' -k ec-256

Finally, install the cert as follows. Replace file_dir below with the directory your web server reads the key and cert from; the reloadcmd is run after every renewal so the server picks up the new cert.

acme.sh --install-cert -d domain.com -d '*.domain.com' --ecc \
--key-file       file_dir/server.key \
--fullchain-file file_dir/server.crt \
--reloadcmd      "systemctl force-reload nginx"

Now, all subdomains under a base domain such as blog.domain.com for blog, room.domain.com for chatroom, cloud.domain.com for cloud storage, can be secured by a single wildcard cert.
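The following script is an added example, not part of the original post or of acme.sh. It checks the installed pair after the --install-cert step: that server.key actually belongs to server.crt, that the cert is not about to expire, and which hostnames the cert's SAN entries cover. The wildcard_covers function implements the TLS name-matching rule that a wildcard label matches exactly one label, which is why the post issues both domain.com and *.domain.com and why a name such as a.b.domain.com would still be uncovered. It assumes openssl is on the PATH; the file paths and hostnames are the placeholders from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Post-install checks for the
# wildcard cert written by "acme.sh --install-cert". Assumes openssl on PATH.

# wildcard_covers NAME HOST
# Succeeds when certificate name NAME matches HOST under the usual TLS rule:
# "*.domain.com" covers blog.domain.com, but neither domain.com (the apex)
# nor a.b.domain.com (two labels); a plain name must match exactly.
wildcard_covers() {
  name=$1
  host=$2
  case $name in
    \*.*)
      suffix=${name#\*.}      # "domain.com"
      first=${host%%.*}       # leftmost label of the host
      rest=${host#*.}         # everything after the first dot (unchanged if no dot)
      [ -n "$first" ] && [ "$first" != "*" ] && [ "$host" != "$rest" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$name" = "$host" ]
      ;;
  esac
}

# cert_san_names CERT: print the DNS names from the Subject Alternative Name
# extension, one per line.
cert_san_names() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\(.*\)/\1/p'
}

# cert_covers_host CERT HOST: succeeds if any SAN entry in CERT covers HOST.
# Names are read line by line and always quoted so "*" is never globbed.
cert_covers_host() {
  cert_san_names "$1" | {
    while IFS= read -r n; do
      wildcard_covers "$n" "$2" && exit 0
    done
    exit 1
  }
}

# key_matches_cert KEY CERT: the public key derived from KEY must equal the
# public key embedded in CERT; a mismatch means nginx will refuse the pair.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# verify_installed_cert KEY CERT HOST...: run all checks, print a line per
# check, and return non-zero if any check fails.
verify_installed_cert() {
  key=$1
  cert=$2
  shift 2
  status=0
  if key_matches_cert "$key" "$cert"; then
    echo "ok:   private key matches certificate"
  else
    echo "FAIL: private key does not match certificate"; status=1
  fi
  # -checkend N succeeds only if the cert is still valid N seconds from now (7 days here)
  if openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null; then
    echo "ok:   certificate valid for at least 7 more days"
  else
    echo "FAIL: certificate expires within 7 days (or is unreadable)"; status=1
  fi
  for h in "$@"; do
    if cert_covers_host "$cert" "$h"; then
      echo "ok:   $h is covered by a SAN entry"
    else
      echo "FAIL: $h is not covered by any SAN entry"; status=1
    fi
  done
  return $status
}

# Usage: sh verify-cert.sh file_dir/server.key file_dir/server.crt domain.com blog.domain.com room.domain.com
if [ "$#" -ge 3 ]; then
  verify_installed_cert "$@"
fi
```

Run it with the key and fullchain paths from the --install-cert step followed by every hostname you intend to serve; a non-zero exit means one of the printed checks failed. It is also a reasonable thing to run from the reloadcmd before restarting the web server.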
