Issue a wildcard cert using acme.sh
In a previous article I showed how to issue a TLS cert for a single subdomain using acme.sh. If several services run on one server (e.g., cloud storage, blog, chatroom) and each has its own subdomain, it is convenient to cover all of those hosts under the same base domain with one wildcard cert. A wildcard cert can only be obtained through the DNS-01 challenge, so this needs API access to the DNS provider that hosts the domain.
Install and configure acme.sh
Install acme.sh and create a symlink using ln. The installer script runs with the privileges of the invoking user (root here, hence the /root/.acme.sh path), so review it before piping it into sh; it also installs a cron job that renews certificates automatically.
curl https://get.acme.sh | sh
ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh
Change the cert authority if you want. acme.sh defaults to ZeroSSL; whichever CA you choose must support wildcard certificates (Let's Encrypt does).
# change to buypass
acme.sh --set-default-ca --server buypass
# change to letsencrypt
acme.sh --set-default-ca --server letsencrypt
Register an account using your email (ZeroSSL requires this; replace the placeholder address).
acme.sh --register-account -m you@example.com
Create a DNS API token
The API token is obtained from the DNS provider that hosts the domain; Cloudflare is used as the example here. Prefer a scoped API token over the account-wide Global API Key (which acme.sh also accepts via CF_Key and CF_Email): the token can be restricted to editing DNS records of the single zone, so a leak of the server does not expose the rest of the account.
First, go to API Tokens page.
Click Create Token and use the Edit zone DNS template (usually the first one listed).
Under Zone Resources, select the domain for which the cert will be issued, then click Continue to summary at the bottom to go to the next page.
Click Create Token.
You will then be shown the API Token exactly once. Store it somewhere safe (a password manager or secrets store), because it cannot be viewed again after the page is closed; if it is lost, revoke it and create a new one.
Start issuing
Log in to the server and set the environment variables with the corresponding values.
export CF_Token="The API Token"
export CF_Account_ID=""
export CF_Zone_ID=""
# CF_Email is only needed together with the Global API Key (CF_Key), not with a token:
# export CF_Email="you@example.com"
CF_Token is the API Token just obtained; CF_Account_ID and CF_Zone_ID can be found on the domain's Overview page in the Cloudflare dashboard, reached by clicking on the domain name. acme.sh saves these values to ~/.acme.sh/account.conf after the first successful issue so that renewals run unattended; that file therefore holds the secret and should remain readable by root only.
Next, issue the cert. Replace domain.com below with your domain name. acme.sh creates a _acme-challenge TXT record through the Cloudflare API for the DNS-01 validation and removes it afterwards; -k ec-256 requests an ECDSA P-256 key. The wildcard is quoted so the shell cannot glob-expand it.
acme.sh --issue --dns dns_cf -d domain.com -d "*.domain.com" -k ec-256
Finally, install the cert as follows, replacing file_dir with your directory. Use --install-cert rather than copying files out of ~/.acme.sh by hand: acme.sh records the destination paths and the reload command, and the cron job that the installer set up re-runs them at every renewal. Because the key was generated with -k ec-256, --ecc is required here. Make sure the installed key file is readable only by root (or the nginx user).
acme.sh --install-cert -d domain.com -d "*.domain.com" --ecc \
--key-file file_dir/server.key \
--fullchain-file file_dir/server.crt \
--reloadcmd "systemctl force-reload nginx"
Now all hosts directly under the base domain, such as blog.domain.com for the blog, room.domain.com for the chatroom and cloud.domain.com for cloud storage, are secured by a single wildcard cert. Note that *.domain.com matches exactly one label, so a name like a.b.domain.com is not covered and would need its own cert or a second-level wildcard.
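The procedure above as one script, added here as an example and not code from the original post or the acme.sh project. It refuses to call the dns_cf hook without the Cloudflare credentials, quotes the wildcard, creates the key with an owner-only umask, treats acme.sh's "not yet due for renewal" exit status 2 as success so a re-run does not abort, and includes a small check of which hostnames a wildcard cert actually covers (one label only). The certificate directory /etc/ssl/<domain>, the nginx reload target and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the acme.sh project).
# Assumptions: acme.sh is on PATH, nginx is the reload target, and
# /etc/ssl/<domain> is a placeholder certificate directory.
set -eu

# A wildcard cert for *.base covers base itself and exactly one label
# below it: blog.base yes, a.b.base no, base.evil.test no.
covered_by_wildcard() {
  host=$1
  base=$2
  case $host in
    "$base") return 0 ;;
    *."$base")
      rest=${host%."$base"}
      case $rest in
        ""|*.*) return 1 ;;   # empty label, or more than one label
        *) return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Fail early if the dns_cf hook would be invoked without credentials.
# CF_Zone_ID is optional for acme.sh, so it is not required here.
require_cf_env() {
  for v in CF_Token CF_Account_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "error: $v is not set" >&2; return 1; }
  done
}

# Issue and install the cert for a base domain and its wildcard.
issue_wildcard() {
  domain=$1
  certdir=${2:-/etc/ssl/$domain}
  require_cf_env
  umask 077                     # new files, including the key, are owner-only
  mkdir -p "$certdir"
  # Exit status 2 means "skip, not yet due for renewal"; do not abort on it.
  acme.sh --issue --dns dns_cf -d "$domain" -d "*.$domain" -k ec-256 || [ $? -eq 2 ]
  acme.sh --install-cert -d "$domain" -d "*.$domain" --ecc \
    --key-file "$certdir/server.key" \
    --fullchain-file "$certdir/server.crt" \
    --reloadcmd "systemctl force-reload nginx"
  # Print the SAN list so both the base name and the wildcard can be verified.
  openssl x509 -in "$certdir/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: ./issue-wildcard.sh domain.com [/path/to/certdir]
if [ $# -ge 1 ]; then
  issue_wildcard "$@"
fi
```

Run it once with the CF_Token and CF_Account_ID variables exported; afterwards the acme.sh cron job renews the cert and re-runs the install step on its own, so the script does not need to be scheduled.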