In a previous article I introduced how to issue an SSL cert for a single subdomain using acme.sh. If several services run on one server (e.g., cloud storage, blog, chatroom) and each has its own subdomain, it is convenient to secure all of those hosts under the same base domain with a single wildcard cert.
Install acme.sh and create a symlink using

    curl https://get.acme.sh | sh
    ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh
Change the cert authority if you want.

    # change to buypass
    acme.sh --set-default-ca --server buypass
    # change to letsencrypt
    acme.sh --set-default-ca --server letsencrypt
Register an account using your email.

    acme.sh --register-account -m [email protected]
The DNS API credentials come from the DNS provider of the domain; I use Cloudflare as the example here.
First, go to the API Tokens page.
Click Create Token and use the Edit zone DNS template (typically the first one).
Under Zone Resources, select the domain for which the cert is to be issued, then click Continue to summary at the bottom to go to the next page.
Click Create Token.
You will then be shown an API Token that appears only once. Save it properly, as it can no longer be viewed after the page is closed.
Log in to the server and set the environment variables with the corresponding values.

    export CF_Token="The API Token"
    export CF_Account_ID=""
    export CF_Zone_ID=""
    export CF_Email="[email protected]"
CF_Token is the API Token just obtained; CF_Zone_ID can be found on the Overview page, which is reached by clicking the domain name.
Next, issue the cert. Change domain.com below to your domain name (the wildcard is quoted so the shell cannot glob-expand it).

    acme.sh --issue --dns dns_cf -d domain.com -d '*.domain.com' -k ec-256
Finally, install the cert as follows. Replace file_dir below with your directory; --ecc is required because the key was issued with -k ec-256.

    acme.sh --install-cert -d domain.com -d '*.domain.com' --ecc \
        --key-file file_dir/server.key \
        --fullchain-file file_dir/server.crt \
        --reloadcmd "systemctl force-reload nginx"
Now all subdomains under the base domain, such as blog.domain.com for the blog, room.domain.com for the chatroom and cloud.domain.com for cloud storage, are secured by a single wildcard cert.
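As an added example (not code from the original article or from the acme.sh project), here is a POSIX shell script that wraps the procedure above with the checks I would want around it: a preflight that refuses to start with a malformed domain, an empty CF_Token or an unwritable target directory, the issue and install commands with the wildcard quoted, and a post-install check that the leaf certificate really lists both DNS:domain.com and DNS:*.domain.com as SANs. The function names (is_base_domain, preflight, issue_and_install, cert_covers) and exit codes are my own; it assumes acme.sh is on PATH, the dns_cf hook is used, and the reload command is the nginx one from the article. One thing to keep in mind when you run it: acme.sh stores CF_Token in ~/.acme.sh/account.conf so that renewals work unattended, so that file needs the same protection as the private key.

```shell
#!/bin/sh
# Added example, not from the original article: wraps the acme.sh wildcard flow
# with checks before and after. Assumes acme.sh is on PATH, the dns_cf hook is
# used, and CF_Token holds the Cloudflare API token (names below are my own).

# 0 when $1 looks like a bare base domain: no scheme, no wildcard, no path.
is_base_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# Preflight before --issue. Exit codes: 1 bad domain, 2 empty CF_Token,
# 3 target directory missing or not writable. Failing early avoids a half-run
# that creates DNS challenge records and then cannot install anything.
preflight() {
    domain=$1; dir=$2
    is_base_domain "$domain" || return 1
    [ -n "${CF_Token:-}" ] || return 2
    [ -d "$dir" ] && [ -w "$dir" ] || return 3
    return 0
}

# Issue and install exactly as in the article. The wildcard is quoted so the
# shell can never glob-expand it, and --ecc matches the -k ec-256 key type.
# Exit codes: preflight codes, 4 issue failed, 5 install failed, then cert_covers.
issue_and_install() {
    domain=$1; dir=$2
    preflight "$domain" "$dir" || return $?
    acme.sh --issue --dns dns_cf -d "$domain" -d "*.$domain" -k ec-256 || return 4
    acme.sh --install-cert -d "$domain" -d "*.$domain" --ecc \
        --key-file "$dir/server.key" \
        --fullchain-file "$dir/server.crt" \
        --reloadcmd "systemctl force-reload nginx" || return 5
    cert_covers "$domain" "$dir/server.crt"
}

# 0 when the leaf cert in $2 lists both DNS:$1 and DNS:*.$1 as SANs; 1 when a
# name is missing; 2 when the file cannot be parsed. openssl x509 reads only
# the first certificate of a fullchain file, which is the leaf.
cert_covers() {
    domain=$1; cert=$2
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name') || return 1
    printf '%s\n' "$sans" | grep -Eq "DNS:$domain(,|$)" || return 1
    printf '%s\n' "$sans" | grep -Eq "DNS:\*\.$domain(,|$)" || return 1
}

# Usage: CF_Token=... ./wildcard.sh domain.com /etc/nginx/certs
if [ "${1:-}" ] && [ "${2:-}" ]; then
    issue_and_install "$1" "$2"
    echo "exit code: $?"
fi
```

cert_covers is the step I would not skip: if the issue command was run with only one -d by mistake, nginx still reloads happily with a cert that does not cover the wildcard, and the first sign is a browser error on blog.domain.com.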