Wildcard SSL On Ubuntu Server 20.04
Warning
This guide assumes:
- You are using NGINX
- You have a user with sudo permissions
- You have a Cloudflare account
- You have a domain name pointed to the server
This guide will walk you through how to set up wildcard SSL on an Ubuntu server running NGINX. It will use certbot and Cloudflare during this process.
Install the software
- Make sure snapd is up to date (it should already be installed):
  ```sh
  sudo snap install core; sudo snap refresh core
  ```
- Make sure certbot is not installed via the OS package manager:
  ```sh
  sudo apt-get remove certbot
  ```
- Install certbot:
  ```sh
  sudo snap install --classic certbot
  ```
- Prepare certbot:
  ```sh
  sudo ln -s /snap/bin/certbot /usr/bin/certbot
  ```
- Confirm the containment level:
  ```sh
  sudo snap set certbot trust-plugin-with-root=ok
  ```
- Install the Cloudflare DNS plugin:
  ```sh
  sudo snap install certbot-dns-cloudflare
  ```
Cloudflare
- Navigate to your profile and then the "API Tokens" tab.
- Create new credentials with the `Zone.DNS` permission scoped to the zone you are getting the certificate for.
- Record the token for the next steps.
Certbot configuration
- Create a new file on the server for the credentials in your home directory and add the lines below, replacing `##API-Token##` with your API token:
  ```ini
  # Cloudflare API token used by Certbot
  dns_cloudflare_api_token = ##API-Token##
  ```
- `chmod 600` the file so it is readable only by its owner and is not a security vulnerability.
- Acquire certificates for the main domain and all wildcards by running this command, replacing `##secret-location##` with the file path you created above and `example.com` with your domain (the wildcard is quoted so the shell does not expand it):
  ```sh
  sudo certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials ##secret-location## \
    -d example.com \
    -d '*.example.com' \
    -i nginx
  ```
- Test renewal:
  ```sh
  sudo certbot renew --dry-run
  ```
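An added check script (not part of the original guide) that confirms what the steps above set up: the credentials file is mode 600, the issued certificate actually lists both the apex and the wildcard name, and it is still far enough from expiry that renewal is not overdue. The file paths in the usage comments are assumptions; adjust them to your own.

```sh
#!/bin/sh
# Added example, not part of the original guide: post-setup sanity checks for
# the artefacts it produces. Paths in the usage comments are assumptions.

# 0 if the credentials file is a regular file whose mode is 600 (or the
# stricter 400), i.e. unreadable by group and others; 1 otherwise.
check_creds_mode() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(stat -c '%a' "$1")            # GNU stat, as on Ubuntu
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode, expected 600"; return 1 ;;
    esac
}

# 0 if the PEM certificate $1 lists every following argument as a DNS SAN.
# Clients match on SANs, so the apex and the wildcard must both be present.
cert_covers() {
    cert=$1; shift
    # openssl prints the SANs on one line as "DNS:a, DNS:b"; a trailing comma
    # is appended so every entry, including the last, can be matched exactly.
    sans="$(openssl x509 -in "$cert" -noout -text 2>/dev/null | grep 'DNS:'),"
    for name in "$@"; do
        case "$sans" in
            *"DNS:$name,"*) ;;   # quoted, so '*' in a wildcard name is literal
            *) echo "$cert does not cover $name"; return 1 ;;
        esac
    done
    return 0
}

# 0 if the certificate $1 is still valid for at least $2 days (renewal margin).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage (assumed paths; the guide does not name the credentials file):
# check_creds_mode "$HOME/cloudflare.ini"
# cert_covers /etc/letsencrypt/live/example.com/fullchain.pem example.com '*.example.com'
# cert_valid_for_days /etc/letsencrypt/live/example.com/fullchain.pem 30
```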
NGINX Configuration
- Check your site's NGINX configuration file to make sure it looks something like the below. This file is located in the `/etc/nginx/sites-available` folder.
  ```nginx
  server {
      listen 443 ssl;
      server_name example.com www.example.com;

      ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
      include /etc/letsencrypt/options-ssl-nginx.conf;
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

      add_header X-XSS-Protection "1; mode=block";
      add_header X-Frame-Options "SAMEORIGIN";

      root /var/www/example.com;
      index index.html index.php;

      location / {
          try_files $uri $uri/ =404;
      }

      location ~ \.php$ {
          include snippets/fastcgi-php.conf;
          fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
      }

      location ~ /\.ht {
          deny all;
      }
  }
  ```
Testing
Test your configuration with SSL Labs