
Wildcard SSL On Ubuntu Server 20.04

Warning

This guide assumes:

  • You are using NGINX
  • You have a user with sudo permissions
  • You have a Cloudflare account
  • You have a domain name pointed to the server

This guide walks through setting up a wildcard SSL/TLS certificate from Let's Encrypt on an Ubuntu 20.04 server running NGINX, using certbot with the Cloudflare DNS plugin. Wildcard certificates can only be issued through the DNS-01 challenge, so certbot needs an API token that lets it create TXT records in your Cloudflare zone.

Install the software

  1. Make sure snapd is up to date (should already be installed)

    sudo snap install core; sudo snap refresh core
    

  2. Make sure certbot is not installed via OS package manager

    sudo apt-get remove certbot
    

  3. Install certbot

    sudo snap install --classic certbot
    

  4. Put the certbot command on the PATH

    sudo ln -s /snap/bin/certbot /usr/bin/certbot
    

  5. Confirm plugin containment level (this lets the DNS plugin snap run with certbot's root privileges)

    sudo snap set certbot trust-plugin-with-root=ok
    

  6. Install Cloudflare DNS plugin

    sudo snap install certbot-dns-cloudflare
    

Cloudflare

  1. In the Cloudflare dashboard, navigate to My Profile and then the API Tokens tab.
  2. Create an API token (not the Global API Key) with the Zone:DNS:Edit permission, restricted to the zone you are getting the certificate for.
  3. Record the token for the next steps; Cloudflare shows it only once.

Certbot configuration

  1. Create a new file on the server for the credentials, in your home directory or under /root (certbot runs as root), and add the lines below, replacing ##API-Token## with your API token.

    # Cloudflare API token used by Certbot
    dns_cloudflare_api_token = ##API-Token##
    

  2. Restrict the file with chmod 600 so no other user on the server can read the token (certbot warns if the permissions are looser).

  3. Acquire a certificate covering the apex domain and all first-level subdomains by running this command, replacing ##secret-location## with the path of the file you created above and example.com with your domain. Quote the wildcard so the shell does not try to expand it, and note that *.example.com covers names such as www.example.com but not deeper names such as a.b.example.com. certonly only obtains the certificate; the NGINX configuration is done by hand in the next section.

    sudo certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials ##secret-location## \
        -d example.com \
        -d '*.example.com' \
        -i nginx
    

  4. Test renewal (the certbot snap installs a scheduled renewal job; the dry run exercises it against the Let's Encrypt staging environment without issuing a certificate)

    sudo certbot renew --dry-run
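
The credentials-file and certbot steps above as one script, added here as an example and not code from the original guide. It assumes (none of this is on the page) that the token arrives in the CF_TOKEN environment variable rather than on the command line, that the file lives under /root/.secrets/certbot/, and that the script runs as root via sudo. It leaves out the -i nginx flag because it never touches the NGINX configuration; instead a deploy hook reloads NGINX after each renewal. It also includes a small check for the single-label wildcard rule mentioned above.

```shell
#!/bin/sh
# Added example, not code from the original guide: the credentials-file and
# certbot steps as one script. Assumptions (not from the page): the token
# arrives in the CF_TOKEN environment variable, the file lives under
# /root/.secrets/certbot/, and the script is run as root via sudo.
set -eu

DOMAIN="${DOMAIN:-example.com}"
CREDS_FILE="${CREDS_FILE:-/root/.secrets/certbot/cloudflare.ini}"

# Write the credentials file under umask 077 so it is created mode 600 and is
# never readable by other users, not even briefly before a later chmod.
write_credentials() {
    _file="$1"; _token="$2"
    (
        umask 077
        mkdir -p "$(dirname "$_file")"
        printf '# Cloudflare API token used by Certbot\ndns_cloudflare_api_token = %s\n' \
            "$_token" > "$_file"
    )
    chmod 600 "$_file"   # also tighten a file that already existed with a looser mode
}

# True only if the file is exactly mode 600 (certbot warns about looser modes).
credentials_are_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# True if NAME is covered by a certificate for DOMAIN and *.DOMAIN: the apex
# itself or exactly one label below it. A wildcard matches a single label,
# so a.b.DOMAIN is not covered.
covered_by_wildcard() {
    _name="$1"; _domain="$2"
    if [ "$_name" = "$_domain" ]; then
        return 0
    fi
    case "$_name" in
        *."$_domain")
            _label="${_name%."$_domain"}"
            case "$_label" in
                ""|*.*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Obtain the certificate. The wildcard is quoted so the shell cannot expand
# it, and the deploy hook (saved into the renewal config by certbot) reloads
# NGINX after every successful renewal, which a plain certonly run would not do.
request_certificate() {
    certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$2" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "$1" \
        -d "*.$1" \
        --deploy-hook 'systemctl reload nginx'
}

main() {
    : "${CF_TOKEN:?export CF_TOKEN=<Cloudflare API token> before running}"
    write_credentials "$CREDS_FILE" "$CF_TOKEN"
    if ! credentials_are_private "$CREDS_FILE"; then
        echo "refusing to continue: $CREDS_FILE is not mode 600" >&2
        exit 1
    fi
    request_certificate "$DOMAIN" "$CREDS_FILE"
    certbot renew --dry-run
}

# Only act when invoked as "certbot-wildcard.sh run" (hypothetical file name);
# sourcing the file for its functions is harmless.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sudo env CF_TOKEN=<token> DOMAIN=example.com sh certbot-wildcard.sh run`; `sudo env` is needed so the token variable survives the privilege change. Passing the token through the environment instead of an argument keeps it out of shell history and process listings.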
    

NGINX Configuration

  1. Check your site's NGINX configuration file (in the /etc/nginx/sites-available folder) to make sure it looks something like the example below. The options-ssl-nginx.conf and ssl-dhparams.pem files are written by certbot's nginx plugin; confirm they exist on the server, because the include fails otherwise. options-ssl-nginx.conf sets the TLS protocols and ciphers but does not add a Strict-Transport-Security header. After editing, validate with nginx -t before reloading NGINX.
    server {
      listen 443 ssl;
      server_name example.com www.example.com;

      # Paths created by certbot; the "live" symlinks always point at the current certificate
      ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
      # certbot's recommended TLS protocol and cipher settings
      include /etc/letsencrypt/options-ssl-nginx.conf;
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

      # X-XSS-Protection is a legacy header that current browsers ignore
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Frame-Options "SAMEORIGIN";

      root /var/www/example.com;

      index index.html index.php;

      location / {
        try_files $uri $uri/ =404;
      }

      # PHP-FPM 7.4 is the Ubuntu 20.04 default; adjust the socket path for other versions
      location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
      }

      # Never serve .htaccess / .htpasswd files left over from Apache
      location ~ /\.ht {
        deny all;
      }
    }
    

Testing

Test the deployed configuration with the SSL Labs server test (https://www.ssllabs.com/ssltest/). Check that the certificate chain is reported as complete and that a subdomain such as www.example.com is covered by the wildcard.


Last update: November 26, 2020