Free wildcard certs with Let’s Encrypt & DNS auth ft. Route 53

By | 17th May 2018

Let’s Encrypt, everyone’s favorite SSL certificate authority, recently announced on their forum (here) support for wildcard SSL certificates via the ACMEv2 API. Wildcard SSL certificates still cost as much as $150-300/yr on the market, so getting them for free is a huge bonus.

Install Certbot

Grab the Certbot tool for issuing Let’s Encrypt signed SSL certificates. Follow this link to install Certbot for your OS. I am using Ubuntu 16.04.

Make sure you have version 0.22 or higher installed.

Install the Route 53 plugin. If you want to use another DNS provider, replace certbot-dns-route53 with an option from below.

You have various DNS providers as options. Click on the provider that you are using to get the usage guide.

Issue SSL certs with Route 53 auth

Amazon Route 53 is the DNS provider that I use, so I am going to proceed with that. Create a user in IAM for programmatic access with the AmazonRoute53FullAccess policy.

AWS IAM Access key ID and Secret access key for DNS auth

You will be presented with the Access key ID and the Secret access key. Store this in ~/.aws/config in the following format:

Let’s generate the certs. Make sure you add --server https://acme-v02.api.letsencrypt.org/directory to point Certbot at the v2 API, which supports wildcard certs. At the time of writing this article the latest version of Certbot was still pointing to the v1 API by default. You can track the progress of the change in the defaults here.

Make sure you set up a cron job for auto-renewal. All settings, including the DNS plugin and API endpoint used, are saved automatically, so the renewal does not need them repeated.
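The issuance steps above, wrapped in a small POSIX shell script as an added example that is not part of the original post: it checks the Certbot version floor, checks that the file holding the Route 53 keys is owner-only, composes the certonly command pinned to the ACMEv2 endpoint, and emits a renewal cron line. It assumes certbot-dns-route53 is installed and the keys are already saved in ~/.aws/config as described; the domain, e-mail and cron schedule are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the
# certbot-dns-route53 plugin is installed and ~/.aws/config holds the keys.
set -eu

ACME_V2="https://acme-v02.api.letsencrypt.org/directory"

# Return 0 when dotted version $1 is at least $2 (0.22.2 >= 0.22), else 1.
version_at_least() {
    have=$1; want=$2
    while [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        [ "${h:-0}" -gt "$w" ] && return 0
        [ "${h:-0}" -lt "$w" ] && return 1
        case $have in *.*) have=${have#*.};; *) have=;; esac
        case $want in *.*) want=${want#*.};; *) want=;; esac
    done
    return 0
}

# The file holding the Route 53 access keys must be readable by its owner only.
creds_mode_ok() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c2-10)
    [ "$perm" = "rw-------" ] || [ "$perm" = "r--------" ]
}

# Compose the certonly command for an apex domain plus its wildcard.
# --server pins the v2 API; a v1 default would reject the "*." name.
issue_cmd() {
    printf 'certbot certonly --dns-route53 --server %s -d %s -d "*.%s" -m %s --agree-tos -n' \
        "$ACME_V2" "$1" "$1" "$2"
}

# Cron entry for the renewal step; certbot reuses the saved plugin and server.
renew_cron_line() {
    printf '0 3 * * * certbot renew --quiet\n'
}

# Usage: sh issue_wildcard.sh example.com admin@example.com (placeholder values)
if [ $# -eq 2 ]; then
    ver=$(certbot --version 2>&1 | awk '{print $2}')
    version_at_least "$ver" 0.22 || { echo "certbot $ver is older than 0.22" >&2; exit 1; }
    creds_mode_ok "$HOME/.aws/config" || { echo "run: chmod 600 ~/.aws/config" >&2; exit 1; }
    issue_cmd "$1" "$2"; echo
    renew_cron_line
fi
```

The script prints the command and cron line rather than running them, so you can review the exact invocation before issuing.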

Issuing certificates for other DNS providers should be similar. Following the usage guide should be enough. Make sure Certbot is pointed to the v2 API.

My friend pointed me to acme.sh which supports more providers for DNS auth and is more customisable. There are many other ACMEv2 compatible Let’s Encrypt clients listed here.
