Lets Encrypt now supports the use of a wildcard certificate.
What this mean is that rather than having to list all your sub domains in the SSL cert, you can now add *.mydomain.com. It also mean that if you add an additional sub domain you wont have to re-apply for new certificate.
So how does it work?
For this guide I will use LE64.exe - it's a Microsoft Windows command line app which fetches the cert for us. We just need to plug in some commands to get what we need.
This setup presumes you have access to your domain registrar and that you know how to add domain records, in this case a TXT record.
1. Download LE64 from - https://github.com/do-know/Crypt-LE/releases
2. Extract the zip to a working directory i.e. C:\LE64 and you should see a LE64.exe.
3. Create a bat file in the same folder, call it le64.bat
4. In the bat file we need to add the custom attributes or commands. Edit the bold italics below with your details.
le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --export-pfx mypfxpassword --domains "*.***mymedia.cf***" --generate-missing --handle-as dns --api 2 --unlink
This command will create the CSRs, CRT, Key and a PFX cert with a password.
Save the BAT file.
5. Run the le64.bat (its currently in test mode). A command window will open and after a few lines of text it will stop and ask you to add a DNS record with your Domain Registrar to verify you own the domain name.
6. Head over to your domain registrar. For this guide I will be using Cloudflare. Log in and head to DNS or DNS records.
- Add the TXT record with the text string from the command line window, should look something like the below when entered.
- You now have to wait a few minutes for the Records to propagate the internet. Can be up to 30mins or more in some cases.
To test the propagation, open a CMD prompt and enter the following
nslookup -q=txt _acme-challenge.mymedia.cf
Press enter and if the propagation was successfull it should return the txt value you entered. If it fails to find it, wait a little longer and try again. If the TXT doesnt match, re-enter it again with your Domain Registrar.
9. If the text records matched, hit enter on the le64.bat window to continue with fetching the certificates. You should now have FAKE Lets Encrypt certs. Reason they are fake is that this was it test mode. If all worked ok you now have to repeat from No.4 above but adding --live to the end of the BAT file. Like below-
le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --export-pfx mypfxpassword --domains "*.mymedia.cf" --generate-missing --handle-as dns --api 2 --unlink --live
You will need to change the DNS TXT record as it will be different this time. Also once the above has completed and you have the certs, you can delete the TXT record with your domain registrar.
Previously with DNS verification that the above uses, come renewal time you will have to re-verify your DNS. However I have tested it with le64, aslong as the CSR and CSR.key are kept in the same folder and that you renew your certificate with at least 30 days still left on the cert then you wont have to do the DNS verification again.