How to obtain a wildcard SSL certificate from Let's Encrypt and set up Nginx to serve wildcard subdomains
sudo apt update
sudo apt install nginx
sudo apt install php-fpm php-mysql
sudo apt install certbot python3-certbot-nginx
Set up DNS so that every subdomain resolves to the server
- Create an A record with HOST * pointing to your server's IP address (e.g. 103.21.0.108); this catches every subdomain that has no more specific record of its own.
- Create an A record with HOST @ pointing to the same IP address; this is the bare domain.
- Add a CNAME record with HOST www pointing to @, so www follows whatever address the bare domain has.
sudo certbot certonly --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d 'example.com' -d '*.example.com'
Note: replace example.com with your domain name. A wildcard name covers exactly one label (www.example.com, app.example.com) and not the bare domain, so the bare domain is listed as a second -d; quoting the wildcard keeps the shell from expanding it as a glob. Let's Encrypt only issues wildcards through the DNS-01 challenge, which is why --manual is used here instead of the nginx plugin.
Certbot then prints a TXT record name (_acme-challenge.example.com) and a value. Create that record at your DNS provider and confirm it is visible from outside (for example with dig +short TXT _acme-challenge.example.com) before pressing Enter, otherwise validation fails. A certificate obtained with --manual does not renew automatically: either repeat this procedure before it expires or give certbot a --manual-auth-hook script that creates the record through your DNS provider's API.
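Two checks that belong with this step, written here as an added example rather than taken from the original page: whether the _acme-challenge TXT record is already visible on the zone's own authoritative name servers (the servers Let's Encrypt's validators query), and which hostnames a certificate name such as *.example.com actually covers. It assumes dig from dnsutils is installed; example.com and the sample hostnames are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original page. Two checks around the DNS-01
# wildcard step: (1) is the _acme-challenge TXT record visible on the zone's
# authoritative servers before telling certbot to continue, and (2) which
# hostnames a certificate name actually covers. Assumes dig (dnsutils) is
# installed; example.com below is a placeholder.
set -eu

# Print "yes" if HOST is covered by certificate name SAN under the matching
# rule CAs and browsers use (RFC 6125): a wildcard stands for exactly one
# non-empty label, so *.example.com covers www.example.com but neither
# example.com nor a.b.example.com. Comparison is case-insensitive.
san_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$san" in
    \*.*)
      suffix=${san#\*.}
      case "$host" in
        *.*."$suffix") echo no ;;    # two or more labels under the suffix
        ?*."$suffix")  echo yes ;;   # exactly one label
        *)             echo no ;;    # bare domain, other domain, partial match
      esac
      ;;
    *)
      if [ "$host" = "$san" ]; then echo yes; else echo no; fi
      ;;
  esac
}

# Poll the zone's authoritative name servers (what Let's Encrypt's validators
# ask, regardless of what your local resolver has cached) until the TXT
# record certbot asked for is present. Usage: wait_for_txt example.com <value>
wait_for_txt() {
  zone=$1 value=$2 name="_acme-challenge.$1" tries=0
  while [ "$tries" -lt 30 ]; do
    for ns in $(dig +short NS "$zone"); do
      if dig +short TXT "$name" @"$ns" | tr -d '"' | grep -qxF "$value"; then
        echo "$name is live on $ns"
        return 0
      fi
    done
    tries=$((tries + 1))
    sleep 10
  done
  echo "$name not visible on authoritative servers after 5 minutes" >&2
  return 1
}

# Stand-alone run: show what the wildcard issued above does and does not cover.
for h in www.example.com example.com a.b.example.com; do
  echo "$h covered by *.example.com: $(san_matches "$h" '*.example.com')"
done
```

Run wait_for_txt with your domain and the value certbot printed while certbot is still waiting at its prompt; only press Enter once it reports the record live. The san_matches output is the reason the bare domain is requested separately above: the wildcard alone leaves example.com uncovered, and a second level such as a.b.example.com is never covered by *.example.com.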
Create the document root and the nginx site file (replace your_domain with your domain; the site file below uses pakistanisp.org as its example):
sudo mkdir -p /var/www/your_domain
sudo nano /etc/nginx/sites-available/your_domain
Create /etc/letsencrypt/options-ssl-nginx.conf with the following contents (the certbot nginx plugin writes this same file on first use; if it already exists, keep the existing copy):
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# Create ssl-dhparams.pem, used by the DHE ciphers listed above (generation takes a while)
sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
server {
    listen 80;
    server_name pakistanisp.org *.pakistanisp.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    # list the bare domain only if the certificate also covers it
    server_name pakistanisp.org *.pakistanisp.org;

    ssl_certificate /etc/letsencrypt/live/pakistanisp.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pakistanisp.org/privkey.pem;
    # both files were created above directly under /etc/letsencrypt, not under live/<domain>
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/pakistanisp.org;
    index index.html index.php;

    location / {
        # use the "?$args" form so non-default permalinks don't break when a query string is present
        #try_files $uri $uri/ /index.php?$args;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # only hand real files to PHP: with cgi.fix_pathinfo enabled, a request such as
        # /uploads/image.png/x.php would otherwise execute the uploaded file
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        # With php-cgi listening on TCP:
        # fastcgi_pass 127.0.0.1:9000;
        # With php-fpm; the socket name carries the installed PHP version (check ls /var/run/php/)
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
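The site above serves every subdomain from one document root. A variant that gives each subdomain its own directory and refuses hostnames that are not ours, added here as an example and not part of the original page (it assumes the same certificate paths as above and a /var/www/sites/<subdomain>/ directory layout, both of which are assumptions):

```nginx
# Added example, not part of the original page. Assumes the wildcard certificate
# for *.pakistanisp.org issued as above and one directory per site under
# /var/www/sites/<subdomain>/.

# Catch-all for any Host that is not ours (or access by bare IP): close the
# connection instead of serving the first vhost's content with a mismatched cert.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/pakistanisp.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pakistanisp.org/privkey.pem;
    return 444;
}

server {
    listen 80;
    server_name ~^(?<sub>[a-z0-9-]+)\.pakistanisp\.org$;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    # exactly one label made of hostname characters, so $sub can never carry a
    # "/" or ".." into the document root path below
    server_name ~^(?<sub>[a-z0-9-]+)\.pakistanisp\.org$;

    ssl_certificate /etc/letsencrypt/live/pakistanisp.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pakistanisp.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/sites/$sub;
    index index.html index.php;

    # a subdomain whose directory does not exist yet gets a 404, never another
    # site's files
    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
}
```

The character class in server_name is the safety check: nginx lowercases the Host header before matching, and the capture can only ever be a single label, so building root from it is safe. All subdomains still run under the same PHP-FPM pool and user, so a file-read bug in one site reaches the others' files; if the subdomains belong to different tenants, give each its own pool (or its own vhost and certificate) rather than sharing one.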
sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx