How to obtain a wildcard ssl certificate from Let’s Encrypt and setup Nginx to use wildcard subdomain

1:46 AM
sudo apt update
sudo apt install nginx
sudo apt install php-fpm php-mysql
sudo apt install certbot python3-certbot-nginx

Setup DNS to serve all the subdomains

  • Create a custom A record: HOST * POINTS TO your IP address (e.g. 103.21.0.108)
  • Create a custom A record: HOST @ POINTS TO your IP address (e.g. 103.21.0.108)
  • Add a CNAME record: HOST www POINTS TO @ (the apex record, which resolves to your IP address)
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com --manual --preferred-challenges dns-01 certonly

Note: replace example.com with your domain name. A wildcard certificate for *.example.com covers only first-level subdomains, not the apex example.com itself; to serve the apex over HTTPS as well, request both names by adding -d example.com to the command.

After running the command, certbot prints a DNS TXT record; add it to your domain's DNS, wait until it has propagated, and only then let certbot continue so the dns-01 challenge can be validated.


sudo mkdir /var/www/your_domain
sudo nano /etc/nginx/sites-available/your_domain
Create /etc/letsencrypt/options-ssl-nginx.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
#Create ssl-dhparams.pem
sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048

Put the two server blocks below in /etc/nginx/sites-available/your_domain (the example uses the author's domain, pakistanisp.org):

server {
    listen 80;
    server_name *.pakistanisp.org;
    # Redirect every plain-HTTP request to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name *.pakistanisp.org;
    ssl_certificate /etc/letsencrypt/live/pakistanisp.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pakistanisp.org/privkey.pem;
    # Both files were created above directly under /etc/letsencrypt/, not in the live/ directory
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    root /var/www/pakistanisp.org;
    index index.html index.php;

    location / {
        # Use the commented-out variant (with "?$args") so non-default permalinks don't break when a query string is used
        #try_files $uri $uri/ /index.php?$args;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # Return 404 for scripts that do not exist instead of handing the request to PHP
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;

        # With php7.0-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;

        # With php7.4-fpm (the php-fpm package installed above):
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
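Before pointing a server block at the certificate, it is worth checking which hostnames it actually covers, because a wildcard matches exactly one label. The following POSIX shell check is an added example, not part of the original post; the cert_sans helper assumes openssl 1.1.1 or later for the -ext option, and the SAN lists used at the bottom are constructed to mirror the certbot command above.

```shell
#!/bin/sh
# Added example, not part of the original post: check which hostnames a
# certificate's DNS SANs cover. TLS clients match a wildcard against exactly
# one label, so "*.example.com" covers api.example.com but neither
# example.com (the apex) nor a.b.example.com.

# san_covers HOST SAN... -> exit 0 if some SAN covers HOST, 1 otherwise.
# SANs are passed as separate arguments so the '*' is never glob-expanded.
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    shift
    for san in "$@"; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case $san in
            \*.*)
                suffix=${san#\*.}               # "*.example.com" -> "example.com"
                label=${host%".$suffix"}        # strip the suffix, keep the leading label
                # match only if the suffix was present, a label remains, and it has no dot
                if [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
                    return 0
                fi
                ;;
            *)
                [ "$san" = "$host" ] && return 0
                ;;
        esac
    done
    return 1
}

# cert_sans PEMFILE -> print the DNS SANs of a certificate, one per line.
# Assumes openssl 1.1.1 or later (for -ext); on the server run it against
# /etc/letsencrypt/live/<domain>/fullchain.pem.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers PEMFILE HOST -> exit 0 if the certificate covers HOST.
cert_covers() {
    set -f                                  # disable globbing while splitting the SAN list
    set -- "$2" $(cert_sans "$1")
    set +f
    san_covers "$@"
}

# Constructed SAN list mirroring the certbot command above (-d *.example.com only):
san_covers api.example.com '*.example.com' && echo "api.example.com: covered"
san_covers example.com '*.example.com' || echo "example.com: NOT covered (add -d example.com)"
```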
© 2014 Hendra All Rights Reserved