How to get Wildcard Certificate with acme.sh
Let’s Encrypt support wildcard domain certificate, and acme.sh is An ACME protocol client written purely in Shell (Unix shell) language.
1. install acme.sh
curl https://get.acme.sh | sh
2. request Certificate
( use *.s-b.me as example)
cd /.acme.sh
./acme.sh --issue -d *.s-b.me -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
the output
[Sat Mar 24 13:10:07 UTC 2018] Registering account
[Sat Mar 24 13:10:08 UTC 2018] Registered
[Sat Mar 24 13:10:08 UTC 2018] ACCOUNT_THUMBPRINT='hS_gwvXaqMtxJh2Bz0asmWK3r7iMYIknkOWDqO1a76U'
[Sat Mar 24 13:10:08 UTC 2018] Creating domain key
[Sat Mar 24 13:10:09 UTC 2018] The domain key is here: /root/.acme.sh/*.s-b.me/*.s-b.me.key
[Sat Mar 24 13:10:09 UTC 2018] Multi domain='DNS:*.s-b.me,DNS:s-b.me'
[Sat Mar 24 13:10:09 UTC 2018] Getting domain auth token for each domain
[Sat Mar 24 13:10:10 UTC 2018] Getting webroot for domain='*.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] Getting webroot for domain='s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
[Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] TXT value: '6sf1Iuh7r****************bHPs8QriJf8ibpszRk'
[Sat Mar 24 13:10:10 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Sat Mar 24 13:10:10 UTC 2018] so the resulting subdomain will be: _acme-challenge.s-b.me
[Sat Mar 24 13:10:10 UTC 2018] Add the following TXT record:
[Sat Mar 24 13:10:10 UTC 2018] Domain: '_acme-challenge.s-b.me'
[Sat Mar 24 13:10:10 UTC 2018] TXT value: 'iA68V9A14****************mlrsZx24raM-S0gmpI'
[Sat Mar 24 13:10:10 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Sat Mar 24 13:10:10 UTC 2018] so the resulting subdomain will be: _acme-challenge.s-b.me
[Sat Mar 24 13:10:10 UTC 2018] Please add the TXT records to the domains, and re-run with --renew.
[Sat Mar 24 13:10:10 UTC 2018] Please add '--debug' or '--log' to check more details.
[Sat Mar 24 13:10:10 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
3. add txt record for the domain
Add a txt record for the domain name to verify domain ownership.
_acme-challenge.s-b.me txt iA68V9A14****************mlrsZx24raM-S0gmpI
_acme-challenge.s-b.me txt 6sf1Iuh7r****************bHPs8QriJf8ibpszRk
4. request Wildcard Certificate
./acme.sh --renew -d *.s-b.me -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
If successful, a certificate directory will be generated in the current directory named after the domain name.
/root/.acme.sh
*.s-b.me/
├── ca.cer
├── fullchain.cer
├── *.s-b.me.cer
├── *.s-b.me.conf
├── *.s-b.me.csr
├── *.s-b.me.csr.conf
└── *.s-b.me.key
5. configure Certificate to support SSL
.cer cert file
.key key file
fullchain.cer fullchain cert
6、Certificate auto renew
add a crontab job to run
./acme.sh --renew -d *.s-b.me -d s-b.me --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
reference
https://github.com/acmesh-official/acme.sh