How to secure a website with a wildcard SSL certificate: Let’s Encrypt + certbot-auto + cPanel on Webd.pl

The SSL protocol is designed for the secure transmission of an encrypted data stream. For the WWW, in the client-server architecture, secured transmission works as follows: when the browser establishes a connection with an HTTP server secured by SSL, it verifies the server and negotiates the keys and encryption algorithms with it. In practice, this means the server needs a private key together with a certificate issued by a trusted certification authority.

Unencrypted communication with a WWW server can easily be eavesdropped on by anyone sitting in the path of the traffic. There is also a second reason to secure your site with SSL: Google has announced that it wants to promote such pages in its search results.

In this article you will learn how to obtain a certificate and configure HTTPS in cPanel, using Webd.pl as the example.

Agenda

  1. What tools do you need?
  2. Generating a Wildcard type certificate
  3. SSL configuration in cPanel based on Webd.pl example

What tools do you need?

In order to receive an SSL certificate issued by Let’s Encrypt you will need any Linux system and the certbot-auto program. If you don’t have Linux, you can, for example, install it on a virtual machine, which is described in the following post:

If you already have access to Linux, the next step is to download certbot-auto.

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help

Generating a Wildcard type certificate

The following command generates a certificate for a specific domain (in this case better-coding.com) as well as for all of its subdomains (wildcard).

./certbot-auto certonly --manual --preferred-challenges dns -d *.better-coding.com -d better-coding.com

After running the command, we are informed that our IP address will be logged and made publicly available. For a certificate requested from a virtual machine, this raises no concern about our privacy or security.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The next step is verifying the applicant. For a wildcard certificate, the challenge consists of adding a specific DNS TXT record to the DNS server that is authoritative for our domain.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.better-coding.com with the following value:

12631Kpo1XXX_gVbGwQOB9XXXXZRwdGHkWBTb5xxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Below I show how to configure such a record in cPanel, using webd.pl as the example. To do this, log in to the panel and open the Zone Editor.

Then select the domain you want to configure and click Manage.

To add the record, click Add Record, select Add TXT Record, and fill in the required values. Finally, confirm everything by clicking the Add Record button.
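Before pressing Enter in the certbot prompt it is worth confirming that the new TXT record is already visible from the public internet: Let’s Encrypt queries the authoritative name servers, not your local cache, and if you continue before the record has propagated the challenge fails and certbot has to be rerun with a fresh token. Wildcard names can only be validated this way (DNS-01), which is why the command above uses --manual --preferred-challenges dns. The script below is an added example, not part of the original post or of certbot; it assumes dig is installed and queries a public resolver (1.1.1.1, an assumption you can change through the RESOLVER variable). The domain and token in the usage line are the ones shown in the prompt above.

```shell
#!/bin/sh
# Added example (not from the original post): check that the
# _acme-challenge TXT record is visible in public DNS before pressing
# Enter in the certbot prompt. Assumes `dig` (dnsutils/bind-utils) is
# installed; the resolver is an assumption, override it as needed.

RESOLVER="${RESOLVER:-1.1.1.1}"

# txt_output_has_token <dig-output> <token>
# `dig +short TXT` prints each record quoted on its own line; strip the
# quotes and require an exact, whole-line match (a prefix is not enough).
# Returns 0 when the token is present, 1 otherwise.
txt_output_has_token() {
    printf '%s\n' "$1" | tr -d '"' | grep -Fxq -- "$2"
}

# acme_txt_present <domain> <token>
# Queries _acme-challenge.<domain> at the chosen resolver, so the result
# is not masked by a stale entry in the local cache.
acme_txt_present() {
    out=$(dig +short @"$RESOLVER" TXT "_acme-challenge.$1") || return 1
    txt_output_has_token "$out" "$2"
}

# wait_for_acme_txt <domain> <token> [attempts]
# Polls every 15 seconds; returns 0 as soon as the record is visible.
wait_for_acme_txt() {
    attempts="${3:-20}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if acme_txt_present "$1" "$2"; then
            echo "TXT record for _acme-challenge.$1 is live; press Enter in certbot."
            return 0
        fi
        i=$((i + 1))
        echo "not visible yet ($i/$attempts), waiting 15s..."
        sleep 15
    done
    echo "record still not visible after $attempts attempts" >&2
    return 1
}

# Usage (domain and token as shown in the certbot prompt above):
#   wait_for_acme_txt better-coding.com 12631Kpo1XXX_gVbGwQOB9XXXXZRwdGHkWBTb5xxx
```

When both *.better-coding.com and better-coding.com are validated over DNS in one run, certbot asks for two different TXT values under the same _acme-challenge name, one after the other; keep both records in the Zone Editor until issuance has finished and run the check for each token in turn.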

If, besides the wildcard certificate, you also request a certificate for a specific domain (without the --preferred-challenges dns option), then as part of the verification you will need to create a file on the server with the indicated name and content. After the verification completes, you should see the message below:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/better-coding.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/better-coding.com/privkey.pem
Your cert will expire on 2018-12-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The ready-to-use SSL certificate (together with its chain) can be found at /etc/letsencrypt/live/your.domain/fullchain.pem. The private key is in the file /etc/letsencrypt/live/your.domain/privkey.pem.
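Before pasting the files into cPanel it is worth confirming that the key and certificate belong together, that the leaf certificate really lists both the wildcard and the bare domain, and that it is not about to expire (Let’s Encrypt certificates are valid for 90 days, which is what the expiry date in the output above reflects). The functions below are an added example, not part of the original post or of certbot; they rely only on the openssl command-line tool, default to the paths certbot printed above, and read the first certificate in fullchain.pem, which is the leaf.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the files
# certbot wrote, run before pasting them into cPanel. Needs only the
# `openssl` CLI. Default paths are the ones certbot printed above.

# cert_key_match <fullchain.pem> <privkey.pem>
# The public key derived from the private key must equal the public key
# embedded in the leaf certificate; otherwise every TLS handshake fails.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# cert_sans <fullchain.pem>
# Prints the DNS names from the leaf certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# cert_covers <fullchain.pem> <hostname>
# True if the hostname is listed literally or matched by a single-label
# wildcard: *.example.com covers www.example.com but neither example.com
# nor a.b.example.com, which is why the post requests both names.
cert_covers() {
    host="$2"
    parent="${host#*.}"
    sans=$(cert_sans "$1")
    printf '%s\n' "$sans" | grep -Fxq -- "$host" && return 0
    # a wildcard needs at least two labels in the host and replaces only the first
    [ "$parent" != "$host" ] || return 1
    printf '%s\n' "$sans" | grep -Fxq -- "*.$parent"
}

# cert_not_expiring_within_days <fullchain.pem> [days]
# Uses openssl's -checkend, which returns 0 only if the certificate is
# still valid after the given number of seconds (default: 30 days).
cert_not_expiring_within_days() {
    secs=$(( ${2:-30} * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null
}

# validate_pair [fullchain.pem] [privkey.pem]
# Runs all checks and summarises the names the certificate covers.
validate_pair() {
    cert="${1:-/etc/letsencrypt/live/better-coding.com/fullchain.pem}"
    key="${2:-/etc/letsencrypt/live/better-coding.com/privkey.pem}"
    cert_key_match "$cert" "$key" \
        || { echo "private key does not match certificate" >&2; return 1; }
    cert_not_expiring_within_days "$cert" 30 \
        || { echo "certificate expires within 30 days, renew first" >&2; return 1; }
    echo "OK: key matches certificate; names: $(cert_sans "$cert" | tr '\n' ' ')"
}

# Usage:
#   validate_pair
#   cert_covers /etc/letsencrypt/live/better-coding.com/fullchain.pem www.better-coding.com
```

The wildcard rule in cert_covers is the same one browsers apply: one label only, so a certificate for *.better-coding.com does not protect deeper names such as a.b.better-coding.com, nor the bare domain, which is why the certbot command lists both names.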

SSL configuration in cPanel based on Webd.pl example

Most hosting providers offer a graphical interface for administering services through a browser. One of the most popular solutions is cPanel. Using it as the example, I show how to configure SSL with the private key and certificate prepared in the previous section.

After logging in to cPanel, go to the Security section and then select SSL/TLS.

Then click Manage SSL-protected websites.

Paste the previously prepared certificate and private key, and then click AutoFill by certificate.

Finally, it remains only to check the new configuration. To do this, open a browser and load the configured domain over HTTPS (e.g. https://better-coding.com). Keep in mind that propagation of the change may take several minutes; if the page does not open or is not trusted, wait a moment and repeat the check.
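Opening the site in a browser confirms the padlock, but it does not tell you which certificate the server picked for a given name, nor whether the chain was installed completely (some browsers fetch or cache missing intermediates and show a padlock on a host where stricter clients fail). The script below is an added example, not part of the original post; it assumes openssl and curl are available, that the site listens on port 443, and that the local fullchain.pem is the file pasted into cPanel. It compares the SHA-256 fingerprint of the certificate served under SNI for the bare domain and for the www subdomain with the local file, and checks that curl, which validates the whole chain against the system trust store, gets an HTTP answer.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the host is
# really serving the certificate pasted into cPanel, for the bare domain
# and for a subdomain covered by the wildcard. Needs `openssl` and `curl`.

# served_fingerprint <hostname> [port]
# SHA-256 fingerprint of the leaf certificate the server presents for
# that SNI name. Returns non-zero if nothing answers or no certificate
# comes back.
served_fingerprint() {
    fp=$(openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
         | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$fp" ] && printf '%s\n' "${fp#*=}"
}

# local_fingerprint <fullchain.pem>
# SHA-256 fingerprint of the first (leaf) certificate in the local file.
local_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${fp#*=}"
}

# site_serves_cert <hostname> <fullchain.pem> [port]
# Compares the served leaf with the local one; a mismatch usually means
# cPanel is still serving its old self-signed or shared certificate.
site_serves_cert() {
    want=$(local_fingerprint "$2") || return 1
    got=$(served_fingerprint "$1" "$3") \
        || { echo "$1: no certificate received" >&2; return 1; }
    if [ "$want" = "$got" ]; then
        echo "$1: serves the expected certificate ($got)"
    else
        echo "$1: serves a DIFFERENT certificate ($got), expected $want" >&2
        return 1
    fi
}

# https_status <hostname>
# HTTP status of a GET over HTTPS with full chain and hostname checking.
# curl exits non-zero (and prints nothing) if the chain is not trusted,
# e.g. when only the leaf was pasted and the intermediate is missing.
https_status() {
    curl -sS -o /dev/null -w '%{http_code}\n' "https://$1/"
}

# check_site <domain> <fullchain.pem>
# Propagation can take a few minutes after saving in cPanel, so rerun
# this until both names pass.
check_site() {
    ok=0
    for name in "$1" "www.$1"; do
        site_serves_cert "$name" "$2" || ok=1
        echo "$name: HTTPS status $(https_status "$name" || echo 'chain verification failed')"
    done
    return "$ok"
}

# Usage:
#   check_site better-coding.com /etc/letsencrypt/live/better-coding.com/fullchain.pem
```

Checking a subdomain as well as the bare domain matters because cPanel installs the certificate per virtual host; a wildcard that was only attached to the main domain will still leave www or other subdomains on the old certificate.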

At the end… May I ask you for something?

If I helped you solve your problem, please share this post. Thanks to this, I will have the opportunity to reach a wider group of readers. Thank you.
