Certbot example: wildcard certificate
Setup
1. Create servers/DNS-records for your desired subdomains
2. Request a certificate from any server
   certbot certonly \
     --manual \
     --server 'https://acme-v02.api.letsencrypt.org/directory' \
     --domain '*.example.com,example.com' \
     --agree-tos \
     --no-eff-email
3. letsencrypt will request that you create a 'TXT' DNS record
   name:  _acme-challenge.example.com
   value: <provided value>
4. letsencrypt will request that you create a file on your webserver
5. Wait for DNS changes to propagate
6. The certificate will be created in a directory named after the domain (the base domain, without the wildcard prefix):
/etc/letsencrypt/live/example.com/fullchain.pem
Redirection and SSL
The proper way to do redirection is by returning HTTP 301 (Moved Permanently). Under the hood, this is what happens when AWS's Route 53 defines an A/AAAA record alias.

To avoid an SSL error, your SSL certificate must be a SAN certificate (a certificate that is valid for multiple domains). Every domain that the redirect chain passes through must be covered by the certificate.

For example:

    findregion.example.com -(redirects-to)-> region.example.com

In this case, your certificate must be valid for:

    example.com
    findregion.example.com
    region.example.com

You can resolve this in two ways:
- a wildcard SAN certificate (*.example.com, example.com)
- an explicit SAN certificate (findregion.example.com, region.example.com, example.com)
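The following is an added example, not part of the original note, that checks a redirect chain against a certificate's SAN list the way a browser would match names: a '*' covers exactly one label, so '*.example.com' matches region.example.com but not example.com itself. The hostnames and SAN lists are constructed from the example above; a real SAN list can be read with `openssl x509 -in fullchain.pem -noout -ext subjectAltName`.

```python
"""Verify that every hostname in a redirect chain is covered by a certificate's SAN entries.

Wildcard rules (as browsers apply them, per RFC 6125): the '*' must be the whole
leftmost label and stands for exactly one label, so '*.example.com' covers
'region.example.com' but neither 'example.com' nor 'a.b.example.com'.
"""
from typing import Iterable, List


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers the given hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname                  # plain entry: exact match only
    san_labels, host_labels = san.split("."), hostname.split(".")
    if len(san_labels) != len(host_labels):
        return False                            # '*' stands for exactly one label
    return san_labels[1:] == host_labels[1:]    # everything right of the '*' must be identical


def uncovered_hosts(sans: Iterable[str], chain: Iterable[str]) -> List[str]:
    """Hostnames in the redirect chain that no SAN entry covers (empty list means OK)."""
    sans = list(sans)
    return [h for h in chain if not any(san_matches(s, h) for s in sans)]


# Constructed from the text: findregion.example.com redirects to region.example.com,
# and the certificate must also be valid for the base domain.
REDIRECT_CHAIN = ["findregion.example.com", "region.example.com", "example.com"]
WILDCARD_SAN = ["*.example.com", "example.com"]                               # option 1
EXPLICIT_SAN = ["findregion.example.com", "region.example.com", "example.com"]  # option 2
WILDCARD_ONLY = ["*.example.com"]   # common mistake: the wildcard alone does not cover example.com

if __name__ == "__main__":
    for label, sans in [("wildcard", WILDCARD_SAN), ("explicit", EXPLICIT_SAN),
                        ("wildcard-only", WILDCARD_ONLY)]:
        missing = uncovered_hosts(sans, REDIRECT_CHAIN)
        print(f"{label:14} {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```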