Letsencrypt Wildcard Certificates, with acme.sh client

Took me a bit of time to figure this out, so I thought I'd make it public. Letsencrypt announced their new wildcard certs, and because I have to add the SSL cert to a load balancer covering many subdomains, I needed to make use of it.

First thing to note is that not all clients support the new v2 API which is required for wildcard certs. I looked at the list of v2 supporting clients on the Letsencrypt site, and chose the acme.sh bash script. Not sure if I'm going to stick with it at this point but it got me going.

First thing you need to do is to run it with the --issue flag. You'll need to run it with DNS validation, as that's the only method supported for wildcard certs. You'll also need to run it with both the root domain AND the wildcard.

./acme.sh --log --issue --dns -d mydomain.com -d '*.mydomain.com'
[Tue Mar 13 23:42:54 MDT 2018] Multi domain='DNS:mydomain.com,DNS:*.mydomain.com'
[Tue Mar 13 23:42:54 MDT 2018] Getting domain auth token for each domain
[Tue Mar 13 23:42:55 MDT 2018] Getting webroot for domain='mydomain.com'
[Tue Mar 13 23:42:55 MDT 2018] Getting webroot for domain='*.mydomain.com'
[Tue Mar 13 23:42:55 MDT 2018] Add the following TXT record:
[Tue Mar 13 23:42:55 MDT 2018] Domain: '_acme-challenge.mydomain.com'
[Tue Mar 13 23:42:55 MDT 2018] TXT value: '123XuRD_z9FHfdGIIQR5HIoNY1kCn7WjqqND2s1Nxyz'
[Tue Mar 13 23:42:55 MDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Mar 13 23:42:55 MDT 2018] so the resulting subdomain will be: _acme-challenge.mydomain.com
[Tue Mar 13 23:42:55 MDT 2018] Add the following TXT record:
[Tue Mar 13 23:42:55 MDT 2018] Domain: '_acme-challenge.mydomain.com'
[Tue Mar 13 23:42:55 MDT 2018] TXT value: '1233qm_dTj_tHeDljeZOgNywPCVKMrTxWcMHTYkrxyz'
[Tue Mar 13 23:42:55 MDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Mar 13 23:42:55 MDT 2018] so the resulting subdomain will be: _acme-challenge.mydomain.com
[Tue Mar 13 23:42:55 MDT 2018] Please add the TXT records to the domains, and retry again.
[Tue Mar 13 23:42:55 MDT 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log

You'll get a load of output which tells you it failed, but it also gives you the entries you need to put into your DNS zone editor. So now you need to add TWO TXT records, both under the same name, to your domain:
_acme-challenge.mydomain.com    123XuRD_z9FHfdGIIQR5HIoNY1kCn7WjqqND2s1Nxyz
_acme-challenge.mydomain.com    1233qm_dTj_tHeDljeZOgNywPCVKMrTxWcMHTYkrxyz

You can verify these with dig:

dig txt _acme-challenge.mydomain.com
;; ANSWER SECTION:
_acme-challenge.mydomain.com. 60 IN TXT	"123XuRD_z9FHfdGIIQR5HIoNY1kCn7WjqqND2s1Nxyz"
_acme-challenge.mydomain.com. 60 IN TXT	"1233qm_dTj_tHeDljeZOgNywPCVKMrTxWcMHTYkrxyz"

Now you run the acme client again with the --renew flag.

./acme.sh --renew -d mydomain.com -d '*.mydomain.com'
[Tue Mar 13 23:51:49 MDT 2018] Renew: 'mydomain.com'
[Tue Mar 13 23:51:50 MDT 2018] Multi domain='DNS:mydomain.com,DNS:*.mydomain.com'
[Tue Mar 13 23:51:50 MDT 2018] Getting domain auth token for each domain
[Tue Mar 13 23:51:50 MDT 2018] Verifying:mydomain.com
[Tue Mar 13 23:51:53 MDT 2018] Success
[Tue Mar 13 23:51:53 MDT 2018] Verifying:*.mydomain.com
[Tue Mar 13 23:51:55 MDT 2018] Success
[Tue Mar 13 23:51:55 MDT 2018] Verify finished, start to sign.
[Tue Mar 13 23:51:56 MDT 2018] Cert success.

[Tue Mar 13 23:51:56 MDT 2018] Your cert is in  /root/.acme.sh/mydomain.com/mydomain.com.cer 
[Tue Mar 13 23:51:56 MDT 2018] Your cert key is in  /root/.acme.sh/mydomain.com/mydomain.com.key 
[Tue Mar 13 23:51:56 MDT 2018] The intermediate CA cert is in  /root/.acme.sh/mydomain.com/ca.cer 
[Tue Mar 13 23:51:56 MDT 2018] And the full chain certs is there:  /root/.acme.sh/mydomain.com/fullchain.cer
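Before the --renew step, it is worth checking that every authoritative name server for the zone already answers with both TXT values, since the CA validates against those servers and a fresh record can take a while to reach all of them. The script below is an added example, not part of the post or of acme.sh; it assumes dig is installed, and the token values are the constructed ones from the output above.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): confirm that each
# authoritative NS of the zone serves all of the _acme-challenge TXT values that
# acme.sh --issue asked for, before re-running the client with --renew.
# Assumes `dig` is available; the token values are constructed placeholders.

# txt_has_all DIG_OUTPUT VALUE... -> returns 0 only if every VALUE appears as a
# quoted TXT string in DIG_OUTPUT (the text printed by `dig +short txt NAME`).
txt_has_all() {
    output=$1
    shift
    for want in "$@"; do
        case "$output" in
            *"\"$want\""*) ;;            # this value is present
            *) return 1 ;;               # missing, or not propagated yet
        esac
    done
    return 0
}

# check_challenge DOMAIN VALUE... -> queries every authoritative NS of DOMAIN
# for _acme-challenge.DOMAIN and returns 0 only if all of them serve all VALUEs.
check_challenge() {
    domain=$1
    shift
    name="_acme-challenge.$domain"
    all_ok=1
    for ns in $(dig +short ns "$domain"); do
        answer=$(dig +short txt "$name" "@$ns")
        if txt_has_all "$answer" "$@"; then
            echo "OK      $ns serves all challenge records for $name"
        else
            echo "MISSING $ns does not yet serve every challenge record for $name"
            all_ok=0
        fi
    done
    [ "$all_ok" -eq 1 ]
}

# Usage (tokens are the constructed ones from the --issue output; use your own):
# check_challenge mydomain.com \
#     123XuRD_z9FHfdGIIQR5HIoNY1kCn7WjqqND2s1Nxyz \
#     1233qm_dTj_tHeDljeZOgNywPCVKMrTxWcMHTYkrxyz \
# && ./acme.sh --renew -d mydomain.com -d '*.mydomain.com'
```

Each --issue run produces new challenge tokens, so the check has to be repeated with the new values every time the certificate is reissued this way.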

And that's about it. The client has more options to copy the cert into your apache/nginx config, but I had to add it by hand to the load balancer. Maybe I'll investigate automating this, and the cert renewal.