CREATIVE CHAOS   ▋ blog

Letsencrypt Wildcard Certificates on Debian

PUBLISHED ON 22/03/2018 — EDITED ON 11/12/2023 — SYSOPS

Pin the packages from unstable

Early adopters will need to use unstable repo and pin the packages:

/etc/apt/sources
# Unstable repo main, contrib and non-free branches, no security updates here
# Packages without bug reports go to stable after 10 days.
deb http://ftp.be.debian.org/debian/ unstable main contrib non-free
deb-src http://ftp.be.debian.org/debian/ unstable main contrib non-free
/etc/apt/preferences
Package: certbot
Pin: release a=unstable
Pin-Priority: 900

Package: python3-certbot
Pin: release a=unstable
Pin-Priority: 900

Package: python3-acme
Pin: release a=unstable
Pin-Priority: 900

After 10 days with no bug reports the package will be in stable, so you can skip this.

Request the certificate

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d \*.sablun.org -d sablun.org

For ZSH you need to escape the “*”, otherwise it fails.

Edit the DNS records

Add the record that certbot provides to your DNS zone records.

Check the propagation of the records:

nslookup -type=TXT _acme-challenge.scm.sablun.org

Reload webserver

Nginx users can hit:

nginx -t && nginx -s reload

For Apache, use:

apache2ctl -t && apache2ctl graceful