Installing Let's Encrypt Wildcard SSL for Ubuntu, Debian and Hestia CP

SSL Certificate Installation Guide

Let’s Encrypt is a non-profit certificate authority that provides free X.509 certificates for TLS encryption through an automated process designed to replace the complex manual process of creating, verifying, signing, installing, and renewing certificates for secure websites.

Recently, Let’s Encrypt introduced wildcard certificates, which let you secure a domain and multiple subdomains with a single certificate.

This guide works with Linux distributions such as CentOS, Ubuntu, and Debian. The installation example below uses Ubuntu. For CentOS, use the yum package manager instead of apt-get.


Install the acme.sh script:

cd /root
sudo apt-get install socat git
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install

After installation, a cron job will be created to automatically renew your certificate. You can check it with:

crontab -l

Set Let's Encrypt as the default certificate authority:

./acme.sh --set-default-ca --server letsencrypt

Request a certificate:

./acme.sh --issue -d testfrnx.ru -d '*.testfrnx.ru' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

Note

Replace testfrnx.ru with your own domain.

The script will generate 2 TXT records that you need to add in the DNS panel:

[Tue Jun  8 14:23:11 MSK 2021] Domain: '_acme-challenge.testfrnx.ru'
[Tue Jun  8 14:23:11 MSK 2021] TXT value: 'GCgAc4Q1Ur4Iv5A-SFhaZ6as-IyuIbfcm7FnUOq3Qxs'
[Tue Jun  8 14:23:12 MSK 2021] Domain: '_acme-challenge.testfrnx.ru'
[Tue Jun  8 14:23:12 MSK 2021] TXT value: 'dA6AcK4oR2VOIuD_i7zdNn6RZXXBJORpZWlhDOmk96A'

When adding the records, make sure to add a dot at the end of the name, for example:

TXT record _acme-challenge.testfrnx.ru.
value: "dA6AcK4oR2VOIuD_i7zdNn6RZXXBJORpZWlhDOmk96A"
TXT record _acme-challenge.testfrnx.ru.
value: "GCgAc4Q1Ur4Iv5A-SFhaZ6as-IyuIbfcm7FnUOq3Qxs"

Check that the DNS records have updated:

dig txt +short _acme-challenge.testfrnx.ru
"GCgAc4Q1Ur4Iv5A-SFhaZ6as-IyuIbfcm7FnUOq3Qxs"
"dA6AcK4oR2VOIuD_i7zdNn6RZXXBJORpZWlhDOmk96A"

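The `dig` check above goes through whichever resolver the server uses. As an added example (not part of the original guide), the script below asks each authoritative name server directly and reports any server where one of the two TXT values is still missing; the function names are hypothetical and it assumes `dig` is installed.

```shell
#!/bin/sh
# Added example (not from the original guide).

# missing_txt_values VALUE...
# Reads `dig +short TXT` output on stdin, prints every expected value that is
# not published, and returns 0 only when all of them are present.
missing_txt_values() {
    published=$(tr -d '"')            # dig wraps each TXT string in quotes
    missing=0
    for want in "$@"; do
        # -F/-x: literal whole-line match; "--" because a token may start with "-"
        if ! printf '%s\n' "$published" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            missing=1
        fi
    done
    return "$missing"
}

# check_acme_txt DOMAIN VALUE...
# Queries each authoritative name server directly, so a cached answer from a
# resolver cannot hide a server that has not picked up the records yet.
check_acme_txt() {
    domain=$1; shift
    servers=$(dig +short NS "$domain")
    [ -n "$servers" ] || { echo "no NS records found for $domain" >&2; return 2; }
    status=0
    for ns in $servers; do
        if absent=$(dig +short TXT "_acme-challenge.$domain" "@$ns" |
                    missing_txt_values "$@"); then
            echo "ok       $ns"
        else
            echo "MISSING  $ns: $absent"
            status=1
        fi
    done
    return "$status"
}

# Usage, with the two values acme.sh printed in the guide above:
#   check_acme_txt testfrnx.ru \
#       GCgAc4Q1Ur4Iv5A-SFhaZ6as-IyuIbfcm7FnUOq3Qxs \
#       dA6AcK4oR2VOIuD_i7zdNn6RZXXBJORpZWlhDOmk96A
```

Resume issuance only when every name server reports `ok`; a failed validation counts against the CA's rate limits.
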
After updating DNS, resume the certificate issuance:

./acme.sh --renew -d testfrnx.ru -d '*.testfrnx.ru' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Jun  8 15:26:45 MSK 2021] Renew: 'testfrnx.ru'
[Tue Jun  8 15:26:46 MSK 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Jun  8 15:26:46 MSK 2021] Multi domain='DNS:testfrnx.ru,DNS:*.testfrnx.ru'
[Tue Jun  8 15:26:54 MSK 2021] Verify finished, start to sign.
[Tue Jun  8 15:26:55 MSK 2021] Downloading cert.
[Tue Jun  8 15:26:56 MSK 2021] Cert success.

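Your certificates will be saved in the following files. If the certificate was issued with an ECC key, acme.sh appends _ecc to the directory name (/root/.acme.sh/testfrnx.ru_ecc/), which is the path the Hestia CP steps below use: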

/root/.acme.sh/testfrnx.ru/testfrnx.ru.cer
/root/.acme.sh/testfrnx.ru/testfrnx.ru.key
/root/.acme.sh/testfrnx.ru/ca.cer
/root/.acme.sh/testfrnx.ru/fullchain.cer

Adding certificates to Hestia CP

Note

You can install Hestia CP yourself or have it set up on our VPS or dedicated servers.

Rename the certificates:

mv /root/.acme.sh/testfrnx.ru_ecc/ca.cer /root/.acme.sh/testfrnx.ru_ecc/testfrnx.ru.ca
mv /root/.acme.sh/testfrnx.ru_ecc/fullchain.cer /root/.acme.sh/testfrnx.ru_ecc/testfrnx.ru.crt

Add the certificates to your domain:

v-add-web-domain-ssl USER testfrnx.ru /root/.acme.sh/testfrnx.ru_ecc/
  • USER — the user who owns the domain
  • testfrnx.ru — your domain
  • /root/.acme.sh/testfrnx.ru_ecc/ — path to the certificates

Warning

If a certificate was previously added to the domain, update it to the new one:

v-update-web-domain-ssl USER testfrnx.ru /root/.acme.sh/testfrnx.ru_ecc/

Adding a Wildcard SSL certificate for a subdomain

Copy the certificate:

cp /home/USER/conf/web/testfrnx.ru/ssl/testfrnx.ru.ca /home/USER/conf/web/testfrnx.ru/ssl/sub.testfrnx.ru.ca
cp /home/USER/conf/web/testfrnx.ru/ssl/testfrnx.ru.crt /home/USER/conf/web/testfrnx.ru/ssl/sub.testfrnx.ru.crt
cp /home/USER/conf/web/testfrnx.ru/ssl/testfrnx.ru.key /home/USER/conf/web/testfrnx.ru/ssl/sub.testfrnx.ru.key

Add the certificates to the subdomain:

v-add-web-domain-ssl USER sub.testfrnx.ru /home/USER/conf/web/testfrnx.ru/ssl/

Remove temporary files:

rm /home/USER/conf/web/testfrnx.ru/ssl/sub.testfrnx.ru.ca
rm /home/USER/conf/web/testfrnx.ru/ssl/sub.testfrnx.ru.crt
rm /home/USER/conf/web/testfrnx.ru/ssl/sub.testfrnx.ru.key
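A wildcard entry covers exactly one label, so `*.testfrnx.ru` is valid for `sub.testfrnx.ru` but not for `a.sub.testfrnx.ru`, and not for the bare domain unless that is listed separately. The following added example (not part of the original guide; the function names are hypothetical, and `cert_covers` assumes OpenSSL 1.1.1 or newer) checks a hostname against the certificate's names before the certificate is attached to a subdomain.

```shell
#!/bin/sh
# Added example (not from the original guide).

# san_covers HOST SAN_LIST
# SAN_LIST is a comma-separated list of "DNS:name" entries, the form shown in
# the acme.sh "Multi domain=" log line and printed by openssl.
# Returns 0 if HOST is covered, 1 otherwise.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    names=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr ',' '\n' |
            sed 's/^[[:space:]]*dns://')
    parent=${host#*.}                 # host minus its left-most label
    while IFS= read -r san; do
        # Exact name listed in the certificate.
        if [ "$san" = "$host" ]; then return 0; fi
        # A wildcard stands for exactly one label: *.example.org covers
        # a.example.org but neither example.org nor a.b.example.org.
        if [ "$parent" != "$host" ] && [ "$san" = "*.$parent" ]; then return 0; fi
    done <<EOF
$names
EOF
    return 1
}

# cert_covers CERT_FILE HOST
# Reads the SAN extension of the first certificate in CERT_FILE (the leaf in
# a full-chain file). Needs OpenSSL 1.1.1 or newer for the -ext option.
cert_covers() {
    list=$(openssl x509 -in "$1" -noout -ext subjectAltName | sed 1d)
    san_covers "$2" "$list"
}

# Usage with the paths from the guide:
#   cert_covers /root/.acme.sh/testfrnx.ru_ecc/testfrnx.ru.crt sub.testfrnx.ru \
#       && echo "certificate is valid for sub.testfrnx.ru"
```
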

To update certificates, run this command every 90 days:

./acme.sh --issue -d testfrnx.ru -d '*.testfrnx.ru' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please


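Set up automatic Let’s Encrypt certificate renewal with Cron by adding this daily job. The job can only renew certificates whose validation completes unattended; a certificate issued in manual DNS mode, as above, still needs new TXT records added by hand at each renewal: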

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Note

You can check the certificate installation with the SSL checker tool.


Help

If you encounter any issues or need assistance, submit a request to support via the ticket system, and we’ll be happy to help.
