Let’s Encrypt recently released free wildcard certificates for everyone!
The script we’ll be using for this is acme.sh, which is currently one of the few clients that supports ACME v2, the protocol version that added wildcards. Wildcard certificates can only be issued with the DNS-01 challenge (you have to prove control of the zone by publishing a TXT record), and acme.sh has support for many DNS provider APIs, so it can create that record and auto-renew for you. To get this script, simply run:
curl https://get.acme.sh | sh
If you would rather not pipe an unread download into sh, clone the repository from GitHub instead, read acme.sh, and run ./acme.sh --install from the checkout; it sets up the same cron job.
Getting the certificate
I use Cloudflare, so that’s what I’m going to use in this example. You need your Cloudflare API key and the e-mail address of the account, and then run:
export CF_Key="yourapikeygoeshere"
export CF_Email="firstname.lastname@example.org"
Note that CF_Key is the Global API Key, which can do anything your Cloudflare account can do, and acme.sh saves it in ~/.acme.sh/account.conf so renewals keep working. Treat that file like a password. Newer acme.sh releases also accept a scoped API token (CF_Token, optionally with CF_Account_ID and CF_Zone_ID) that only needs DNS edit rights on the one zone, which is the better choice if your version supports it.
Then, you can issue the certificate with (quote the wildcard so your shell does not glob-expand it, and name the Cloudflare hook with --dns dns_cf; a bare --dns means manual mode, which cannot auto-renew):
acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf
Using the certificate
Now, in the home directory of the user you ran acme.sh as, you’ll see a
.acme.sh folder appear. In that folder, among other things, will be a folder named after the first domain you passed, example.com. There is no separate folder for the wildcard: both example.com and *.example.com are names in that one certificate, so it covers every single-level subdomain of example.com and example.com itself. The quickest way to use it in Apache is something like:
SSLCertificateFile /home/www-data/.acme.sh/example.com/fullchain.cer
SSLCertificateKeyFile /home/www-data/.acme.sh/example.com/example.com.key
and then restart Apache. Pointing Apache straight into .acme.sh works, but it means the Apache user has to be able to read the whole .acme.sh folder, which also contains your account key and account.conf with the Cloudflare key in it, and acme.sh may change the file layout between versions. The cleaner option, and the one the acme.sh docs recommend, is to copy the files out and let acme.sh reload Apache after every renewal:
acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/example.com/fullchain.cer --key-file /etc/ssl/example.com/example.com.key --reloadcmd "systemctl reload apache2"
acme.sh remembers those paths and the reload command and re-runs them from its cron job, so the web server only ever sees the certificate and key, not the rest of the state.
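Putting the three steps together (issue, install outside .acme.sh, verify the names), as an added example script that is not part of the original post or of acme.sh itself. It assumes acme.sh is installed for the current user at ~/.acme.sh, that /etc/ssl/example.com already exists and is writable by that user, that Apache is reloaded with "systemctl reload apache2", and that you hold a scoped Cloudflare API token (CF_Token plus CF_Zone_ID) rather than the Global API Key; all of those names and paths are placeholders. The deployment only runs when the script is invoked with the argument "deploy", so the SAN check can be exercised on any PEM certificate without touching Cloudflare:

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): issue a wildcard
# certificate with acme.sh + Cloudflare, install it outside ~/.acme.sh, and
# verify that the resulting certificate actually lists both names.
# Assumptions (placeholders): acme.sh at ~/.acme.sh, /etc/ssl/example.com is
# writable, "systemctl reload apache2" reloads the web server, CF_Token and
# CF_Zone_ID are set in the environment.
set -eu

DOMAIN="example.com"
CERT_DIR="/etc/ssl/${DOMAIN}"

# Step 1: issue. A scoped token (Zone:DNS:Edit on this zone only) is used
# instead of the Global API Key, so a leak of ~/.acme.sh/account.conf cannot
# take over the whole Cloudflare account. dns_cf reads the variables itself.
issue_wildcard() {
    : "${CF_Token:?set CF_Token to a scoped Cloudflare API token}"
    : "${CF_Zone_ID:?set CF_Zone_ID to the zone id of $DOMAIN}"
    export CF_Token CF_Zone_ID
    # The wildcard is quoted so the shell does not glob-expand it.
    ~/.acme.sh/acme.sh --issue --dns dns_cf -d "$DOMAIN" -d "*.$DOMAIN"
}

# Step 2: copy the fullchain and key out of ~/.acme.sh so Apache never needs
# read access to the acme.sh state (account key, API token). acme.sh stores
# the paths and --reloadcmd and repeats them on every renewal.
install_for_apache() {
    ~/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
        --fullchain-file "$CERT_DIR/fullchain.cer" \
        --key-file "$CERT_DIR/$DOMAIN.key" \
        --reloadcmd "systemctl reload apache2"
    chmod 600 "$CERT_DIR/$DOMAIN.key"
}

# Step 3: does the PEM certificate in $1 list $2 in its Subject Alternative
# Names? Returns 0 if present, 1 if absent. Uses the -text dump so it works
# on OpenSSL versions that predate "x509 -ext".
cert_has_san() {
    cert="$1"
    name="$2"
    openssl x509 -in "$cert" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
        | grep -Fx -- "$name" >/dev/null
}

# Only deploy when explicitly asked, so the file can be sourced or tested.
case "${1:-}" in
  deploy)
    issue_wildcard
    install_for_apache
    for n in "$DOMAIN" "*.$DOMAIN"; do
        cert_has_san "$CERT_DIR/fullchain.cer" "$n" \
            || { echo "certificate is missing SAN $n" >&2; exit 1; }
    done
    echo "wildcard installed and verified for $DOMAIN"
    ;;
esac
```

Running it as ./wildcard.sh deploy does the whole procedure once; after that acme.sh’s own cron job renews and reinstalls the certificate. The final loop is worth keeping: a wildcard only matches one label, so if you later need a name like a.b.example.com the check will tell you the certificate does not cover it.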
What these certificates will work for
These certificates will work exactly like the paid ones, except that Let’s Encrypt only issues domain-validated certificates, so you can’t get extended validation ones. You can use them in Dovecot so you stop getting warnings each time you check your mail, you can use them on your website without Cloudflare, you can use them behind Cloudflare’s Full (strict) SSL mode, since Cloudflare checks that the origin presents a valid certificate, and more. Since I use Cloudflare, I mainly just use the certificates for Dovecot, and that works fine for me. For example, Gmail can use POP3S to check another email account and import the messages into your Gmail. Before I had a valid certificate, Gmail would refuse to connect, but with Let’s Encrypt, Gmail accepts the certificate and actually imports all of my emails into one place :)
Let me know what you do with your certificate in the comments below.