Wilcard SSL Certificates allow you to secure also all subdomains with just one certificate configured on your server or properly proxy server.
As I have good experiences with the domain provider MyOnlinePortal, I will use them for the example.
python3 -m venv certbot
./certbot/bin/activate
python3 -m pip install --upgrade certbot
python3 -m pip install certbot-dns-myonlineportal
python3 -m pip install zope.interfaceCreate a credentials file with your username and password from the DynDNS provider. For example /etc/letsencrypt/.myonlineportal-credentials.ini:
dns_myonlineportal_username = username
dns_myonlineportal_password = password
dns_myonlineportal_endpoint = https://myonlineportal.net/set-acmeFor security reasons, this file should only have permissions for the owner
chmod 600 /etc/letsencrypt/.myonlineportal-credentials.inicertbot certonly --agree-tos \
--authenticator dns-myonlineportal \
--dns-myonlineportal-propagation-seconds 120 \
--dns-myonlineportal-credentials /etc/letsencrypt/.myonlineportal-credentials.ini \
--email 'me@example.com' \
-d example.myonlineportal.net -d *.example.myonlineportal.netGive attention to -d option, there are two of them, one explicit with the wildcard domain. Of course this will also work without wildcards.
Also change the --email option to your valid email address.
After execution, the result should look like follows
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin legacy name certbot-dns-myonlineportal:dns-myonlineportal may be removed in a future version. Please use dns-myonlineportal instead.
Requesting a certificate for example.myonlineportal.net and *.example.myonlineportal.net
Waiting 90 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.myonlineportal.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.myonlineportal.net/privkey.pem
This certificate expires on 2021-12-29.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Make this new certificate available and workable for your haproxy. If your /etc/haproxy/haproxy.conf has the certificate as follows configured
frontend www-https
bind *:443 ssl crt /etc/ssl/example.myonlineportal.net.pemyou need to put the fullchain.pem and the privkey.pem together to one file called /etc/ssl/example.myonlineportal.net.pem
cat /etc/letsencrypt/live/example.myonlineportal.net/fullchain.pem > /etc/ssl/example.myonlineportal.net.pem
cat /etc/letsencrypt/live/example.myonlineportal.net/privkey.pem >> /etc/ssl/example.myonlineportal.net.pemand reload the haproxy
systemctl reload haproxy.serviceor restart
systemctl restart haproxy.serviceFor renewing the certificate execute renew
certbot renew --no-self-upgrade --agree-tos \
--authenticator dns-myonlineportal \
--dns-myonlineportal-propagation-seconds 120 \
--dns-myonlineportal-credentials /etc/letsencrypt/.myonlineportal-credentials.ini \
--email 'me@example.com'Put the fullchain.pem and the privkey.pem together to the configured haproxy cert file /etc/ssl/example.myonlineportal.net.pem
cat /etc/letsencrypt/live/example.myonlineportal.net/fullchain.pem > /etc/ssl/example.myonlineportal.net.pem
cat /etc/letsencrypt/live/example.myonlineportal.net/privkey.pem >> /etc/ssl/example.myonlineportal.net.pemand reload the haproxy
systemctl reload haproxy.serviceor restart
systemctl restart haproxy.serviceRemoved deprecated options settings and test again.