I had a need to switch to wildcard certificates for my Web sites: e.g., a single certificate for *.domain.net as opposed to listing names like www.domain.net, dns.domain.net, etc. (My old configuration predated wildcard support by LetsEncrypt.)

As I host my own name service, I had some advantages; in particular, I didn't need to rely on support by a DNS provider for dynamic DNS updates.

So here are the steps that I followed. The target system is Oracle Linux 8, which is mostly a clone of RHEL 8.

1. Install the certbot plugin for dynamic DNS

I already had certbot installed eons ago, but I needed to install the plugin that satisfies the DNS-01 challenge by publishing the _acme-challenge TXT record through RFC 2136 dynamic DNS updates:

dnf install -y certbot python3-certbot-dns-rfc2136

2. Generate a secure key

To generate the TSIG key that certbot will use to authenticate its updates, I did the following. (This is a shared secret: whoever holds it can change every record the key is later granted, so treat both files like a private key. On BIND 9.16 and later, dnssec-keygen no longer generates HMAC keys; tsig-keygen -a hmac-sha256 certbot_key produces the equivalent key and prints it directly as a named.conf key stanza.)

cd /var/named/chroot/etc/named
dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST certbot_key

This resulted in two files, with content similar to the following:

[root@core named]# cat Kcertbot_key.+163+63608.key 
certbot_key. IN KEY 512 3 163 asdflghjkERHWE3kJSESFsfget4rjskr5j43ntKDFGN=
[root@core named]# cat Kcertbot_key.+163+63608.private 
Private-key-format: v1.3
Algorithm: 163 (HMAC_SHA256)
Key: asdflghjkERHWE3kJSESFsfget4rjskr5j43ntKDFGN=
Bits: AAA=
Created: 20250217191131
Publish: 20250217191131
Activate: 20250217191131

3. Set up the letsencrypt folder

After backing it up, I removed all existing certificate data from /etc/letsencrypt. (I left account settings and configuration files intact.) Then, I created /etc/letsencrypt/rfc2136.ini with permissions 0600, since it holds the TSIG secret in the clear:

dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = certbot_key.
dns_rfc2136_secret = asdflghjkERHWE3kJSESFsfget4rjskr5j43ntKDFGN=
dns_rfc2136_algorithm = HMAC-SHA256

4. Configure DNS

Now it was time to actually configure DNS. I am running the chroot version of named, so I began in /var/named/chroot/etc.

First, I edited named.conf. I added this section (the key name, algorithm and secret must match the ini file exactly):

key "certbot_key." {
        algorithm hmac-sha256;
        secret "asdflghjkERHWE3kJSESFsfget4rjskr5j43ntKDFGN=";
};

Next, in the zone statement for each affected domain, I added an update-policy. It grants the key the right to add and delete TXT records at the _acme-challenge name only, which is all certbot needs. Note that update-policy replaces allow-update (the two are mutually exclusive), and a dynamically updated zone needs a zone file directory that named can write to inside the chroot, because named keeps a journal (.jnl) next to the zone file.

        update-policy {
          grant certbot_key. name _acme-challenge.domain.net. TXT;
        };

Finally, in the zone file for each affected domain, I added a wildcard CNAME record so that any name without an explicit record of its own resolves like www:

*    CNAME    www

5. Obtain the certificate

For each affected domain, I ran a command similar to the following. Certbot records the plugin, the credentials file and the deploy hook in /etc/letsencrypt/renewal/domain.net.conf, so later runs of certbot renew reuse them; certbot renew --dry-run exercises the same path against the staging CA without touching the live certificate. Both names share the single _acme-challenge.domain.net TXT name, so two TXT records coexist there briefly during validation, which the name-based grant above allows.

certbot certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini \
  --dns-rfc2136-propagation-seconds 60 \
  --domains 'domain.net,*.domain.net' \
  --cert-name domain.net \
  --deploy-hook "systemctl restart httpd"
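Before handing the key to certbot, it is worth checking two things that the steps above leave implicit: that the secret copied into rfc2136.ini and into named.conf is the same one that is in the key file, and that the update-policy grants exactly the _acme-challenge name and nothing else. The script below is an added example, not part of the original post; it regenerates both configuration fragments from the .private file (so nothing is retyped), builds the same add/delete TXT update that certbot sends, and pre-flights it with nsupdate and dig against the local server. The key file path, the key name certbot_key., the 127.0.0.1 server and the /var/named/chroot prefix are taken from the post; the zone is whatever you pass in PREFLIGHT_ZONE. It uses nsupdate -k (secret read from the file) rather than -y, which would put the secret on the command line where any local user can read it from ps.

```shell
#!/bin/bash
# Added example (not from the original post): derive rfc2136.ini and the
# named.conf key stanza from the dnssec-keygen .private file, then verify
# the update-policy with nsupdate/dig before certbot ever uses the key.
set -u

# Assumed paths/names, matching the post; override KEYFILE as needed.
KEYFILE="${KEYFILE:-/var/named/chroot/etc/named/Kcertbot_key.+163+63608.private}"
KEYNAME="certbot_key."
SERVER="127.0.0.1"

# Pull the base64 secret out of a dnssec-keygen .private file ("Key: ..." line).
key_secret() {
    awk -F': ' '$1 == "Key" { print $2 }' "$1"
}

# The certbot credentials file; every option carries the dns_rfc2136_ prefix.
rfc2136_ini() {
    local secret="$1"
    printf 'dns_rfc2136_server = %s\n' "$SERVER"
    printf 'dns_rfc2136_port = 53\n'
    printf 'dns_rfc2136_name = %s\n' "$KEYNAME"
    printf 'dns_rfc2136_secret = %s\n' "$secret"
    printf 'dns_rfc2136_algorithm = HMAC-SHA256\n'
}

# The matching key stanza for named.conf.
named_key_stanza() {
    local secret="$1"
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$KEYNAME" "$secret"
}

# Write the ini as a fresh file under umask 077, so it is born 0600
# (umask only affects newly created files, hence the rm first).
write_ini() {
    local secret="$1" out="$2"
    ( umask 077; rm -f "$out"; rfc2136_ini "$secret" > "$out" )
}

# Build the nsupdate batch certbot effectively sends: add or delete one
# TXT record at _acme-challenge.<zone>.
nsupdate_script() {
    local action="$1" zone="$2" token="$3"
    printf 'server %s\nzone %s.\nupdate %s _acme-challenge.%s. 60 IN TXT "%s"\nsend\n' \
        "$SERVER" "$zone" "$action" "$zone" "$token"
}

# Pre-flight against the live server: config check, add, read back, delete,
# then confirm the key is REFUSED outside the granted name.
preflight() {
    local zone="$1" token="preflight-$(date +%s)"
    named-checkconf -t /var/named/chroot || return 1
    nsupdate_script add "$zone" "$token" | nsupdate -k "$KEYFILE" || return 1
    dig @"$SERVER" +short TXT "_acme-challenge.$zone" | grep -q "$token" || return 1
    nsupdate_script delete "$zone" "$token" | nsupdate -k "$KEYFILE" || return 1
    # Least-privilege check: nsupdate exits non-zero when the server answers REFUSED.
    if printf 'server %s\nzone %s.\nupdate add www.%s. 60 IN TXT "x"\nsend\n' \
           "$SERVER" "$zone" "$zone" | nsupdate -k "$KEYFILE" 2>/dev/null; then
        echo "update-policy too broad: key can write www.$zone" >&2
        return 1
    fi
    echo "pre-flight OK for $zone"
}

# Usage: PREFLIGHT_ZONE=domain.net ./preflight.sh
if [ -n "${PREFLIGHT_ZONE:-}" ]; then
    write_ini "$(key_secret "$KEYFILE")" /etc/letsencrypt/rfc2136.ini
    named_key_stanza "$(key_secret "$KEYFILE")"
    preflight "$PREFLIGHT_ZONE"
fi
```

Run it once per zone after reloading named; if the final check fails, the grant in the update-policy is wider than the _acme-challenge name and should be tightened before the key goes anywhere near certbot.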

6. Edit the Apache configuration files

Lastly, for each affected domain, I edited the corresponding file in /etc/httpd/conf.d, so that SSLCertificateFile and SSLCertificateKeyFile point at /etc/letsencrypt/live/domain.net/fullchain.pem and privkey.pem respectively, where certbot now keeps the wildcard certificate.

After restarting Apache one final time, I verified that all affected domains came up with the correct certificate, checking the subject alternative names (which should list both domain.net and *.domain.net) rather than just the subject.

7. Dovecot footnote

Dovecot may be configured to use the same certificates on the server, for secure connections by e-mail clients. It may be necessary to add domain-specific entries to /etc/dovecot/conf.d/10-ssl.conf; the top-level ssl_cert and ssl_key are what clients get when they do not send SNI, and each local_name block serves a specific name. Note that the deploy hook above only restarts httpd, so Dovecot will keep serving the old certificate after a renewal until it is reloaded too; extend the hook (e.g. systemctl reload dovecot) if Dovecot shares the certificate.

ssl_cert = </etc/letsencrypt/live/certs/fullchain.pem
ssl_key = </etc/letsencrypt/live/certs/privkey.pem

local_name domain.net {
  ssl_cert = </etc/letsencrypt/live/domain.net/fullchain.pem
  ssl_key = </etc/letsencrypt/live/domain.net/privkey.pem
}

Also make sure that /etc/letsencrypt/live/certs is a valid name (e.g., a soft link) pointing to the right set of certificates, since that is the fallback pair for clients without SNI.