Wlidcard SSL really how to?

I searched all the forum about wildcard SSL problem, there are few "solutions" that users post there, but no one of them really works.

I did part of steps that really need for wildcard:

1) CWP7 > WebServer Settings > WebServers Conf Editor > '/usr/local/apache/conf.d/vhosts/' > DOMAIN.conf > Edit:

ServerAlias www.mydomain.tld

change to

ServerAlias *.mydomain.tld

2) DNS Functions > List DNS Zones > mydomain.tld.db > Edit Records > Add A record Record:

Name: *

Direction IPv4 address: domain_server_ip

What the other need to do?

To get wildcard ssl from LetsEncrypt, you have to validate over DNS.  I posted a pretty good guide on here on how to do it, bit it's complicated to set up at first.

go figure, and update screwed up the tutorial. I also forgot a step in part 2(My Bad)


Step 2 is now )
cd /etc/named
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme
cat K*.private
(Copy the line after KEY:)
nano /etc/named.conf
add at the top under the comments

Code: [Select]

key "acme" {
          algorithm hmac-md5;
          secret "(KEY GOES HERE)";
};


/var/named/acme.schaffner.org.db
Code: [Select]
$ORIGIN .
$TTL 86400      ; 1 day
acme.schaffner.org      IN SOA  ns1.schaffner.org. rcschaff82.gmail.com. (
                                2020021035 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
$TTL 14400      ; 4 hours
                        NS      ns1.schaffner.org.  ;   THIS IS IMPORTANT.  DO NOT USE BOTH NAMESERVERS FOR LE
$ORIGIN acme.schaffner.org.
$TTL 60 ; 1 minute
Done, but it's displayed corrupted in DNS Functions > List DNS Zones >Edit Records

I don't care what CWP says.  What's the ouput of

Code: [Select]

named-checkzone acme.schaffner.org /var/named/acme.schaffner.org.db

Code: [Select]
NSUPDATE_SERVER=localhost NSUPDATE_KEY=/etc/named/acme.key ./.acme.sh/acme.sh --issue --test -d *.domain.com --challenge-alias acme.schaffner.org --dns dns_nsupdate --debug 2
Return: -bash: ./.acme.sh/acme.sh: No such file or directory

run /scripts/install_acme

Thank you rcschaff! Now all pass without incidents, but still no wildcard SSL worked.

Are you sure secret "(key)", not ("key")?

Code: [Select]

key "acme" {
          algorithm hmac-md5;
          secret "(KEY GOES HERE)";
};


And do need this code together with this in etc/named.conf?

Code: [Select]

zone "acme.schaffner.org" {
        type master;
        file "/var/named/acme.schaffner.org.db";
        allow-update {
                key "acme";
        };
};

Check /root/.acme.sh/ folder.


You should see a folder named (domain)
int there you will find several files including .key .bundle and .crt

You will need to copy those file to /etc/pki/tls
.key goes in /private folder
.bundle and .crt go it /certs folder

I guess I will make a script to do wildcard certificates to make things easier.

Code: [Select]

named-checkzone acme.schaffner.org /var/named/acme.schaffner.org.db

[/quote]

Check /root/.acme.sh/ folder.
int there you will find several files including .key .bundle and .crt

There is not .crt file, but there is .csr files(?!)

I guess I will make a script to do wildcard certificates to make things easier.

This is a great idea, will the script be compatible with CentOS7?

dns_master_load: /var/named/acme.doslar.ru.db:13: extra input text
/var/named/acme.doslar.ru.db: file does not end with newline
zone acme.doslar.ru/IN: loading from master file /var/named/acme.doslar.ru.db failed: extra input text
zone acme.doslar.ru/IN: not loaded due to errors.

Open acme.doslar.ru.db

go to the last line and hit enter, then save

Check /root/.acme.sh/ folder.
int there you will find several files including .key .bundle and .crt
There is not .crt file, but there is .csr files(?!)

Probably because the zone was never loaded for the dns to succeed

[quote ]I guess I will make a script to do wildcard certificates to make things easier.[/quote]This is a great idea, will the script be compatible with CentOS7?
[/quote]

Of course it will be.  Just have to work on it

dns_master_load: /var/named/acme.doslar.ru.db:13: extra input text
/var/named/acme.doslar.ru.db: file does not end with newline
zone acme.doslar.ru/IN: loading from master file /var/named/acme.doslar.ru.db failed: extra input text
zone acme.doslar.ru/IN: not loaded due to errors.

Open acme.doslar.ru.db

go to the last line and hit enter, then save

Done ok


Also DNS not restarted, because /etc/named.conf:14: bad secret 'bad base64 encoding'

Code: [Select]

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a any DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

key "acme" {
          algorithm hmac-md5;
          secret "[trIHAr8vNJrEWQWYkcZiM4POxGh+IhtbxU/P85yeXGxOvSP23hWnmTnKkT4Fc9hffjTToAHqTIlwW+0lCKjTpw==]"; LINE 14
};

1)  post your acme file

2) get rid of the brackets around the key. Might want to regenerate it now as it's been exposed.

hi you need to do that your self since i think you're learning
take a look into it :
https://www.mysterydata.com/how-to-install-lets-encrypt-wildcard-ssl-for-your-domain-acme-v2/
https://www.mysterydata.com/how-to-enable-wildcard-domainvhost-in-nginx-and-apache-cwp-centos/

hi you need to do that your self since i think you're learning
take a look into it :
https://www.mysterydata.com/how-to-install-lets-encrypt-wildcard-ssl-for-your-domain-acme-v2/
https://www.mysterydata.com/how-to-enable-wildcard-domainvhost-in-nginx-and-apache-cwp-centos/

Ok, thanks will try this.
Does the CWP team are still think of integrating wildcard SSL in the CWP UI?

https://www.mysterydata.com/how-to-install-lets-encrypt-wildcard-ssl-for-your-domain-acme-v2/

Step 1
cd /root
OK

Step 2
yum install socat
curl https://get.acme.sh | sh
OK

Step 3
acme.sh  --issue -d mysterydata.com  -d  *.mysterydata.com  --dns --force
Result: -bash: ./acme.sh: Is a directory
How do I run command acme.sh normally?

@rcschaff, your guide totally failed!
@Sandeep, give me please normall answer, I read the entire forum on this topic and no reliable information, please write a guide or add normal wildcard SSL function in CWP UI.

Code: [Select]

curl https://get.acme.sh | shIf you took the time/effort to learn a bit more linux, you'd notice that the above command is totally wrong.

A bigger question is why the external references to mysterydata, when there should be 'official' CWP tutorials? (Other than self promotion.)

Code: [Select]

curl https://get.acme.sh | shIf you took the time/effort to learn a bit more linux, you'd notice that the above command is totally wrong.

I dont know what wrong with this command as you said my linux level close to zero, I just did step by step in guide that Sandeep gave me.

A bigger question is why the external references to mysterydata, when there should be 'official' CWP tutorials? (Other than self promotion.)

Good question.

In fact, I just checked; I stand corrected (actually lounging)! There is a trick of curl/HTML going on there and the command should work.

I think that you may have missed a step:

[Sun 31 May 15:56:38 BST 2020] Installing to /home/user/.acme.sh
[Sun 31 May 15:56:38 BST 2020] Installed to /home/user/.acme.sh/acme.sh
[Sun 31 May 15:56:38 BST 2020] Installing alias to '/home/user/.profile'
[Sun 31 May 15:56:38 BST 2020] OK, Close and reopen your terminal to start using acme.sh
[Sun 31 May 15:56:38 BST 2020] Installing cron job
[Sun 31 May 15:56:38 BST 2020] Installing to /home/user/.acme.sh
[Sun 31 May 15:56:38 BST 2020] Installed to /home/user/.acme.sh/acme.sh
[Sun 31 May 15:56:38 BST 2020] Installing alias to '/home/user/.profile'
[Sun 31 May 15:56:38 BST 2020] OK, Close and reopen your terminal to start using acme.sh
[Sun 31 May 15:56:38 BST 2020] Installing cron job

Alternatively, in Step 3:

Code: [Select]

~/.acme.sh/acme.sh  --issue -d your_domain.tld  -d  *.your_domain.tld  --dns --force

P.S. don't bash @rcschaff as he does his best to help all and sundry, with as many/more typos as/than me.