Obtaining a Let’s Encrypt Wildcard Certificate with acme.sh
In our previous article, “Formal Support for Let’s Encrypt Wildcard Certificates,” we emphasized the importance of rigorous procedures for applying for Let’s Encrypt wildcard certificates. Unfortunately, many online tutorials lack clarity, leading to confusion and potential issues. In this article, we will provide a step-by-step guide on how to properly apply for a Let’s Encrypt wildcard certificate using the acme.sh script.
Updating the acme.sh Script
Before applying for a Let’s Encrypt wildcard certificate, make sure your acme.sh script is up to date, since wildcard issuance requires the ACME v2 support added in newer versions. To upgrade to the latest version, run the following command:
acme.sh --upgrade
Once the update is complete, you can proceed with the application process.
Applying for a Let’s Encrypt Wildcard Certificate
If you have previously obtained a Let’s Encrypt certificate for the domain, you can issue a new wildcard certificate that replaces the original by adding the --force parameter, which makes acme.sh issue even though the existing certificate is not yet due for renewal. Use the following command (the wildcard is quoted so the shell does not expand it as a glob):
acme.sh --issue --dns dns_cx -d mydomain.com -d '*.mydomain.com' --force
After applying for the certificate, you can install it using the following command:
acme.sh --installcert -d mydomain.com -d '*.mydomain.com' \
--key-file /home/wwwroot/www.mydomain.com/ssl/mydomain.com.key \
--fullchain-file /home/wwwroot/www.mydomain.com/ssl/mydomain.com.cer \
--reloadcmd "service nginx reload"
Renewing a Let’s Encrypt Wildcard Certificate
If you want to renew your existing Let’s Encrypt wildcard certificate, one way is to remove the original certificate from acme.sh and reissue it. First, list the certificates that acme.sh manages:
acme.sh --list
This will list all the certificates managed by acme.sh. Identify the Main_Domain of the certificate you want to remove and run the following command (--remove only drops the certificate from acme.sh’s list; the files already installed on disk are not deleted):
acme.sh --remove -d Main_Domain
If you have an ECC certificate, add the --ecc parameter to the command:
acme.sh --remove -d Main_Domain --ecc
After removing the original certificate, you can reapply for a new certificate using the same command as before:
acme.sh --issue --dns dns_cx -d mydomain.com -d '*.mydomain.com'
Using ECC Encryption with a Wildcard Certificate
To request a wildcard certificate with an ECC key (P-256), use the following command:
acme.sh --issue --dns dns_cx -d imydl.tech -d '*.imydl.tech' -k ec-256 --force
After applying for the certificate, install it using the following command:
acme.sh --installcert -d imydl.tech -d www.imydl.tech --ecc \
--key-file /home/wwwroot/www.imydl.tech/ssl/imydl.tech.ecdsa.key \
--fullchain-file /home/wwwroot/www.imydl.tech/ssl/imydl.tech.ecdsa.cer \
--reloadcmd "service nginx reload"
Verifying the Certificate
After applying for a Let’s Encrypt wildcard certificate, you can verify its status using the following command:
acme.sh --list
This will list all the certificates managed by acme.sh; if the wildcard application succeeded, *.mydomain.com appears in the SAN_Domains column of the entry whose Main_Domain is mydomain.com.
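The acme.sh list only shows what acme.sh believes it issued. As an added example (not from the article or from acme.sh itself), the script below checks the files actually handed to nginx by --installcert: that the private key matches the leaf certificate, that the SAN list covers both the apex and the wildcard, and that the certificate is not about to expire. It assumes OpenSSL 1.1.1 or newer is on PATH; the example.test certificate it generates is a constructed self-signed stand-in for the real acme.sh output.

```shell
#!/bin/sh
# Added example, not from the article or from acme.sh: after --installcert, confirm
# that the files handed to nginx are a valid wildcard pair. Assumes OpenSSL 1.1.1+.
# Usage: check_wildcard_cert <fullchain.cer> <key> <apex-domain> [min-days]
check_wildcard_cert() {
  cert="$1"; key="$2"; apex="$3"; min_days="${4:-30}"
  # 1. Key/cert pairing: the leaf (first PEM block of the fullchain) must carry the
  #    public key derived from the private key. Works for RSA and ECC (ec-256) keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot read certificate $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read private key $key" >&2; return 1; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $cert" >&2; return 1; }
  # 2. Wildcard coverage: both the apex and *.apex must be SAN entries
  #    (a certificate issued with only "-d mydomain.com" fails here).
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
    sed -n '/Subject Alternative Name/{n;p;}')
  for name in "$apex" "*.$apex"; do
    printf '%s\n' "$sans" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$name" ||
      { echo "FAIL: SAN list lacks $name" >&2; return 1; }
  done
  # 3. Lifetime: -checkend exits non-zero if the cert expires within the given seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL: $cert expires in under $min_days days" >&2; return 1; }
  echo "OK: $cert covers $apex and *.$apex, matches $key, valid > $min_days days"
}

# Constructed stand-in for the files acme.sh installs: a self-signed P-256 cert with
# the same SAN shape (apex + wildcard). Usage: make_demo_cert <dir> <apex> <days>
make_demo_cert() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/$2.ecdsa.key" 2>/dev/null &&
  openssl req -x509 -new -key "$1/$2.ecdsa.key" -out "$1/$2.ecdsa.cer" -days "$3" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:*.$2" >/dev/null 2>&1
}

# Stand-alone demo; on a real host pass the --installcert paths instead, e.g.
# /home/wwwroot/www.mydomain.com/ssl/mydomain.com.cer and mydomain.com.key.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" example.test 90 &&
  check_wildcard_cert "$demo_dir/example.test.ecdsa.cer" \
                      "$demo_dir/example.test.ecdsa.key" example.test
rm -rf "$demo_dir"
```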