Linode Wildcard Certificate DNS

To get a wildcard Let's Encrypt certificate you need to pass the DNS-01 challenge: the CA proves you control the domain by looking up a TXT record at _acme-challenge.<domain>, so the ACME client needs API access to your DNS provider. HTTP-01 cannot issue wildcards.

Requirements:

lego, an ACME client with a built-in Linode DNS provider that adds (and afterwards removes) the _acme-challenge TXT record for you. It is not widely packaged yet, so download a release binary for your operating system.

You need a Linode personal access token. To create one, go to your account dropdown, Login & Authentication, Create a Personal Access Token. Give it read/write permission on Domains only: that is all lego needs, and a narrowly scoped token limits the damage if it ever leaks.

LINODE_TOKEN=<your-token> \
 ./lego --email hello@example.com --dns linode --domains '*.example.com' run

The token is redacted here; a live token on the command line ends up in your shell history and in process listings, so prefer exporting it from a file with restricted permissions. Quote the domain so the shell does not glob-expand the asterisk. On the first run lego asks you to accept the Let's Encrypt terms of service; add --accept-tos to run it non-interactively. Note that *.example.com does not cover the apex example.com; pass a second --domains example.com if you want both names on one certificate.

If you get an error like:

acme: error presenting token: [401] Your OAuth token is not authorized to use this endpoint.

Your token was either copied incorrectly or does not have read/write access to Domains. Check the scope on the token and that it was pasted exactly.

On success the output looks like this:

acme: Obtaining bundled SAN certificate
AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/51291533070
acme: use dns-01 solver
acme: Preparing to solve DNS-01
acme: Trying to solve DNS-01
acme: Checking DNS record propagation using [1.1.1.1:53]
Wait for propagation [timeout: 16m0s, interval: 15s]
acme: Waiting for DNS record propagation.
The server validated our request
acme: Cleaning DNS-01 challenge
acme: Validations succeeded; requesting certificates
Server responded with a certificate.

If the propagation check times out, first look at the TTL on the zone: lego keeps polling until the TXT record is visible, and a high default TTL on the Linode zone makes that take longer. You can also tell lego which resolvers to poll with --dns.resolvers; the output above came from --dns.resolvers 1.1.1.1:53, the Cloudflare resolver. Switching resolvers helps in particular for a newly created domain, whose records are not yet cached anywhere, and avoids a resolver that is still serving a stale answer.
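While lego is waiting you can query the record yourself with dig against the same resolver (the TXT lives at _acme-challenge.example.com). The value lego publishes is not the raw challenge token. As an added example, not part of the original post and not lego's own code, the script below computes the TXT value from the challenge token and the ACME account key per RFC 8555 section 8.4, using the RFC 7638 thumbprint of the account key, so you can recognise a correct record. It needs only openssl and base64 and runs offline; the key is the RFC 7638 example RSA key (whose thumbprint is a published test vector) and the challenge token is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not lego's code): compute the TXT value that the DNS-01 solver
# publishes at _acme-challenge.<domain>, to compare with what `dig` returns
# while lego reports "Waiting for DNS record propagation".
# RFC 8555 s8.4:  TXT = base64url( SHA-256( token "." thumbprint ) )
# RFC 7638:       thumbprint = base64url( SHA-256( canonical JWK JSON ) )
# Dependencies: openssl, base64. No network access required.
set -eu

# base64url without padding, as ACME requires.
b64url() {
    base64 | tr -d '\n=' | tr '+/' '-_'
}

# RFC 7638 thumbprint of an RSA account key: SHA-256 over the JSON
# {"e":...,"kty":"RSA","n":...} with required members in lexicographic
# order and no whitespace.  $1 = e, $2 = n (base64url as they appear in the JWK).
jwk_thumbprint_rsa() {
    printf '{"e":"%s","kty":"RSA","n":"%s"}' "$1" "$2" \
        | openssl dgst -sha256 -binary | b64url
}

# Key authorization: <token>.<thumbprint>.  $1 = challenge token, $2 = thumbprint.
key_authorization() {
    printf '%s.%s' "$1" "$2"
}

# The TXT record value: base64url(SHA-256(key authorization)).
dns01_txt_value() {
    key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Constructed input: the RFC 7638 example RSA public key (a published test
# vector; its thumbprint is NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs)
# and a made-up challenge token of the shape the CA returns.
E=AQAB
N=0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw
TOKEN=evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA

THUMB=$(jwk_thumbprint_rsa "$E" "$N")
echo "account key thumbprint: $THUMB"
echo "_acme-challenge.example.com. TXT \"$(dns01_txt_value "$TOKEN" "$THUMB")\""
```

The token here is a placeholder; the real one is in the challenge object the CA returns for your authorization, and the real account key is the PEM lego keeps under its accounts directory. The thumbprint is fixed for an account, so the TXT value changes with every new challenge token, which is why a stale cached answer from a previous run causes the propagation check to wait.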

By default lego stores the account key and the certificates under ./.lego, relative to the directory you ran it from. Either move them or pass --path=/path/to on every invocation, including renewals, so lego can find the account and the existing certificate. Keep the .key file readable only by root (or whichever user starts nginx).
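Putting the steps above together, here is a small wrapper script, added as an example and not part of the original post or of lego itself. It assumes lego is on PATH, that the Linode token is stored in /etc/lego/linode.token with mode 0600, that certificates go under /etc/lego, and that nginx is reloaded with systemctl; the domain, e-mail address and paths are placeholders. It requests the wildcard and the apex on one certificate, reads the token from a file through lego's _FILE environment-variable convention so it never appears on the command line, and runs an nginx reload only when a certificate was actually issued or renewed.

```shell
#!/bin/sh
# Added example (not from the original post, not lego's code): wrapper around
# lego for a Linode-hosted wildcard certificate.  Assumptions: lego on PATH,
# token file /etc/lego/linode.token (mode 0600), certificates under /etc/lego,
# nginx reloaded via systemctl.  Domain, e-mail and paths are placeholders.
set -eu

DOMAIN=example.com
EMAIL=hello@example.com
LEGO_PATH=/etc/lego
TOKEN_FILE=/etc/lego/linode.token

# lego names certificate files after the first --domains value with '*'
# replaced by '_', so '*.example.com' becomes '_.example.com.crt' / '.key'.
lego_cert_basename() {
    printf '%s\n' "$1" | tr '*' '_'
}

# Paths to put into ssl_certificate / ssl_certificate_key for a primary domain.
lego_cert_path() {
    printf '%s/certificates/%s.crt\n' "$LEGO_PATH" "$(lego_cert_basename "$1")"
}
lego_key_path() {
    printf '%s/certificates/%s.key\n' "$LEGO_PATH" "$(lego_cert_basename "$1")"
}

# First issuance.  A wildcard does not cover the apex, so both names go on
# one certificate.  LINODE_TOKEN_FILE is lego's "_FILE" convention for
# reading a provider variable from a file instead of the environment or the
# command line.  --accept-tos keeps the first run non-interactive.
issue() {
    LINODE_TOKEN_FILE="$TOKEN_FILE" lego \
        --email "$EMAIL" --dns linode \
        --domains "*.$DOMAIN" --domains "$DOMAIN" \
        --path "$LEGO_PATH" --accept-tos \
        run --run-hook "systemctl reload nginx"
}

# Renewal, safe to run daily from cron: lego only renews when the certificate
# is within --days of expiry, and the hook only fires when it actually did.
renew() {
    LINODE_TOKEN_FILE="$TOKEN_FILE" lego \
        --email "$EMAIL" --dns linode \
        --domains "*.$DOMAIN" --domains "$DOMAIN" \
        --path "$LEGO_PATH" \
        renew --days 30 --renew-hook "systemctl reload nginx"
}

case "${1:-}" in
    issue) issue ;;
    renew) renew ;;
    paths)
        echo "ssl_certificate     $(lego_cert_path "*.$DOMAIN");"
        echo "ssl_certificate_key $(lego_key_path "*.$DOMAIN");"
        ;;
esac
```

Run it once as `sh lego-wildcard.sh issue`, then schedule `sh lego-wildcard.sh renew`; `paths` prints the two nginx directives for the certificate lego wrote, so the file names in the server block and on disk cannot drift apart.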

Then reference the certificate and key in the Nginx server block. Note that the regex capture in server_name comes from the client's Host header and is used to build a filesystem path, so restrict it to a single label of hostname-safe characters; a wildcard certificate only covers one label anyway, so a.b.example.com would not be valid for it.

server {
        # Only a single label of hostname-safe characters. The capture is
        # taken from the client's Host header and becomes part of a path,
        # and a wildcard certificate covers exactly one label.
        server_name ~^([a-z0-9-]+)\.example\.com$;

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # main_ext is a log_format defined elsewhere in the http block.
        access_log /var/log/nginx/wildcard.access.log main_ext;

        # Document root derived from the subdomain. Prefer a dedicated
        # web root over a system directory such as /usr/lib.
        root /usr/lib/$1;

        location / {
                try_files $uri $uri/ =404;
        }

        # Files written by lego: '*' in the domain becomes '_' in the file name.
        ssl_certificate /home/letsencrypt/.lego/certificates/_.example.com.crt;
        ssl_certificate_key /home/letsencrypt/.lego/certificates/_.example.com.key;
}