Cara Install Let]s Encrypt SSL Wildcard di Debian 9

SSL Wildcard adalah satu sertifikat SSL yang dapat digunakan untuk domain dan seluruh subdomainnya. Jadi tidak perlu membuat sertifikat SSL lagi untuk setiap subdomain. Let’s Encrypt telah mendukung SSL Wildcard sejak bulan Maret 2018. Yang berbeda dari Let’s Encrypt SSL non-wildcard yang sudah sering saya bahas adalah cara generate sertifikat dan harus melakukan konfigurasi di DNS record.

-Install Let’s Encrypt di Debian 9-

Tambahkan backports repository.

[INPUT]

1 $ sudo nano /etc/apt/sources.list

Tambahkan pada baris paling akhir.

[INPUT]

1 deb http://ftp.debian.org/debian stretch-backports main

Update repository.

[INPUT]

1 $ sudo apt update

Install certbot.

[INPUT]

1 $ sudo apt install python-certbot-apache -t stretch-backports

-Generate SSL Wildcard-

Jalankan cerbot untuk generate SSL domain.com dan *.domain.com.

[INPUT]

1 2 3 4 5 $ sudo certbot certonly \ –manual -d *.domain.com -d domain.com \ –agree-tos –no-bootstrap –manual-public-ip-logging-ok \ –preferred-challenges dns-01 \ –server https://acme-v02.api.letsencrypt.org/directory

Hasilnya, masukkan alamat email untuk notifikasi sertifikat SSL yang akan habis masa aktifnya.

[INPUT]

1 2 3 4 Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to cancel): alamat@email.com

Konfirmasi apakah mau share email ke EFF.

[INPUT]

1 2 3 4 5 6 7 – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let’s Encrypt project and the non-profit organization that develops Certbot? We’d like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – (Y)es/(N)o: N

Melakukan generate sertifikat.

[INPUT]

1 2 3 4 Obtaining a new certificate Performing the following challenges: dns-01 challenge for domain.com dns-01 challenge for domain.com

Buat DNS TXT record, setelah dibuat lalu Enter.

[INPUT]

1 2 3 4 5 6 7 8 9 – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – Please deploy a DNS TXT record under the name _acme-challenge.domain.com with the following value:   XauxWNdpDJPKHGDn0XHHW3dzI16GVzhRsgryxX   Before continuing, verify the record is deployed. – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – Press Enter to Continue

Buat DNS TXT record yang kedua, lalu Enter. Jika SSH remote ke server disconnect, login kembali dan jalankan kembali perintahnya. DNS TXT record masih menampilkan value yang sama.

[INPUT]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – Please deploy a DNS TXT record under the name _acme-challenge.domain.com with the following value:   gbIhZ3Hn1xyfj5kC1CiJt9Cjih8JR05x7LZmbH   Before continuing, verify the record is deployed. (This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet. Note that you might be asked to create multiple distinct TXT records with the same name. This is permitted by DNS standards.)   – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – Press Enter to Continue

Jika langkah sebelumnya sukses, maka ditampilkan pesan lokasi penyimpanan sertifikat SSL.

[INPUT]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Waiting for verification… Cleaning up challenges   IMPORTANT NOTES: – Congratulations! Your certificate and chain have been saved at:    /etc/letsencrypt/live/domain.com/fullchain.pem    Your key file has been saved at:    /etc/letsencrypt/live/domain.com/privkey.pem    Your cert will expire on 2019-07-05. To obtain a new or tweaked    version of this certificate in the future, simply run certbot    again. To non-interactively renew *all* of your certificates, run    “certbot renew” – If you like Certbot, please consider supporting our work by:      Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate    Donating to EFF:                    https://eff.org/donate-le

Sertifikat SSL yang telah digenerate selanjutnya tinggal dimasukkan ke dalam konfigurasi web server baik itu Apache atau Nginx. Jangan lupa untuk mengujinya melalui SSL Labs.

Selamat mencoba 🙂

Leave a Reply

Your email address will not be published.