Get your free wildcard SSL certificate here!

For a very long long long time I wanted to update the SSL certificate I used for my blog page. For some reason I cannot pin down, I delayed it for a long time, until I remembered what happened when I actually wanted to renew the certificate.

History

It was the first time I prepared a personal blog. Everything was going as planned. Some pages were prepared already. Now I needed to make a deployment, and I did, no problem. But I did not really consider the details of how to acquire an SSL certificate to make my domain name secure.

I did a bit of digging. Then I found Let’s Encrypt, which uses the ACME protocol (Automatic Certificate Management Environment). ACME allows web servers to automatically request, validate, and renew certificates without human intervention. Yes, I would rather not maintain it manually. You need to run a certificate management agent (like Certbot) on your web server. This agent proves to Let’s Encrypt that you control the domain by completing a challenge (such as updating a DNS record; for wildcard certificates the DNS challenge is the only option Let’s Encrypt accepts).

Once validated, the agent can request, renew, and revoke certificates automatically. This automation is crucial because Let’s Encrypt certificates have a short validity period (90 days), which encourages frequent renewals and ensures security practices stay current.

🚧🚧🚧 Change of policy drops 🚧🚧🚧

Even before my first 90 days could be completed, I started to receive consecutive emails from Let’s Encrypt about a change of their policy. You can continue to use Let’s Encrypt for free SSL certificates as before, but now you must ensure your renewal process is fully automated or use third-party monitoring. This is because they decided sending individual emails is not worth the trouble for free accounts, and you will not receive expiration emails from Let’s Encrypt after June 4, 2025.

Guess what, I thought I had enabled Certbot to do this repetitive work, but nope. One random day I noticed the blog website had an invalid SSL certificate. It seems I failed to run Certbot properly, or it was even killed by accident (reasons unknown). Then I just decided to make it future me’s problem. The blog was in its beginning phase anyway.

The fix

When I returned to the task months later, I felt a bit lost. Even though I had left (or at least tried to leave) some breadcrumbs to remember how to maintain certificate creation in the future, I decided it took too much time to figure out and chose to start over. This time, I aimed to keep things as simple as possible. I also knew I wouldn’t want to deal with this again, and I still wanted no manual intervention, or as little as possible.

So, here it goes…

I liked the subdomain idea for my main domain name. So I intended to keep my approach. ozan.tacalan.com should point to the personal blog page. The certificate should also be used by any possible other subdomains and parent domain. Let’s just quickly remember certificate types.

Types of SSL Certificates and Their Coverage

  1. Single Domain SSL Certificate:
    • Covers one specific domain (e.g., example.com).
    • Does not cover subdomains (e.g., sub.example.com).
  2. Wildcard SSL Certificate:
    • Covers a single domain and all its first-level subdomains (e.g., example.com, sub.example.com, another.example.com).
    • Does not cover sub-subdomains (e.g., sub.sub.example.com).
  3. Multi-Domain SSL Certificate (SAN Certificate):
    • Can cover multiple domains and subdomains within a single certificate.
    • For example, it can secure example.com, sub.example.com, example.net, and anotherdomain.com all under one certificate.

So I already knew I needed a wildcard (star) SSL certificate instead of a single-domain SSL certificate. It covers a single domain and all its first-level subdomains.

First, I needed to create the correct subdomain for the blog. This is managed on the Subdomains page in konsoleH. I use Hetzner, btw. Now I have created a subdomain, and the IP it resolves to is the correct server (this can be checked with dns.hetzner.com, curl, nslookup and various other tools).

Second, Hetzner has a built-in dialog with which I can request another free Let’s Encrypt certificate. Although it offered other providers as well, I find Let’s Encrypt sought after, so I decided to use it again. Hit the New Certificate dialog on the SSL Manager page in konsoleH; the dialog asks which domain to issue the certificate for, and in this case I chose the wildcard domain. That’s pretty much it.

Third, open the SSL Manager page again, then assign the new certificate from the dropdown to the blog page subdomain I use. Hit the refresh button. Just a few seconds later, I can confirm it uses the new certificate. Tested from another device and network as well in case it was cached at some layer; all good. ✅

Conclusion

I know I needed to consider the proactive guidelines Let’s Encrypt provided. But then I consider that I was in a special position where I had just spent an effort (mental mostly) to create a new personal blog and do some maintenance work that comes with it. Even before a quarter of a year passed, the setup I relied on changed, and apparently it was missing parts in the first place. That put me in a position of frustration, and as a result I delayed a bit more before providing a proper fix.

And finally, I decided it doesn’t make sense to bother for such a simple web page. I found a much simpler option which my cloud provider provided. This was the solution I should have followed in the first place. I would say the groundwork I did did not really consider the out-of-the-box solution at all, which was right in front of my nose!

Now the issue seems to be resolved. If I need to manually intervene, now I know at least how to fix it quickly. I even have a blog post about it!