Step 1: Install Let's Encrypt (Certbot)
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Step 2: Install NGINX
sudo apt update
sudo apt upgrade
sudo apt install nginx
Step 3: Configure DNS so that all subdomains are covered
Step 4: Obtain an SSL certificate with certbot
Follow the example below, replacing example.com with your own domain (it is recommended to request both *.example.com and example.com). While the certificate is being obtained, you must add a DNS TXT record, as shown below:
hlchang@azure-ubuntu-1:~$ sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com -d example.com --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
OeecI1rJcyPoI6TDhNZthTInDwQBbrcrTsCWRWKrA64
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-12-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
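The prompt above says "Before continuing, verify the record is deployed", and pressing Enter too early is the usual reason a manual dns-01 challenge fails. The following script is an added example (not part of the original post) that checks the _acme-challenge TXT record from the domain's own authoritative name server before you continue. It assumes `dig` (from the dnsutils package) is installed; the domain and token values are the ones shown in the certbot output above.

```shell
#!/bin/sh
# Added example: confirm the ACME TXT record is visible before pressing Enter in certbot.
# Assumes `dig` is available. Not part of the original post.

# Read TXT values as `dig +short TXT` prints them (one quoted string per line), strip the
# quotes, and succeed only if the expected token is among them. Several values at the same
# name are normal: when both example.com and *.example.com are requested, certbot asks for
# one record per name and both live under _acme-challenge.example.com.
txt_values_contain() {
  expected="$1"
  while IFS= read -r line; do
    # Long TXT records are printed as "part1" "part2"; join the segments and drop the quotes.
    value=$(printf '%s' "$line" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
    [ "$value" = "$expected" ] && return 0
  done
  return 1
}

# Query the zone's authoritative server rather than a caching resolver: Let's Encrypt
# validates against authoritative DNS, and a cached negative answer from your local
# resolver would give a misleading result.
acme_txt_deployed() {
  domain="$1"; expected="$2"
  ns=$(dig +short NS "$domain" | head -n 1)
  [ -n "$ns" ] || { echo "no NS record found for $domain" >&2; return 2; }
  dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_values_contain "$expected"
}

# Poll until the record is live (default: 30 attempts, 10 seconds apart).
wait_for_acme_txt() {
  domain="$1"; expected="$2"; tries="${3:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if acme_txt_deployed "$domain" "$expected"; then
      echo "TXT record for _acme-challenge.$domain is live; safe to press Enter in certbot."
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "TXT record not seen after $tries attempts; do not continue yet." >&2
  return 1
}

# Usage (values taken from the certbot output above; run in a second terminal):
#   wait_for_acme_txt example.com OeecI1rJcyPoI6TDhNZthTInDwQBbrcrTsCWRWKrA64
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue"; only press Enter once it reports the record as live. If you requested both the apex and the wildcard, run it once per token certbot printed.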
Step 5: Edit the NGINX configuration file
Add the parts shown in red below:
hlchang@azure-ubuntu-1:~$ more /etc/nginx/sites-available/example.com
server {
    listen 80;
    listen [::]:80;
    server_name example.com *.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/wordpress;
    index index.php;
    server_name example.com *.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    client_max_body_size 100M;
    autoindex off;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Step 6: Restart NGINX
hlchang@azure-ubuntu-1:~$ cd /etc/nginx/sites-enabled/
hlchang@azure-ubuntu-1:~$ sudo ln -s ../sites-available/example.com .
hlchang@azure-ubuntu-1:~$ sudo systemctl restart nginx
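A restart on a configuration that does not parse takes the site down, and the certificate obtained above expires after 90 days (the output says 2020-12-05). The script below is an added example, not part of the original post, that tests the configuration before reloading and warns when the certificate is close to expiry. It assumes nginx and openssl are installed and uses the certificate path certbot printed in Step 4; the script name nginx-safe-reload.sh is an assumption.

```shell
#!/bin/sh
# Added example: reload nginx only after `nginx -t` passes, and warn before the
# Let's Encrypt certificate expires. Assumes nginx and openssl are installed.
# Not part of the original post.

# Path printed by certbot in Step 4; override with CERT_PATH=... if your domain differs.
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/example.com/fullchain.pem}"

# Returns 0 (true) if the certificate in $1 expires within $2 days, 1 if it does not,
# and 2 if the file cannot be read. `openssl x509 -checkend N` exits 0 when the
# certificate will still be valid N seconds from now, so the sense is inverted here.
cert_expires_within_days() {
  file="$1"; days="$2"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  seconds=$((days * 86400))
  if openssl x509 -checkend "$seconds" -noout -in "$file" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Reload (rather than restart) nginx, and only if the configuration parses. `nginx -t`
# also fails if the ssl_certificate or ssl_certificate_key files are missing, so a
# typo in the Step 5 paths is caught before any connection is dropped.
reload_nginx_if_valid() {
  if sudo nginx -t; then
    sudo systemctl reload nginx
  else
    echo "nginx configuration test failed; nothing reloaded" >&2
    return 1
  fi
}

main() {
  if cert_expires_within_days "$CERT_PATH" 30; then
    # Certificates obtained with --manual cannot be renewed unattended by `certbot renew`
    # unless a --manual-auth-hook that publishes the TXT record is supplied.
    echo "WARNING: $CERT_PATH expires within 30 days; renew it with certbot." >&2
  fi
  reload_nginx_if_valid
}

# Run main only when executed as the script itself, so the functions can also be sourced.
case "$0" in
  *nginx-safe-reload.sh) main "$@" ;;
esac
```

Use `sudo sh nginx-safe-reload.sh` in place of the bare `systemctl restart nginx` above; it exits non-zero without touching the running server if the configuration is invalid.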
https://wiki.gslin.org/wiki/Dehydrated
This one is more convenient; you don't need to install so many packages.
Thanks for sharing.