https://quicktasks.ismael.casimpan.com/tags/sslcert/Recent content in sslcert on IT QuicktasksHugo -- gohugo.ioCopyright © 2018–2022, Ismael Casimpan Jr.; All Rights ReservedWed, 26 Aug 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/delete-letsencrypt-certificate/Wed, 26 Aug 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/delete-letsencrypt-certificate/ Given the following cert: 1root@php73:~# certbot certificates 2Saving debug log to /var/log/letsencrypt/letsencrypt.log 34- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5Found the following certs: 6Certificate Name: php72.example.com 7Domains: php72.example.com php72.example.net 8Expiry Date: 2020-11-19 01:30:55+00:00 (VALID: 85 days) 9Certificate Path: /etc/letsencrypt/live/php72.https://quicktasks.ismael.casimpan.com/post/nginx-ssl-pem_read_bio-end-of-line-error/Mon, 27 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/nginx-ssl-pem_read_bio-end-of-line-error/ We had this ssl cert issued by Network Solutions 1root@www:/etc/nginx/conf.d/ssl/example-2020# unzip -l EXAMPLE.ORG.zip 2Archive: EXAMPLE.ORG.zip 3Length Date Time Name 4--------- ---------- ----- ---- 52150 2020-07-14 16:59 DV_NetworkSolutionsDVServerCA2.crt 6Network Solutions DV Intermediate CA 72093 2020-07-14 16:59 DV_USERTrustRSACertificationAuthority.crt 8Network Solutions DV Intermediate CA 2 92174 2020-07-14 16:59 EXAMPLE.ORG.crt 10Domain certificate 11--------- ------- 126417 3 files I created a bundle as this was for Nginx cat EXAMPLE.ORG.crt DV_NetworkSolutionsDVServerCA2.crt DV_USERTrustRSACertificationAuthority.crt > www.example.org-bundle.crt When I tried verifying, I got this error:https://quicktasks.ismael.casimpan.com/post/regenerate-multidomain-sslcert-and-update-extension-dns/Mon, 27 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/regenerate-multidomain-sslcert-and-update-extension-dns/ Scenario: Cert was purchased originally for 5 years. Cert with that validity need to revalidate every 2 years as per https://www.digicert.com/shortening-validity-periods-for-ov-dv-certificates However, the cert has been configured with the following SAN: www.example1.com www.example2.com Problem: www.example2.com is no longer part of the same hosting and doesn't need the cert. However, 'example1.com' should replace it. Solution: Regenerate the cert and add the domains "www.example1.com" and "example1.com". NOTE: Not sure yet, but I think this is valid only when the main domain for the cert is "www.https://quicktasks.ismael.casimpan.com/post/view-all-cert-in-bundle/Wed, 15 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/view-all-cert-in-bundle/ Oneliner solution using the following command: 1~$ openssl crl2pkcs7 -nocrl -certfile www.example.org-bundle.crt | openssl pkcs7 -print_certs -noout With sample output as follows: 1~$ openssl crl2pkcs7 -nocrl -certfile www.example.org-bundle.crt | openssl pkcs7 -print_certs -noout 2subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.example.org 3issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 45subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 6issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 78subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 9issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 1011subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 12issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root Details and other solutions in https://serverfault.https://quicktasks.ismael.casimpan.com/post/apache-hsts/Fri, 10 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/apache-hsts/ When a user visits your website, the above header will load first and the expiration time is 2 years (63072000 in seconds). 1# Optionally load the headers module: 2LoadModule headers_module modules/mod_headers.so 3<VirtualHost 67.89.123.45:443> 4Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains;” 5</VirtualHost> 6... 7... 8... 9<VirtualHost *:80> 10[…] 11ServerName example.com 12Redirect permanent / https://example.com/ 13</VirtualHost> More details in https://medium.com/@sslsecurity/how-to-enable-hsts-on-apache-nginx-and-lighttpd-8b0c64155911https://quicktasks.ismael.casimpan.com/post/comodo-ssl-verification-in-nginx/Fri, 10 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/comodo-ssl-verification-in-nginx/ Add the following to the vhost: 1location ^~ /.well-known/ { 2log_not_found off; 3}https://quicktasks.ismael.casimpan.com/post/ca-chain-acquia/Fri, 10 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/ca-chain-acquia/ From Comodo Email after verifying domain ownership, got this hints: 1Root CA Certificate - AAACertificateServices.crt 2Intermediate CA Certificate - USERTrustRSAAAACA.crt 3Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt 4Your PositiveSSL Multi-Domain Certificate - 378394251.crt Generate the CA Chain as follows: 1cat AAACertificateServices.crt USERTrustRSAAAACA.crt SectigoRSADomainValidationSecureServerCA.crt > ca-chain-acquia-prod.pem And add to Acquia SSL section in corresponding environment. NOTE: It's interesting to note that in CheapSSLSecurity site's download section, an additional file "My_CA_Bundle.txt" is present. Checked the sha256sum and compared to the CA Chain made above but it's not the same.https://quicktasks.ismael.casimpan.com/post/nginx-hsts/Fri, 10 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/nginx-hsts/ Update the following line of code in config file’s server Block. 1add_header Strict-Transport-Security “max-age=63072000; includeSubdomains; “; Restart the NGINX server. More details in https://medium.com/@sslsecurity/how-to-enable-hsts-on-apache-nginx-and-lighttpd-8b0c64155911https://quicktasks.ismael.casimpan.com/post/ocsp-stapling-in-nginx/Fri, 10 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/ocsp-stapling-in-nginx/ https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.htmlhttps://quicktasks.ismael.casimpan.com/post/sslpassphrasedialog-how-to-use/Fri, 10 Jul 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/sslpassphrasedialog-how-to-use/ See https://griffith.wordpress.com/tag/sslpassphrasedialog/https://quicktasks.ismael.casimpan.com/post/cert-chain-multidomain-comodo-positive-ssl/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/cert-chain-multidomain-comodo-positive-ssl/ 1cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt >> cert-chain.pem NOTE: This is the inverse of "Creating an SSL Bundle out of Comodo Positive SSL" which seems valid as well. Not sure if it's valid in any order.https://quicktasks.ismael.casimpan.com/post/cert-chain-positive-wildcard-multidomain/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/cert-chain-positive-wildcard-multidomain/ Given this list of files given by Comodo 1Root CA Certificate - AddTrustExternalCARoot.crt 2Intermediate CA Certificate - USERTrustRSAAddTrustCA.crt 3Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt 4Your PositiveSSL Multi-Domain Certificate - 285695299.crt Do the following: 1cat 285695299.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt >> cert-chain.pemhttps://quicktasks.ismael.casimpan.com/post/check-certificates-info/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/check-certificates-info/ Check a Certificate Signing Request (CSR) 1openssl req -text -noout -verify -in CSR.csr Check a private key 1openssl rsa -in privateKey.key -check Check a certificate 1openssl x509 -in certificate.crt -text -noout Check a PKCS#12 file (.pfx or .p12) 1openssl pkcs12 -info -in keyStore.p12 See https://www.sslshopper.com/csr-decoder.html or https://www.sslshopper.com/certificate-decoder.htmlhttps://quicktasks.ismael.casimpan.com/post/check-ssl-connection/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/check-ssl-connection/ All the certificates (including Intermediates) should be displayed 1openssl s_client -connect www.google.com:443 Web UI checking possible in https://www.sslshopper.com/ssl-checker.htmlhttps://quicktasks.ismael.casimpan.com/post/converting-different-cert-formats/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/converting-different-cert-formats/ Convert a DER file (.crt .cer .der) to PEM 1openssl x509 -inform der -in certificate.cer -out certificate.pem Convert a PEM file to DER 1openssl x509 -outform der -in certificate.pem -out certificate.der Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM 1openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes You can add -nocerts to only output the private key or add -nokeys to only output the certificates.https://quicktasks.ismael.casimpan.com/post/create-san-sslcert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/create-san-sslcert/ Create san.conf 1[ req ] 2default_bits = 4096 3prompt = no 4encrypt_key = no 5default_md = sha256 6distinguished_name = dn 7req_extensions = req_ext 89[ dn ] 10CN = example.org 11emailAddress = webmaster@example.org 12O = Example Memorial Hospital 13OU = Example Memorial Hospital 14L = Chicago 15ST = Illinois 16C = US 1718[ req_ext ] 19subjectAltName = DNS: example.org, DNS: www.example.org NOTE: Do not leave out OU. Otherwise, you will see the error below.https://quicktasks.ismael.casimpan.com/post/creating-ssl-bundle-from-comodo-positive-ssl/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/creating-ssl-bundle-from-comodo-positive-ssl/ 1www.example.org.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> www.example.org-bundle.crt See details in https://helpdesk.ssls.com/hc/en-us/articles/203427642-How-to-install-a-SSL-certificate-on-a-NGINX-serverhttps://quicktasks.ismael.casimpan.com/post/cross-check-certificate-with-csr-and-private-key/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/cross-check-certificate-with-csr-and-private-key/ 1openssl x509 -noout -modulus -in certificate.crt | openssl md5 2openssl rsa -noout -modulus -in privateKey.key | openssl md5 3openssl req -noout -modulus -in CSR.csr | openssl md5https://quicktasks.ismael.casimpan.com/post/renew-from-nginx-to-apache/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/renew-from-nginx-to-apache/ It's quite expected that certificate won't renew as the automation has been broken. What you can do is install the apache version of certbot 1yum install python-certbot-apache and re-issue the certificate 1sudo certbot --apache -d www.example.orghttps://quicktasks.ismael.casimpan.com/post/generate-csr-from-existing-cert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/generate-csr-from-existing-cert/ 1openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.keyhttps://quicktasks.ismael.casimpan.com/post/generate-csr-from-existing-private-key/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/generate-csr-from-existing-private-key/ 1openssl req -out CSR.csr -key privateKey.key -newhttps://quicktasks.ismael.casimpan.com/post/generate-csr-from-private-key/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/generate-csr-from-private-key/ 1openssl req -out CSR.csr -key privateKey.key -newhttps://quicktasks.ismael.casimpan.com/post/generate-selfsigned-cert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/generate-selfsigned-cert/ 1openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crthttps://quicktasks.ismael.casimpan.com/post/getting-ca-bundle-for-comodo-certificates/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/getting-ca-bundle-for-comodo-certificates/ Get it via chat to Comodo, one would pop-up from https://support.comodo.com/index.php?/Knowledgebase/Article/View/1145/1/how-do-i-make-my-own-bundle-file-from-crt-files. Make sure you edit your profile where they could send the information.https://quicktasks.ismael.casimpan.com/post/hardened-ssl-cert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/hardened-ssl-cert/ Apache 1SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 2SSLProtocol All -SSLv2 -SSLv3 3SSLHonorCipherOrder On 4Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 5Header always set X-Frame-Options SAMEORIGIN 6Header always set X-Content-Type-Options nosniff 7# Requires Apache >= 2.4 8SSLCompression off 9SSLSessionTickets Off 10SSLUseStapling on 11SSLStaplingCache "shmcb:logs/stapling-cache(150000)" Nginx 1ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 2ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 3ssl_prefer_server_ciphers on; 4ssl_session_cache shared:SSL:10m; 5# 'always' requires nginx >= 1.7.5, see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header 6add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; 7add_header X-Frame-Options SAMEORIGIN always; 8add_header X-Content-Type-Options nosniff always; 9ssl_session_tickets off; 10ssl_stapling on; # Requires nginx >= 1.https://quicktasks.ismael.casimpan.com/post/install-letsencrypt-ubuntu/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/install-letsencrypt-ubuntu/ 1sudo add-apt-repository ppa:certbot/certbot 2sudo apt-get update 3sudo apt-get install python-certbot-apache 4sudo certbot --apache -d one.example.com -d two.example.com If the above don't work, try this: 1sudo apt-get update 2sudo apt-get install software-properties-common 3sudo add-apt-repository universe 4sudo add-apt-repository ppa:certbot/certbot 5sudo apt-get update 6sudo apt-get install certbot python-certbot-nginx Put the following in root crontab (sudo crontab -e) 130 2 * * * /usr/bin/certbot renew >> /var/log/letsencrypt-renew.log Some details in https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04https://quicktasks.ismael.casimpan.com/post/manually-generate-letsencryp-cert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/manually-generate-letsencryp-cert/ In cases where you don't want to disrupt current production server, this is a good approach 1mkdir /opt/letsencrypt 2cd /opt/letsencrypt 3wget https://dl.eff.org/certbot-auto 4chmod a+x certbot-auto 5sudo ./certbot-auto --apache certonly Sample run as follows: 1[root@687elmp01 letsencrypt]# sudo ./certbot-auto --apache certonly 2Saving debug log to /var/log/letsencrypt/letsencrypt.log 3Plugins selected: Authenticator apache, Installer apache 4Enter email address (used for urgent renewal and security notices) (Enter 'c' to 5cancel): me@example.com 67------------------------------------------------------------------------------- 8Please read the Terms of Service at 9https://letsencrypt.https://quicktasks.ismael.casimpan.com/post/one-liner-csr-creation/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/one-liner-csr-creation/ 1openssl req -new -newkey rsa:2048 -nodes -out this.example.com.csr -keyout this.example.com.key -subj "/C=PH/ST=Cebu/L=Cebu/O=Example Organization Cebu/OU=IT Department/CN=this.example.com" What to use in the "-subj' as per https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one C = Country ST = State/Province L = City O = Organization OU = Organizational Unit CN = Common Name (main domain the certificate would coverhttps://quicktasks.ismael.casimpan.com/post/oneline-letsencrypt-cert-creation/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/oneline-letsencrypt-cert-creation/ 1certbot --apache -d sub1.example.com -d sub2.example.com --agree-tos -m you@example.com --redirect If you're on nginx, use --nginxhttps://quicktasks.ismael.casimpan.com/post/perfect-forward-secrecy-fix/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/perfect-forward-secrecy-fix/ Generate dhparam.pem 1openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 Create /etc/nginx/conf.d/perfect-forward-secrecy.conf since all *.conf in /etc/nginx/conf.d: 1ssl_protocols TLSv1.2; 2ssl_prefer_server_ciphers on; 3ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM"; 45ssl_dhparam /etc/nginx/ssl/dhparam.pem; Reload nginx Test again using the SSLLabs Tool https://www.howtoforge.com/ssl-perfect-forward-secrecy-in-nginx-webserverhttps://quicktasks.ismael.casimpan.com/post/remove-passphrase-from-private-key/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/remove-passphrase-from-private-key/ 1openssl rsa -in privateKey.pem -out newPrivateKey.pemhttps://quicktasks.ismael.casimpan.com/post/chain-issues-ssllabs/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/chain-issues-ssllabs/ This could be an incorrect use of certificates. Make sure to use the following (translate to nginx if you're not using apache) 1SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem 2SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem 3Include /etc/letsencrypt/options-ssl-apache.conf 4SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem In my case, the issue was on SSLCertificateChainFile. Instead of using "chain.pem", I incorrectly used "fullchain.pem".https://quicktasks.ismael.casimpan.com/post/tls-best-practices/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/tls-best-practices/ https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practiceshttps://quicktasks.ismael.casimpan.com/post/unencrypt-private-key/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/unencrypt-private-key/ 1openssl rsa -in encrypted-private.key -out non-encrypted-private.key 2Enter pass phrase for encrypted-private.key: 3writing RSA key See https://knowledge.digicert.com/solution/SO5292.htmlhttps://quicktasks.ismael.casimpan.com/post/weak-deffie-hellman-ratedb-ssllabs/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/weak-deffie-hellman-ratedb-ssllabs/ You can fix it by creating .a 'dhparam' file as follows in nginx: 1cd /etc/ssl/certs 2openssl dhparam -dsaparam -out ./dhparam.pem 4096 NOTE: "-dsaparam" is significant. Otherwise, it would take creation of dhparam.pem almost 24hours or more. See https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours then add this to nginx config 1ssl_dhparam /etc/ssl/certs/dhparam.pem;https://quicktasks.ismael.casimpan.com/post/wildcard-letsencrypt/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/wildcard-letsencrypt/ 1yum install certbot.noarch -y 234certbot -d *.example.com \ 5--manual \ 6--preferred-challenges \ 7dns certonly \ 8--server https://acme-v02.api.letsencrypt.org/directory 910... 11... 12create the TXT DNS record NOTE: In creating the cert, make sure to wait for 5minutes or better check in another terminal session if the txt record is now visible. Otherwise, cert creation will fail. Some details in https://wicowen.github.io/2018-0315-1400-Enable-Lets-encrypt-wildcard-certificate-in-CentOS-7/ In Ubuntu/Debian check https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 130 2 * * * /usr/bin/certbot renew >> /var/log/letsencrypt-renew.