Good, so I was able to achieve a wildcard cert on my VPS over CloudFlare. Several notes:
- There are 2 methods for how domain verification is made: using a .acme file in htdocs for a classic "www/non-www" cert or subdomain, and using an automatic TXT record for _acme-challenge.example.com over the Cloudflare API.
- Freenom.com domains ("You cannot use this API for domains with a .cf, .ga, .gq, .ml, or .tk TLD (top-level domain). To configure the DNS settings for this domain, use the Cloudflare Dashboard.") are not possible to verify using the CloudFlare API (no wildcard cert for free domains). You will see the corresponding error message when running the command with --debug 2 (see more below).
I started with a new site without SSL:
wo site create example.com --php81 --mysql
Enable acme.sh logging in
nano /etc/letsencrypt/config/account.conf
Add these 2 lines:
LOG_FILE="/etc/letsencrypt/config/acme.sh.log"
LOG_LEVEL=2
Make sure you have the latest acme.sh version:
acme.sh --upgrade
Make sure your acme.sh email is the same as your CloudFlare email:
acme.sh --update-account --accountemail email@example.com
I was not able to export the CloudFlare credentials (account, zone, token, api, email...) into account.conf using the export command, so I hardcoded them here while using both "login" methods (the "key-mail" pair as well as the "account-token" pair):
nano /etc/letsencrypt/dnsapi/dns_cf.sh
If you don't know how to get CloudFlare credentials, read this.
Then finally:
acme.sh --issue --dns dns_cf --keylength ec-384 -d example.com -d '*.example.com' --debug 2
Note: All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour (you have 5 attempts per hour).
After the cert is issued, run with the second option "use existing certificate":
wo site update example.com --letsencrypt=wildcard --dns=dns_cf --force
And disable logging in /etc/letsencrypt/config/account.conf
So I have a wildcard cert. I'm curious if it gets auto-renewed.
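As an added example (not code from the post, WordOps or acme.sh), here is a small POSIX shell helper around the same procedure. It refuses up front the Freenom TLDs the post quotes as unsupported by the Cloudflare API, so a doomed attempt does not count against the 5-failures-per-hour validation limit; it checks that the credentials acme.sh's dns_cf hook reads from the environment are present (my understanding of the hook: either CF_Token with CF_Account_ID or CF_Zone_ID, or the legacy CF_Key plus CF_Email) instead of hardcoding them in dns_cf.sh; and it answers the auto-renew question with an openssl expiry check against the issued certificate. The certificate path and the test certificate are constructed placeholders, not WordOps' real layout.

```shell
#!/bin/sh
# Added example: pre-flight and renewal checks for an acme.sh + Cloudflare
# DNS-01 wildcard issuance. Not part of the post or of any project.

# TLDs the Cloudflare API refuses (quoted in the post). Trying dns_cf on
# these only burns the 5-failures-per-hour validation budget.
CF_API_BLOCKED_TLDS="cf ga gq ml tk"

# is_cf_api_eligible DOMAIN -> 0 if dns_cf can manage the zone, 1 otherwise
is_cf_api_eligible() {
    tld=${1##*.}
    for blocked in $CF_API_BLOCKED_TLDS; do
        [ "$tld" = "$blocked" ] && return 1
    done
    return 0
}

# have_cf_credentials -> 0 if the dns_cf hook's environment variables are
# set (scoped token + account or zone id, or legacy global key + e-mail).
# Assumption about the hook: these are the names it reads.
have_cf_credentials() {
    if [ -n "${CF_Token:-}" ]; then
        [ -n "${CF_Account_ID:-}" ] || [ -n "${CF_Zone_ID:-}" ] && return 0
    fi
    [ -n "${CF_Key:-}" ] && [ -n "${CF_Email:-}" ] && return 0
    return 1
}

# build_issue_cmd DOMAIN -> prints the issuance command (does not run it),
# or returns 1 before any validation attempt is spent
build_issue_cmd() {
    d=$1
    if ! is_cf_api_eligible "$d"; then
        echo "refusing: .${d##*.} zones cannot be managed via the Cloudflare API" >&2
        return 1
    fi
    if ! have_cf_credentials; then
        echo "refusing: export CF_Token and CF_Account_ID (or CF_Key and CF_Email) first" >&2
        return 1
    fi
    printf "acme.sh --issue --dns dns_cf --keylength ec-384 -d %s -d '*.%s'\n" "$d" "$d"
}

# cert_needs_renewal CERT_PEM DAYS -> 0 if the certificate expires within
# DAYS (or cannot be read, which is treated as "needs attention"), 1 if it
# is still valid beyond that window. Useful as a cron sanity check that
# acme.sh's own renewal actually happened.
cert_needs_renewal() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_PEM DAYS -> constructed self-signed EC P-384 cert for
# offline testing only; a real deployment checks the issued fullchain.pem
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
        -keyout "${1%.pem}.key" -out "$1" -days "$2" \
        -subj "/CN=example.com" >/dev/null 2>&1
}

# Usage (placeholder path; adjust to where your cert actually lives):
#   build_issue_cmd example.com
#   cert_needs_renewal /etc/letsencrypt/live/example.com/fullchain.pem 30 \
#       && echo "cert expires within 30 days: renewal did not run"
```

The expiry check is the cheap way to confirm the auto-renew question: acme.sh renews at around 60 days by default, so a certificate that is within 30 days of expiry means the renewal cron did not fire or the DNS hook failed, and the acme.sh.log enabled earlier in the post is where to look.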