Installing a wildcard certificate on Linux using and a DNS Api

Let’s Encrypt is a certificate authority (CA) that offers free SSL/TLS certificates

Objective: To acquire and install a wildcard SSL/TLS certificate from to a GNU/Linux system with automatic renewal enabled by using a registrar’s DNS API to prove the ownership of the domain. In this case I’m using the Gandi LiveDNS API but the instructions work with other DNS providers with APIs too that have DNS plugins available.


sudo su
git clone
cd ./
./ --install

Get API key from Gandi

Go to and click on “security” and generate an API key and store it in a safe place and export it with

export GANDI_LIVEDNS_KEY="fdmlfsdklmfdkmqsdfkthiskeyisofcoursefake"

Generate the cert

Followed the official DNS API instructions at GitHub.

Now use the staging environment (–test) for the certificate issuing. This will save you on the issuing limits of production platform. --issue --test --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld

Notice that this will fail on the first run but succeed on the second one.

Once the –test finishes successfully you can switch to the production environment by deleting the /root/*.domain.tld-directory (it contains the staging server’s information and will be regenerated with the production server’s info on next run)

rm -rf /root/*.domain.tld

Now run the issuing command twice (it will fail on the first run) just changing –test to –force --issue --force --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld

Install the certificate in some sensible place as the directory structure of /root/ may change in the future.

Certificate deployment instructions for Apache at GitHub --install-cert -d *.domain.tld -d domain.tld \
--cert-file /etc/apache2/*.domain.tld/*.domain.tld.cer \
--key-file /etc/apache2/*.domain.tld/*.domain.tld.key \
--fullchain-file /etc/apache2/*.domain.tld/fullchain.cer \
--reloadcmd "service apache2 force-reload"

Edit Apache configuration to take the SSL/TLS protected site into use

Create a VirtualHost-directive for the SSL/TLS protected site

<VirtualHost *:443>
   SSLEngine on
   SSLCertificateKeyFile /etc/apache2/*.domain.tld/*.domain.tld.key
   SSLCertificateFile /etc/apache2/*.domain.tld/*.domain.tld.cer
   SSLCertificateChainFile /etc/apache2/*.domain.tld/fullchain.cer

Once you are sure that the HTTPS site works redirect requests from the http-site to the HTTPS site with URL rewriting.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Enable forward secrecy in your Apache configuration

Enabling forward secrecy makes users of the site more secure. Instructions by SSLLabs research here at GitHub.

That’s it. The installation added a cronjob to run it daily and it will renew the certificate automatically when it is nearing the end of it’s validity period.


UPDATE 2018-07-16: If you need to use more than one API Key do as follows. This usually occurs when you are hosting sites for many different registrants.

Export the API key if this is the first time you are using that key. If you have already created certificates with this API key the will read it from the config file from the file /root/ --issue --config-home /root/ --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld

First run will fail. Run it again.

Create the target directory for certificate installation.

mkdir /etc/apache2/\*.domain.tld

Now install the certificate

./ --install-cert --config-home /root/ -d *.domain.tld -d domain.tld \
--cert-file /etc/apache2/\*.domain.tld/\*.domain.tld.cer \
--key-file /etc/apache2/\*.domain.tld/\*.domain.tld.key \
--fullchain-file /etc/apache2/\*.domain.tld/fullchain.cer \
--reloadcmd "service apache2 force-reload"

./ --install-cert --config-home /root/ -d *.domain.tld -d domain.tld \ 
--cert-file /etc/apache2/\*.domain.tld/\*.domain.tld.cer \ 
--key-file /etc/apache2/\*.domain.tld/\*.domain.tld.key \ 
--fullchain-file /etc/apache2/\*.domain.tld/fullchain.cer \ 
--reloadcmd "service apache2 force-reload"

Now you are ready to proceed to configure your website’s Apache configuration as described in the original instructions (scroll up).

If you have any improvement suggestions or would just like to say thanks you can use the contact form below.

Translation: Tao Te King – Chapter 2. Becoming perfect

Chapter 2. Becoming perfect

When the world speaks of the beauty of beauty then ugliness is defined in the same.

Painting picturing Laozi looking troubled
Laozi is not totally free of the pain of knowledge but knowing the Tao decreases the pain caused by search for information. PD-life-plus-70

When good is seen as good then evil is also immediately clear.

Thus being and unbeing both awaken each other; same as difficult and easy, distant and near, high and low, sounding and tinkling, head of the troop and the follower.

A wise one deals only with what is unprejudiced.

He teaches without using words; he works effortlessly, he produces without owning; he acts without seeking the fruits of labor; he finishes his tasks without borrowing; and as he does not claim anything to be his, it cannot be said that he would ever lose anything.

Own translation from 1925 Finnish translation by Pekka Ervast (ISBN 951-8995-01-X) with kind permission of Ruusu-Ristin Kirjallisuusseura ry.

Translation: Tao Te King – Chapter 18. Mending

Chapter 18. Mending

Animated .gif showing the right stroke order for writing Tao.
道 Tao. PD by artist Micheletb

When the great Tao has disappeared, charity among people and duty towards one’s kin follows.¹

When wisdom is joined with honor the world is full of those who ask.

When family ties are severed the children’s duties and parents’ spoiling replace them.

When there is lot of arguing among the people “patriots” flourish.

  1. Mr. Ervast: “When people do not have knowledge of the Way they grapple all sorts of external ethics. This chapter is perhaps written against the superficial-materialistic teachings of Confucius.”

Own translation from 1925 Finnish translation by Pekka Ervast (ISBN 951-8995-01-X) with kind permission of Ruusu-Ristin Kirjallisuusseura ry.

Installation of Etherpad

Etherpad logo
Etherpad is a free system for collaborative editing of text documents well suited to both working in parallel and serially. It is provided courtesy of the Etherpad Foundation and the developers

Objective: Install a private instance of secured with TLS encryption and configuring the system to have good level of controll over who gets to see and edit what i.e. to authenticate the users.

Instructions used:

Basic install

Install the dependencies

sudo apt-get install gzip git curl python libssl-dev pkg-config build-essential

You will also need to download and install a working node.js system. The installation manual does recommend against using the version that apt-get installs and go for the downloadable one.

The official Node.js installation guide gives the following instructions for a Debian8:

curl -sL | sudo -E bash -

followed by

sudo apt-get install -y nodejs

Which worked just fine installing the nodejs from

Next create the directory where you want Etherpad to reside and git clone into the source tree

git clone git://

and change directory to there and run




and you should see your Etherpad installation.

TLS encryption with certificates

Let's Encrypt logo
Let’s Encrypt is a free certification authority kindly provided by Internet Security Research Group (ISRG)

Objectives to the accomplished

  1. First I will be getting and installing a new cert for use on which will host an Etherpad instance to fulfill my secure textual collaboration needs safely.
  2. Second I will be replacing the shortly expiring commercial certificate for * So far I know that I can have the old cert still in place and insert the new certs under a subjectAltName. This way the free social media that I host can continue operating normally (hopefully) without any downtime.

How I did it

The definitive instructions from I found only sometime after starting this were very helpful as they almost always are. recommends using

CertBot logo
CertBot is a free cert management solution provided by The Electronic Frontier Foundation (EFF)

CertBot from Electronic Frontier Foundation to automate the installation of LetsEncrypt certificates so I’m doing that.

CertBot takes as arguments your web server and operating system and provides instructions customized by those. is being served by an Apache2.4 on a Debian8.5 so I chose those.

CertBot points to instructions for enabling backports on my system. Which I promptly followed successfully.

Then you naturally need to

sudo apt-get update

before the backports start to work.

After that

sudo apt-get install python-certbot-apache -t jessie-backport

Runs fine and installs a bunch of python candy

Next I ran

sudo certbot --apache

as instructed by CertBot interactive website. That complained that it did not find any ‘ServerName’s in the configuration files which is slightly strange. When answering ‘no’ to the “Do you want to proceed?” question it exited and hinted to specify domain name with the ‘–domains’ switch

sudo certbot --apache --domains

A blue screen comes up that asks for the “emergency” email address. Put one that you will never lose like an address which I’ve used for over 20 yrs now and which is valid for a lifetime.

Next the blue screen asks if you want to have all traffic redirected to TLS encrypted. I chose to allow normal http too.

Program exits and gives good advice to check the installed cert with the awesome free test tool by SSLLabs so I proceeded to do so. Certbot apparently knows its stuff since the site got an ‘A’ rating for the things SSL.

SSLTest rating A
Parasta A-ryhmää / TLS protection rated A by QUALLABS SSL LAB’s free awesome SSLTEST service

Automating renewal of certificates certificates are valid only for 90 days. Probably due to meticulous planning and execution to maximize security so we want to automate the renewal.

Now CertBot site instructs to test automatic renewal arrangement by issuing command

sudo certbot renew --dry-run

and it reports that everything seems to be in order to automate the renewal so I proceeded to do so with

crontab -e

and inserted instructions to run on quiet the renewal script twice a day 12-hours apart. The command to be run is given as

certbot renew --quiet

But that will fail unless run with sudo because it cannot access certain files so you need to set the cronjob as superuser. Type

sudo su

give password and then run

crontab -e

(See here for practical examples of crontab entry syntax). Exit super user account with ctrl-d and you are done automating the renewal of the certs.

The encrypted URL now leads to the default Apache2 on Debian landing page “It works.. blahblahblah…” so I need to make a new VirtualHost directive for the encrypted site in /etc/apache2/sites-enabled/001-hosts which is where I keep the directives.

So I need to figure where the CertBot put the certificate and the key.

CertBot puts the very secret key and the very public certificate in

‘/etc/letsencrypt/live/domain.tld’ and the automagic from the blue screen creates a VirtualHost entry in ‘/etc/apache2/sites-enabled/000-default-le-ssl.conf’. After I made a normal VirtualHost entry in ‘/etc/apache2/sites-enabled/001-sites.conf’ and commented everything out in the 000-default-le-ssl.conf this blog is now available also in TLS protected

Friendly folks at #freenode pointed out that

sudo apachectl -S

is very useful for locating problem points regarding conflicting VirtualHost directives

Next I am going to figure out if the commenting out stuff from 000-default-le-ssl.conf has any adverse effects. It seems the files with lower prefixed number takes precedence.

Next I try to replicate the necessary steps described in this blog post to actually enable

All that was needed to bring up the default Debian/Apache “it works page” over TLS encrypted https was one run of

sudo certbot --apache --domains

and fix the VirtualHost directive to your liking to actually serve your content.

Getting new certs with nginx.

There doesn’t seem to be quite the same level of automation with Nginx hosted sites than the Apache ones.

sudo certbot certonly --webroot -d --webroot-path /var/www/diaspora

Is what I used to successfully get the new certificates in place.

Free services that help the SSL/TLS encryption administrator by @mozilla helps you make your #SSL/#TLS stronger.

Mozilla logo used under clauses of Click pic for credits

Check your TLS strength free with @QualSys