Using Let's Encrypt for WildCard

This document shows you how to generate a free WildCard certificate using Let's Encrypt that you can use on a Nginx server and/or a Palo Alto Networks firewall for things like GlobalProtect.

App-ID

Remember, if you have a Palo Alto Networks firewall, the acme.sh script traffic is identified as acme-protocol.

Also remember that all SSL traffic to https://cloudflare-dns.com/ is identified as dns-over-https (including normal web browsing).

DNS API - CloudFlare

For this to work, you will need a public domain such as jbstafford.co.uk. Regardless of who the registrar is, this guide assumes that the domain's nameservers have been moved to CloudFlare.

You will need to create an “API Token” in CloudFlare.

  1. Click “API Tokens”
  2. Click “Create Token”
  3. Click “Use template” on the template line marked “Edit zone DNS”
  4. Set
    1. Permissions = Zone DNS Edit.
    2. Zone Resources = Include Specific zone domain.local (your own domain).
    3. IP Address Filtering = You can add the subnet of your public IP range to restrict where the token can be used from.
    4. TTL = You can set a start and end date on the token.
    5. Click “Continue to summary”
  5. Click “Create Token”
  6. You will see your token displayed. Copy it somewhere safe and keep it secret. Treat it like a password.
  7. You can verify that the token works by running the curl command that is also listed on the screen. The command as shown is meant to be run from a Linux shell.

Install acme.sh

acme.sh is the script that will run in the background and renew the certificate automatically.

SSH to your Linux server and run the following commands

cd /tmp/
git clone https://github.com/Neilpang/acme.sh.git

Install acme.sh to /root/.acme.sh with the following commands

sudo -i
touch /root/.bashrc
cd /tmp/acme.sh/
acme.sh --install --accountemail your-email-id@gmail.com

Generate the WildCard with the following commands as root

export CF_Token="Your_Cloudflare_DNS_API_Key_Goes_here"
acme.sh --issue --dns dns_cf --keylength 4096 -d jbstafford.co.uk -d '*.jbstafford.co.uk'  # quote the wildcard so the shell does not glob-expand it

You can enforce OCSP stapling by using this command instead

acme.sh --issue --dns dns_cf --ocsp-must-staple --keylength 4096 -d jbstafford.co.uk -d '*.jbstafford.co.uk'  # quote the wildcard so the shell does not glob-expand it

This will create the key and certificate in /root/.acme.sh/jbstafford.co.uk.

Install Let's Encrypt WildCard in Palo Alto Networks Firewall

To install the certificate on a firewall, you will need the username and password of a user on the firewall that has API permissions to import and commit. Instructions on how to do that are elsewhere.

You will need to edit /root/.acme.sh/deploy/panos.sh and set the following lines at the top.

export PANOS_USER="letsencryptapiusername"
export PANOS_PASS="thepassword"
export PANOS_HOST="192.168.1.1"

Then run the following command to deploy the certificate. It imports the certificate into the firewall and commits; the certificate name will match the domain name. After the first commit, you can point your SSL/TLS Service Profiles at it. The --insecure flag makes acme.sh skip verification of the firewall management interface's own certificate, which is normally self-signed and not trusted by the Linux host.

acme.sh --deploy -d jbstafford.co.uk --deploy-hook panos --insecure

Install Let's Encrypt WildCard on Nginx

This assumes the web server is on a separate machine from the Linux host generating the certificates.

Create a dedicated user account on the other web server and give it permissions to write to /etc/nginx/certs (you may need to create this directory).

Make sure that the root user can SSH into the web server as the new user without a password (i.e. with an SSH key).

Edit /root/.acme.sh/deploy/ssh.sh and set the following:

export DEPLOY_SSH_USER="certusername"  # required
export DEPLOY_SSH_SERVER="192.168.1.1"  # defaults to domain name
export DEPLOY_SSH_KEYFILE="/etc/nginx/certs/keyfile.pem"
export DEPLOY_SSH_CERTFILE="/etc/nginx/certs/certfile.pem"

Run the following to deploy. It may fail the first time because the certificate files do not exist yet; run it again.

acme.sh --deploy -d jbstafford.co.uk --deploy-hook ssh

Note: you will need to take the intermediate certificate from the chain (acme.sh writes it as ca.cer in the domain directory) and put it in /etc/nginx/certs/intermediate.pem on the web server.

Then run the following on the web server after the cert is created/renewed

cat /etc/nginx/certs/intermediate.pem >> /etc/nginx/certs/certfile.pem
systemctl restart nginx
curl www.jbstafford.co.uk
curl jbstafford.co.uk

The last two lines above (curl) make sure the page is requested at least once after Nginx restarts. This triggers Nginx to fetch the OCSP response it staples. If you skip this, the first Firefox user to visit the site gets an error; when they refresh, the error vanishes.

You will also need to get the full chain of the certificate (including the root) and put it in /etc/nginx/certs/chain.pem, and update your /etc/nginx/sites-available files with the following

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/chain.pem;
resolver 8.8.8.8;
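The manual steps in this section (append the intermediate, restart Nginx, request the site once) are easy to get half-done, and Nginx will happily restart with a key that does not match the certificate. The script below is an added example for the web server, not part of the original page or of acme.sh: before restarting Nginx it checks that keyfile.pem and certfile.pem belong together, that the certificate still has at least a week of validity, that its subject alternative names cover both the apex domain and the wildcard, and that the intermediate has actually been appended. File names and paths follow the page; CERT_DIR, SITE, the --run switch and the function names are this example's own assumptions.

```bash
#!/bin/sh
# Added example (not from the original wiki page or from acme.sh): pre-flight
# checks for the Nginx host before a renewed certificate is put into service.
# Paths and file names follow the page; CERT_DIR, SITE, --run and the function
# names are this example's assumptions.

CERT_DIR="${CERT_DIR:-/etc/nginx/certs}"
SITE="${SITE:-jbstafford.co.uk}"

# 0 when the public key inside the certificate equals the private key's public
# half, i.e. keyfile.pem ($1) and certfile.pem ($2) were deployed as a pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate stays valid for at least $2 seconds (default 7 days);
# catches a deploy that copied an old, about-to-expire certificate.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null 2>&1
}

# 0 when $2 appears as a DNS entry in the certificate's subjectAltName.
# A wildcard issued with "-d example.com -d '*.example.com'" must list both.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fxq "DNS:$2"
}

# Number of PEM certificate blocks in a file. After the page's
# "cat intermediate.pem >> certfile.pem" step there should be at least two.
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Run every check against a certificate directory; say why and return 1 on
# the first failure instead of letting Nginx restart with a broken pair.
validate_deploy() {
    dir="${1:-$CERT_DIR}"; site="${2:-$SITE}"
    key="$dir/keyfile.pem"; cert="$dir/certfile.pem"
    key_matches_cert "$key" "$cert" \
        || { echo "key and certificate do not match" >&2; return 1; }
    cert_not_expiring "$cert" \
        || { echo "certificate expires within 7 days" >&2; return 1; }
    cert_covers_name "$cert" "$site" && cert_covers_name "$cert" "*.$site" \
        || { echo "certificate does not cover $site and *.$site" >&2; return 1; }
    [ "$(pem_cert_count "$cert")" -ge 2 ] \
        || { echo "intermediate not appended to $cert" >&2; return 1; }
}

# Restart Nginx only after validation, then request the site once so Nginx
# fetches an OCSP response before the first real (Firefox) visitor arrives.
restart_and_prime() {
    validate_deploy "$CERT_DIR" "$SITE" || return 1
    systemctl restart nginx || return 1
    curl -s -o /dev/null "https://$SITE/" "https://www.$SITE/"
}

# Only act when invoked explicitly:  sh post_deploy_check.sh --run
if [ "${1:-}" = "--run" ]; then
    restart_and_prime
fi
```

Run it as root on the web server after the acme.sh ssh deploy and the intermediate append (`sh post_deploy_check.sh --run`); it refuses to restart Nginx and prints the reason when any check fails. Note that openssl reads only the first certificate in certfile.pem, so the checks apply to the leaf even after the intermediate has been appended.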

Firefox users can permanently work around the problem by setting the following to false.

about:config > security.ssl.enable_ocsp_must_staple

Refresh Certificates

sudo su -
cd /root/.acme.sh/jbstafford.co.uk/
acme.sh --issue --dns dns_cf --keylength 4096 -d jbstafford.co.uk -d '*.jbstafford.co.uk' --force
acme.sh --deploy -d jbstafford.co.uk --deploy-hook panos --insecure
acme.sh --deploy -d jbstafford.co.uk --deploy-hook ssh

On Piglet (the Nginx web server)

sudo chown root:root /etc/nginx/certs/*
sudo systemctl restart nginx

certificates/lets_encrypt_wildcard.txt · Last modified: by bstafford