Use a Wildcard Let's Encrypt Certificate with Vultr Load Balancer

Introduction

Let's Encrypt is an automated, open certificate authority that offers free TLS/SSL certificates for the public's benefit. The service is provided by the Internet Security Research Group (ISRG). This tutorial describes how to install a wildcard Let's Encrypt SSL certificate using certbot on a Vultr Load Balancer.

Overview

The high-level steps for this tutorial are:

Install certbot on a workstation.
Request a wildcard certificate using the DNS method.
Copy the certificate information from the cert files into the Vultr Load Balancer dashboard in the Customer Portal.

You will need a UNIX-like operating system to install certbot.

Step 1: Install certbot

Install certbot according to the instructions for your platform.

Step 2: Request Wildcard Certificate

Run certbot with the certonly and --manual options. Replace example.com with your domain. The domain is listed twice, once for the bare domain, and once for the wildcard. If you are not using the bare domain URL (https://example.com), you can omit that value and only request the wildcard.

# certbot certonly --manual -d *.example.com -d example.com -m admin@example.com --agree-tos

Press Y or N + ENTER to share your email address with the EFF.

Would you be willing to share your email address ... 
(Y)es/(N)o: Y

Press Y + ENTER to verify you agree to have your IP address logged.

Are you OK with your IP being logged? 
(Y)es/(N)o: Y

The certbot wizard will print instructions to add a TXT record to your domain's DNS. For example:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

The certbot wizard will pause at this point. Do not press ENTER until you've completed the DNS steps below.

Use a web browser to:

Navigate to your DNS provider.
Add the TXT record shown by certbot to your domain's DNS.

Test that the TXT record is propagated properly. Popular ways to test the TXT record include dig and the dnschecker.org website. Replace example.com with your name in these examples:

To test with dig, open another terminal window and lookup the domain record, replacing example.com with your domain. Verify that the value returned is correct.
```
# dig +short TXT _acme-challenge.example.com
"U5Y4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxN914"
```
To use dnschecker.org, navigate to the URL, replacing example.com with your domain. Verify that the value returned is correct.
```
https://dnschecker.org/#TXT/_acme-challenge.example.com
```

In the propagation test, when you see the correct TXT record, return to the certbot wizard and press ENTER to continue. If the certificate challenge succeeds, certbot will report the location of the new certificate files.

...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem

Step 3: Install Certificate

Navigate to your load balancer dashboard in the Customer Portal.
Click the three-dot menu icon for your load balancer, them click Manage.
Click the Configuration tab.
Click SSL Certificate in the left menu.
Copy the contents of your certificate files into the fields.
- Copy privkey.pem to the Private Key field.
- Copy cert.pem to the Certificate field.
- Copy chain.pem to the Certificate Chain field.
When you are finished, it should look like this example. Click Save changes.
The form will update and display an encrypted certificate. The certificate will be ready to use in 60 seconds.