How to install a Wildcard Certificate on Digital Ocean with Let's Encrypt

Add the Certbot repository

$ sudo add-apt-repository ppa:certbot/certbot

Update packages

$ sudo apt-get update

Install Certbot

$ sudo apt-get install python-certbot-apache

Install Digital Ocean Certbot DNS tool

$ sudo apt-get install certbot python3-certbot-dns-digitalocean

Create Digital Ocean API token

Obtain your Digital Ocean API token and save it to ~/.secrets/certbot/digitalocean.ini, e.g.

    # DigitalOcean API credentials used by Certbot
    dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

Create Wildcard cert

    certbot certonly \
         --dns-digitalocean \
         --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \
         -d example.com -d '*.example.com'

The wildcard is quoted so the shell cannot glob-expand it against files in the current directory.
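A pre-flight wrapper for the two steps above, added here as an example (not part of this page, certbot or Digital Ocean's tooling): it refuses a credentials file that anyone but its owner can read, since that token grants full control of your DNS and certbot itself warns about loose permissions, checks the token line's shape, and only then runs the certonly command with the wildcard quoted. The "64 characters or more" rule is an assumption taken from the sample token above.

```shell
#!/bin/sh
# Added example: guard the dns-digitalocean credentials file before use.

# Return 0 when the credentials file is safe to hand to certbot:
#  - it exists and is a regular file
#  - its mode is 600 or 400 (owner-only), the permissions certbot expects
#  - it holds exactly one dns_digitalocean_token line whose value looks
#    like a token (assumption: 64+ chars of [A-Za-z0-9_], as in the sample)
check_do_credentials() {
    f="$1"
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "unsafe permissions $mode on $f (want 600)" >&2; return 1 ;;
    esac
    n=$(grep -c '^[[:space:]]*dns_digitalocean_token[[:space:]]*=' "$f" || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one token line, found $n" >&2; return 1; }
    token=$(sed -n 's/^[[:space:]]*dns_digitalocean_token[[:space:]]*=[[:space:]]*//p' "$f")
    printf '%s' "$token" | grep -Eq '^[A-Za-z0-9_]{64,}$' \
        || { echo "token value does not look like an API token" >&2; return 1; }
    return 0
}

# Request apex + wildcard via DNS-01 through DigitalOcean, as the page does.
# Usage: request_wildcard example.com ~/.secrets/certbot/digitalocean.ini [--dry-run]
# Extra arguments (e.g. --dry-run to use the staging CA) are passed to certbot.
request_wildcard() {
    domain="$1"; creds="$2"; shift 2
    check_do_credentials "$creds" || return 1
    certbot certonly --dns-digitalocean \
        --dns-digitalocean-credentials "$creds" \
        -d "$domain" -d "*.$domain" "$@"
}
```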

Your certs will be saved to /etc/letsencrypt/live/example.com/

Auto configure Apache single name cert

We will replace this certificate later, but the autoconfigure step sets up the Apache SSL virtual host correctly

$ sudo certbot --apache -d example.com

Your certs will be saved to /etc/letsencrypt/live/example.com-0001/

Confirm SSL is enabled

You may need to symlink ssl.load and ssl.conf into your /etc/apache2/mods-enabled/ folder (`sudo a2enmod ssl` creates these links for you)

Update Apache to use Wildcard cert

Open /etc/apache2/sites-available/000-default-le-ssl.conf and modify the paths in SSLCertificateFile and SSLCertificateKeyFile. These should point to your wildcard certs under /etc/letsencrypt/live/example.com/ (fullchain.pem and privkey.pem)

You can confirm which certs are your wildcard by running:

$ certbot certificates

Remove unused certificate

You might also delete the unused single-name cert with `sudo certbot delete ...`

Auto renew certificate

Certs expire every 90 days, so you will need to renew them automatically. Add a cronjob, for example every Sunday at 5:30

$ crontab -e

    # every Sunday at 05:30: renew any certificate that is due, then restart Apache so it loads the new files
    30 5 * * 0 /usr/bin/certbot renew --quiet && /usr/sbin/service apache2 restart