Wildcard certificates with Google Domains

Wildcard certificates

If you have multiple services running on your server and need certificates for each of them, it is often easier to obtain a single certificate for *.domain.com than individual certificates for servicea.domain.com and serviceb.domain.com, and there is only one key to manage. Two caveats: Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so certbot needs API access to the DNS zone (which is what the Google Domains plugin provides), and a single private key shared by every service means any host that holds it can impersonate all of your subdomains, so keep it on the reverse proxy rather than copying it around.
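Before relying on one wildcard certificate, it helps to know exactly which names it covers: browsers apply the RFC 6125 rule, under which `*.domain.com` matches `www.domain.com` but not the apex `domain.com` and not a nested name like `a.b.domain.com`. The following POSIX shell function is an added example (not from the original post) that implements that rule so you can check a planned server_name list against the names you intend to request; the hostnames in it are made up.

```shell
#!/bin/sh
# wildcard_matches PATTERN HOST
# Returns 0 if HOST is covered by the certificate name PATTERN, 1 otherwise.
# Rules (RFC 6125 section 6.4.3, as enforced by browsers):
#   - '*' may only appear as the entire leftmost label;
#   - it matches exactly one label, so '*.domain.com' covers
#     'www.domain.com' but not 'domain.com' or 'a.b.domain.com';
#   - comparison is case-insensitive; a trailing dot is ignored.
wildcard_matches() {
    wm_pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    wm_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    wm_pattern=${wm_pattern%.}
    wm_host=${wm_host%.}

    case "$wm_pattern" in
        '*.'*)
            wm_suffix=${wm_pattern#\*.}            # everything after '*.'
            case "$wm_suffix" in *\**) return 1 ;; esac   # second '*' is invalid
            case "$wm_host" in
                *".$wm_suffix") ;;                 # host ends in ".suffix"
                *) return 1 ;;
            esac
            wm_left=${wm_host%".$wm_suffix"}       # the part the '*' must match
            [ -n "$wm_left" ] || return 1          # apex: nothing for '*' to match
            case "$wm_left" in
                *.*) return 1 ;;                   # more than one label: not covered
                *)   return 0 ;;
            esac
            ;;
        *\**)
            return 1                               # wildcard anywhere else is rejected
            ;;
        *)
            [ "$wm_pattern" = "$wm_host" ]         # plain name: exact match only
            ;;
    esac
}

# cert_covers HOST NAME...
# Returns 0 if any NAME (the certificate's SAN entries) covers HOST.
cert_covers() {
    cc_host=$1
    shift
    for cc_name in "$@"; do
        if wildcard_matches "$cc_name" "$cc_host"; then
            return 0
        fi
    done
    return 1
}

# Usage: check the names you plan to serve against the SANs you will request.
# (hostnames below are constructed for the example)
for h in servicea.domain.com serviceb.domain.com domain.com a.b.domain.com; do
    if cert_covers "$h" '*.domain.com'; then
        echo "$h: covered"
    else
        echo "$h: NOT covered by *.domain.com"
    fi
done
```

Running it shows that the apex and any second-level subdomain are not covered; if you serve those, request them explicitly (add `-d 'domain.com'`) or issue a separate certificate for them.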

Google Domains

We assume you already have a *.domain.com A record in Google Domains. I'm using Dynamic DNS with ddclient.

Certbot

We'll use certbot and its Google Domains plugin. It's better to install certbot via pip into its own virtualenv than from distribution packages, so we get a current version. Create the venv as root and install into it with the venv's own pip (the original instructions referenced a non-existent bin/enable script; the activation script is bin/activate, but calling the venv's pip directly avoids activation entirely):

sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Then install the DNS plugin into the same venv:

sudo /opt/certbot/bin/pip install certbot-dns-google-domains

Create a file /etc/letsencrypt/dns_google_domains_credentials.ini, owned by root and readable only by root (chmod 600), since the token it holds grants write access to your DNS zone, and fill it with

dns_google_domains_access_token = <token>

You can get the token from Google Domains -> Security -> ACME DNS API -> Create token

Run certbot with the command below. Note that *.domain.com does not cover the bare domain; add a second -d 'domain.com' if the apex should be on the same certificate.

certbot certonly --authenticator 'dns-google-domains' \
                 --dns-google-domains-credentials '/etc/letsencrypt/dns_google_domains_credentials.ini' \
                 --server 'https://acme-v02.api.letsencrypt.org/directory' \
                 --dns-google-domains-zone 'domain.com' \
                 -d '*.domain.com'

Make sure you update your NGINX configuration to use the new certificate; certbot writes it under /etc/letsencrypt/live/<name>/ as fullchain.pem and privkey.pem. Certbot's renewal timer will renew the certificate automatically, but NGINX only picks up the new files on reload, so pass --deploy-hook 'systemctl reload nginx' to the command above (or add it to the renewal config) so that renewals actually take effect.
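As an added example (not from the original post), here is one way to lay out the NGINX side so that every service shares the single wildcard certificate. It assumes certbot stored the lineage under /etc/letsencrypt/live/domain.com/ (certbot names the directory after the first requested name with the leading *. removed; run `certbot certificates` if yours differs), and the backend ports are made up.

```nginx
# /etc/nginx/snippets/wildcard-tls.conf
# Shared TLS settings, included by every server block below.
ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
ssl_protocols       TLSv1.2 TLSv1.3;

# /etc/nginx/sites-enabled/services.conf
server {
    listen 443 ssl;
    server_name servicea.domain.com;
    include snippets/wildcard-tls.conf;
    location / {
        proxy_pass http://127.0.0.1:8001;   # hypothetical backend
    }
}

server {
    listen 443 ssl;
    server_name serviceb.domain.com;
    include snippets/wildcard-tls.conf;
    location / {
        proxy_pass http://127.0.0.1:8002;   # hypothetical backend
    }
}

# Catch-all for any other *.domain.com name. Because the wildcard certificate
# is valid for every subdomain, a stray name would otherwise be served by the
# first server block above; closing the connection instead makes the set of
# exposed services explicit.
server {
    listen 443 ssl default_server;
    server_name _;
    include snippets/wildcard-tls.conf;
    return 444;
}
```

Keeping the certificate paths in one snippet means a future change (a second lineage, a new key) is a one-line edit, and the default_server block makes sure the wildcard does not silently widen what the proxy answers for.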

TL;DR (auto-generated with llama3.2:1b)


The post discusses how to obtain a wildcard certificate for a domain hosted at Google Domains using certbot and its Google Domains DNS plugin, and how to install it in NGINX. It covers the following steps:

  1. Install certbot via pip.
  2. Create credentials file for Google Domains DNS API with an access token.
  3. Run certbot to obtain a certificate, specifying the Google Domains zone and wildcard domain.
  4. Update NGINX configurations to use the new certificate.

The post provides a step-by-step guide and assumes familiarity with Python and certbot tools.