Here we use LetsEncrypt (certbot) with the CloudFlare DNS plugin to generate a free, auto-renewing TLS certificate to use with Nginx.
Then we configure Nginx to use that TLS certificate and create a configuration to support multi-tenancy in our applications.
We use a special configuration to capture the value of the subdomain so we can pass it off to our PHP application (or do anything we want, like use dynamic app locations for local development - as described here: https://www.youtube.com/watch?v=SPHxW1C4G6I ).
Install and Configure Certbot
We can start by installing/configuring Certbot. In our case, we'll use the Cloudflare plugin to manage DNS.
Why do we need to manage DNS? Certbot uses a DNS challenge for wildcard subdomains (instead of the HTTP challenge for non-wildcard domains).
# Install certbot on Ubuntu as per
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
We'll run stuff as user root, so we'll configure a location to save credentials to the Cloudflare API.
You'll need to generate an API token in Cloudflare (you can lock them down to be specific to managing one domain's DNS). Docs on that are here.
/root/.secrets/cloudflare.ini and add something like:
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
Then we can generate our wildcard certificate!
# Optionally add --force-renewal if
# a current certificate is generated and
# you want to over-write it
sudo certbot certonly \
--dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
--post-hook "service nginx reload" \
--email your-email-here \
-d *.your-domain.tld \
Check out the video for more details on all of this.