
These notes use the acme.sh console helper https://github.com/Neilpang/acme.sh to handle certificates (no third-party dependencies, pure shell).
Ideally, one of the supported DNS providers should be used so that issuance and renewal are automated: https://github.com/Neilpang/acme.sh/wiki/dnsapi

If you do not have automated access to DNS at the moment, it is still possible to issue a wildcard certificate using the manual DNS challenge.

As root:

Initial run:

acme.sh --dns --issue -d "*.dev.voronenko.net" --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh prints the DNS TXT record you need to add. Once the record is in place, continue with:

acme.sh --dns --issue -d "*.dev.voronenko.net" --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew

Once the certificate is obtained, it can be installed wherever your application expects to find it:

acme.sh --install-cert -d "*.dev.voronenko.net" --cert-file /root/letsencrypt/config/live/dev.voronenko.net/cert.pem --key-file /root/letsencrypt/config/live/dev.voronenko.net/privkey.pem --fullchain-file /root/letsencrypt/config/live/dev.voronenko.net/fullchain.pem --reloadcmd "sudo service nginx restart"
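The manual flow above has two points where it is worth checking before moving on: the second (--renew) invocation only succeeds once the TXT record is actually visible in public DNS, and after --install-cert the files in the target directory should be consistent with each other. The script below is an added example, not part of the original notes or of acme.sh itself; it assumes dig and openssl are installed for the two checks that need them, and uses the domain and paths from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes or from acme.sh): pre-flight and
# post-install checks around the manual DNS challenge flow.
# Assumes dig (dnsutils/bind-utils) and openssl are available; the domain and
# directory below are the ones used in the notes.

# Derive the ACME challenge record name for a domain. A wildcard name
# "*.dev.example" is validated at "_acme-challenge.dev.example".
challenge_name() {
    _d="$1"
    _d="${_d#"*."}"
    printf '_acme-challenge.%s\n' "$_d"
}

# Poll a public resolver until the TXT value printed by acme.sh is visible,
# so the --renew step is only run once validation can succeed.
# Usage: wait_for_txt "*.dev.voronenko.net" "<token printed by acme.sh>" [attempts]
wait_for_txt() {
    _name=$(challenge_name "$1")
    _expected="$2"
    _tries="${3:-30}"
    _i=0
    while [ "$_i" -lt "$_tries" ]; do
        if dig +short TXT "$_name" @1.1.1.1 2>/dev/null | tr -d '"' | grep -qx -- "$_expected"; then
            echo "TXT record for $_name is visible"
            return 0
        fi
        _i=$((_i + 1))
        sleep 10
    done
    echo "TXT record for $_name not visible after $_tries attempts" >&2
    return 1
}

# Verify what --install-cert put in place: all three files exist, the private
# key matches the leaf certificate, the leaf is not close to expiry, and the
# key is not readable by other users.
# Usage: verify_install /root/letsencrypt/config/live/dev.voronenko.net
verify_install() {
    _dir="$1"
    for _f in cert.pem privkey.pem fullchain.pem; do
        [ -s "$_dir/$_f" ] || { echo "missing $_dir/$_f" >&2; return 1; }
    done
    # Compare the SPKI of the certificate with the public half of the key.
    _cert_pub=$(openssl x509 -in "$_dir/cert.pem" -noout -pubkey | openssl sha256)
    _key_pub=$(openssl pkey -in "$_dir/privkey.pem" -pubout 2>/dev/null | openssl sha256)
    [ "$_cert_pub" = "$_key_pub" ] || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
    # -checkend takes seconds; 30 days leaves the renewal job room to act.
    openssl x509 -in "$_dir/cert.pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
        || { echo "cert.pem expires within 30 days" >&2; return 1; }
    if [ -n "$(find "$_dir/privkey.pem" -perm -o+r)" ]; then
        echo "warning: $_dir/privkey.pem is world-readable" >&2
    fi
    echo "certificate in $_dir is installed consistently"
}
```

Source the file and call wait_for_txt with the token acme.sh printed before running the --renew command, then verify_install with the directory you passed to --install-cert; both functions return non-zero on failure so they can gate the next step in a script.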

Ideally, renewal should be automated, which requires a supported DNS API.

Installing by hand (as root)

sudo apt-get install socat
curl https://get.acme.sh | sh

acme.sh --issue --dns dns_aws -d "*.dev.voronenko.net"

Issuing via webroot

acme.sh --issue -d staging.dev.voronenko.net -w /var/www/store/app/

export ACME_DOMAIN=staging.dev.voronenko.net
export PORTAL_SSL_ROOT=/root/letsencrypt/config/live/staging.dev.voronenko.net

acme.sh --install-cert -d "${ACME_DOMAIN}" \
        --cert-file "${PORTAL_SSL_ROOT}/cert.pem" \
        --key-file "${PORTAL_SSL_ROOT}/privkey.pem" \
        --fullchain-file "${PORTAL_SSL_ROOT}/fullchain.pem" \
        --reloadcmd "sudo service nginx restart"