Obtaining wildcard certificates from Let's Encrypt

In 2017, I wrote a post on how to set up Let’s Encrypt certificates together with NGINX. Back then, Let’s Encrypt hadn’t added support for wildcard certificates. Although it’s not a big issue, it does mean you have to generate a new certificate each time you want to add a new subdomain to the certificate. Earlier this year, Let’s Encrypt finally added support for wildcard certificates, so I recently switched to a wildcard certificate. This blog post documents how I did that.


To be able to issue wildcard certificates, the ACME v2 standard was introduced. If you have previously installed certbot (like me), you need to make sure the version number is 0.22.0 or above in order to support ACME v2. In addition, the only challenge type supported for obtaining wildcard certificates is the DNS challenge. This is accomplished by adding a special DNS record to the domain, which means you need to use a DNS provider that offers API access. Personally, I’m using Cloudflare. A list of supported DNS providers is available here. Besides using a supported DNS provider, you also need to install an extra package on your system, because the DNS plugins for certbot don’t come with the standard installation. I ran the following commands (on CentOS 7) to do this:

$ sudo yum update certbot
$ sudo yum install python2-certbot-dns-cloudflare

Another thing you need to do is to obtain an API key for manipulating DNS records. For Cloudflare, I obtained the key from the website and stored the information in a file with the following format. Remember to set the file permissions to 600 (read/write by the owner only) to protect your key.

dns_cloudflare_email = <YOUR-EMAIL>
dns_cloudflare_api_key = <YOUR-KEY>

Getting the certificate

With those preparations done, you are all set to obtain the wildcard certificate. Simply issue the following command:

$ sudo certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials /path/to/key \
    --dns-cloudflare-propagation-seconds 10 \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -d '*.example.com'

Here I’m enabling the Cloudflare DNS plugin with --dns-cloudflare. If you are using another provider, change the flags accordingly. Note that you must provide the server address in order to connect to the ACME v2 API. Another thing to note is that a certificate for *.example.com doesn’t cover example.com itself. If you intend to support your root domain as well, make sure you pass an additional -d parameter for the root domain. If everything goes well, you should pass the DNS challenge and obtain the certificate. Please check my previous post if you want to use the certificate with NGINX.


In conclusion, I described how you can obtain a wildcard certificate from Let’s Encrypt. As I mentioned, there are a few things that you need to pay attention to in order to successfully obtain the right certificate. I hope you find my post helpful.

