03.07.2024

How to Issue a Wildcard Let's Encrypt SSL Certificate


Wildcard SSL certificates secure your main domain and all its subdomains. With Let's Encrypt and Certbot, issuing one is free and simple. In this guide, we’ll walk you through the process step by step.

What is a Wildcard SSL Certificate?

A wildcard SSL certificate protects all subdomains of a domain. For example, a wildcard certificate for *.example.com secures www.example.com, blog.example.com, and others. This is perfect for websites with multiple subdomains.

Prerequisites

Before starting, ensure you have:

  • A registered domain name (e.g., example.com).
  • Access to your DNS management panel to configure DNS records.
  • Certbot installed on your system.

To install Certbot, run:

sudo apt update
sudo apt install certbot python3-certbot-dns-cloudflare

You can replace cloudflare with your DNS provider's plugin if you use a different DNS service.

Step 1: Install the DNS Plugin

To issue wildcard certificates, Certbot needs to update your DNS records. Install the plugin for your DNS provider:

  • Cloudflare: python3-certbot-dns-cloudflare
  • Google: python3-certbot-dns-google
  • AWS Route 53: python3-certbot-dns-route53

Refer to Certbot DNS plugins documentation for more providers.

Step 2: Obtain Your DNS API Credentials

For automated DNS record updates, you’ll need API credentials from your DNS provider.

  • For Cloudflare, generate an API token from the Cloudflare dashboard under “API Tokens.” Ensure it has DNS edit permissions.
  • For Google Cloud, use a service account key with the proper permissions.

Save your API credentials in a secure file, for example:

mkdir -p ~/.secrets/certbot   # the directory must exist before the redirect below
echo "dns_cloudflare_api_token = YOUR_API_TOKEN" > ~/.secrets/certbot/cloudflare.ini
chmod 600 ~/.secrets/certbot/cloudflare.ini

Replace YOUR_API_TOKEN with your actual token.

Step 3: Request the Wildcard Certificate

Now, run Certbot with the DNS plugin to request your wildcard certificate.

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  -d "*.example.com" -d "example.com"

  • --dns-cloudflare: Specifies the DNS plugin.
  • --dns-cloudflare-credentials: Points to your API token file.
  • -d "*.example.com": Requests the wildcard certificate. Include -d "example.com" to secure the root domain too.

Step 4: Verify and Complete

Certbot will use the API to update your DNS records for validation. If successful, you’ll see:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem

Step 5: Configure Your Web Server

Update your web server configuration (e.g., Nginx or Apache) to use the new certificate.

For Nginx, edit your domain’s configuration file:

server {
  listen 443 ssl;
  server_name example.com *.example.com;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

Reload Nginx to apply changes:

sudo systemctl reload nginx

Step 6: Automate Renewal

Let’s Encrypt certificates expire in 90 days. Automate renewal with a cron job:

sudo crontab -e

Add this line:

0 0 * * * certbot renew --quiet && systemctl reload nginx

This runs certbot renew every day at midnight; Certbot only replaces certificates that are due for renewal, and Nginx is reloaded afterwards so it picks up the new files.
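The credentials step (Step 2) and the renewal step (Step 6) together, as an added example that is not part of the original post: a POSIX shell helper that creates the Cloudflare credentials file without any window in which it is readable by others, refuses to proceed if the file's permissions are wrong, and prints a certbot invocation that uses --deploy-hook so Nginx is reloaded only when a certificate actually changes. The domain example.com, the ~/.secrets/certbot path, the 30-second propagation wait and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the credentials step
# (Step 2) and the renewal step (Step 6). Paths and the domain are assumptions.
set -eu

# Create the credentials file so it is never readable by others, not even
# briefly: directory 0700, file created under umask 077 rather than chmod'ed
# afterwards. The token is read from stdin so it stays out of the command
# line and the shell history.
write_cloudflare_credentials() {
    dir=$1                       # e.g. ~/.secrets/certbot
    file="$dir/cloudflare.ini"
    token=$(cat)                 # token arrives on stdin
    [ -n "$token" ] || { echo "empty token" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    (umask 077 && printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file")
    echo "$file"
}

# Refuse to run certbot against a credentials file that is missing, has
# permissions other than 0600, or does not contain the expected key.
check_credentials_file() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    [ -n "$(find "$file" -perm 600)" ] || { echo "$file must be mode 0600" >&2; return 1; }
    grep -q '^dns_cloudflare_api_token *= *.' "$file" || { echo "no token in $file" >&2; return 1; }
}

# Print the certbot invocation for wildcard + apex. --deploy-hook runs only
# when a certificate is actually issued or renewed, so the cron entry can be
# plain "certbot renew --quiet" instead of reloading Nginx every day.
certbot_wildcard_cmd() {
    domain=$1
    creds=$2
    cat <<EOF
sudo certbot certonly \\
  --dns-cloudflare \\
  --dns-cloudflare-credentials $creds \\
  --dns-cloudflare-propagation-seconds 30 \\
  -d "*.$domain" -d "$domain" \\
  --deploy-hook "systemctl reload nginx"
EOF
}

if [ "${1:-}" = "run" ]; then            # usage: printf '%s' "\$TOKEN" | sh setup.sh run
    f=$(write_cloudflare_credentials "$HOME/.secrets/certbot")
    check_credentials_file "$f"
    certbot_wildcard_cmd example.com "$f"
fi
```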

Simplify Your Operations with Akmatori

Tired of managing incidents and alerts manually? Try Akmatori, an AIOps platform that automates alert handling. Prevent on-call burnout, reduce downtime, and streamline troubleshooting.

Reliable Hosting with Gcore

Get affordable and reliable virtual machines or bare-metal servers worldwide from Gcore. Enjoy low latency, top-notch performance, and global availability for your projects.

Conclusion

Issuing a Let's Encrypt wildcard SSL certificate with Certbot is straightforward. With proper setup, you can secure your domain and subdomains for free. Automate renewal to ensure your certificates stay valid.

Try Akmatori and Gcore to enhance your operations and hosting. Secure your infrastructure today!

Maximize your website or application's performance and reliability!