Issue Let’s Encrypt Wildcard Certificate using Certbot

Posted on October 28th, 2019

Let’s Encrypt is a certificate authority (CA) that issues TLS certificates (still commonly called SSL certificates) that browsers trust. What sets it apart is that it issues them free of charge: it verifies, over the ACME protocol, that you control the domain, and then signs the certificate at no cost. Let’s Encrypt has clients for many operating systems and programming languages, and Certbot is the most widely used of them. In this guide, I am going to show you how to issue a Let’s Encrypt wildcard certificate using Certbot.

First of all, let us see how to install Certbot on the server. This guide covers Ubuntu, one of the most popular server operating systems. If you are not using Ubuntu, refer to the official Certbot website (https://certbot.eff.org) for the instructions for your platform.

Install Certbot on Ubuntu

Certbot is easy to install; you do not need much Linux knowledge to install it on a Linux-based operating system.

Before we can start the installation, we have to add the Certbot PPA to the system so that apt can find the package. (The PPA was the recommended method when this was written; Certbot’s website has since moved to recommending the snap package, so check it if the PPA no longer works.) To add the repository, execute the following commands on your server.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update

Now, if you are using Apache as the web server, execute the following command.

$ sudo apt-get install certbot python-certbot-apache

However, if you are using Nginx, execute the following command instead.

$ sudo apt-get install certbot python-certbot-nginx

The installation may take a little while. Once it completes, you can use Certbot to request certificates from Let’s Encrypt. In this case, we will request a wildcard certificate.

How to issue Let’s Encrypt Wildcard Certificate using Certbot

A wildcard certificate is one that covers all the subdomains one label below a given domain. For example, if you have a wildcard certificate for *.example.com, you can use the same certificate on something.example.com, 1.example.com or abc.example.com. Two limits are worth knowing before you request one: the asterisk matches exactly one DNS label, so *.example.com does not cover a.b.example.com, and it does not cover the bare domain example.com itself. If you need either of those, add them as separate names in the request (for example -d example.com -d '*.example.com').
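To make the one-label rule concrete, here is a small shell function, added for this guide and not part of Certbot or of the original post, that decides whether a hostname is covered by a certificate name. The pattern and hostnames at the bottom are constructed examples.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a hostname is
# covered by a certificate name such as *.example.com, following the
# single-label rule browsers apply (RFC 6125): the asterisk stands for exactly
# one DNS label, never for zero labels and never for "a.b".

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# wildcard_covers PATTERN NAME -> exit 0 if NAME is covered by PATTERN, 1 otherwise.
wildcard_covers() {
  pattern=$(lower "$1")
  name=$(lower "$2")
  case $pattern in
    '*.'*) ;;                                   # wildcard name: handled below
    *) [ "$pattern" = "$name" ]; return $? ;;   # plain name: exact match only
  esac
  suffix=${pattern#\*.}                 # "*.example.com" -> "example.com"
  prefix=${name%".$suffix"}             # "www.example.com" -> "www"
  # If nothing was stripped, NAME does not end in ".example.com". This rejects
  # both the bare domain (example.com) and look-alikes (notexample.com).
  [ "$prefix" != "$name" ] || return 1
  case $prefix in
    '' | *.*) return 1 ;;               # empty or multi-label prefix: not covered
  esac
  return 0
}

# Print a one-line verdict for a pattern/name pair.
report() {
  if wildcard_covers "$1" "$2"; then
    echo "$2: covered by $1"
  else
    echo "$2: NOT covered by $1"
  fi
}

# Constructed sample names:
report '*.example.com' 'www.example.com'
report '*.example.com' 'example.com'
report '*.example.com' 'a.b.example.com'
report '*.example.com' 'notexample.com'
```

Only the first sample name is covered; the other three are exactly the cases that surprise people after deploying a wildcard, so it is worth running the names you actually serve through a check like this before requesting the certificate.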

Assuming Certbot is installed on your system, execute the following command on your server.

$ sudo certbot certonly --agree-tos --email [email protected] --manual --preferred-challenges=dns -d '*.example.com' --server https://acme-v02.api.letsencrypt.org/directory

Let us go through the options in this command first. Then we will move on to the next part.

  1. certonly: Only obtain the certificate and save it to disk. Without certonly, Certbot also edits your virtual host configuration to install the certificate, using the Apache or Nginx plugin installed above.
  2. --agree-tos: Agree to Let’s Encrypt’s Subscriber Agreement (terms of service) non-interactively. You can read the agreement on the Let’s Encrypt website.
  3. --email: The contact address registered with your ACME account. Let’s Encrypt uses it for expiry reminders and important notices, and Certbot uses it for account recovery; the certificate itself is stored on your server, not in the account. Replace the address with one you actually read.
  4. --manual: Use the manual authenticator: Certbot prints the challenge and waits for you to satisfy it interactively. The trade-off is that renewal is not automatic. certbot renew cannot complete the DNS challenge for a certificate obtained this way unless you supply --manual-auth-hook (a script that creates the TXT record for you) or switch to a DNS provider plugin such as certbot-dns-cloudflare.
  5. --preferred-challenges: The method used to verify that you control the domain. Let’s Encrypt must verify ownership before issuing anything, and wildcard certificates can only be validated with the DNS-01 challenge (a TXT record), never with HTTP-01, so dns is the required choice here.
  6. -d: The domain names to put on the certificate. Multiple names can be given comma-separated or by repeating -d. Quote the wildcard ('*.example.com') so the shell does not try to expand the asterisk against files in the current directory.
  7. --server: The ACME directory URL to use. Wildcards require ACME v2, which the acme-v02 endpoint provides; Certbot 0.22 and later default to it, so the flag mainly makes the choice explicit. While you are experimenting, use the staging endpoint https://acme-staging-v02.api.letsencrypt.org/directory instead, so that failed attempts do not count against the production rate limits.

When you execute the command, Certbot prints a TXT record value and asks you to create it at the name _acme-challenge.example.com in your DNS zone. Create the record, wait until it is visible from public DNS (Let’s Encrypt queries your authoritative nameservers, so propagation delay and the record’s TTL matter), and only then press Enter. Certbot asks Let’s Encrypt to check the record, and if it matches, the wildcard certificate is issued. If you requested both example.com and *.example.com, you will be prompted for two different TXT values at the same name; leave both in place until issuance completes.
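The step that most often goes wrong is pressing Enter before the record is actually resolvable. The following script, added for this guide and not part of Certbot or of the original post, checks the _acme-challenge name from the zone’s own authoritative nameserver and only reports success once the expected value is served. It assumes dig is installed (the dnsutils or bind9-dnsutils package on Ubuntu); the record name and token value in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post or of Certbot): confirm that the
# _acme-challenge TXT record Certbot asked for is visible in DNS before
# pressing Enter at Certbot's prompt. Plain POSIX sh plus the dig utility.

# txt_values: read `dig +short txt NAME` output on stdin and print one TXT
# value per line with the surrounding double quotes removed.
txt_values() {
  sed -e 's/^"//' -e 's/"$//'
}

# has_value EXPECTED: exit 0 if one of the lines on stdin equals EXPECTED.
has_value() {
  expected=$1
  while IFS= read -r line; do
    [ "$line" = "$expected" ] && return 0
  done
  return 1
}

# challenge_visible NAME EXPECTED [SERVER]: query DNS once. SERVER defaults to
# the zone's first authoritative nameserver, because that is what Let's
# Encrypt's validators consult; a local recursive resolver may still be
# serving a cached negative answer from before the record existed.
challenge_visible() {
  name=$1; expected=$2; server=$3
  if [ -z "$server" ]; then
    zone=${name#_acme-challenge.}
    server=$(dig +short ns "$zone" | head -n 1)
  fi
  dig +short txt "$name" @"$server" | txt_values | has_value "$expected"
}

# wait_for_challenge NAME EXPECTED [TRIES] [SLEEP]: poll until the record
# appears, then exit 0; give up after TRIES attempts (default 60 tries, 10 s apart).
wait_for_challenge() {
  name=$1; expected=$2; tries=${3:-60}; pause=${4:-10}
  i=0
  while [ "$i" -lt "$tries" ]; do
    if challenge_visible "$name" "$expected"; then
      echo "$name now serves $expected; press Enter in Certbot"
      return 0
    fi
    i=$((i + 1))
    sleep "$pause"
  done
  echo "gave up waiting for $name" >&2
  return 1
}

# Usage, with a constructed token standing in for the value Certbot prints:
#   wait_for_challenge _acme-challenge.example.com 'constructed-token-value'
```

Run it in a second terminal with the exact value Certbot displayed, and press Enter in Certbot only after it reports success. Querying the authoritative server rather than a recursive resolver avoids being misled by a cached NXDOMAIN, which is a common reason a record that "looks fine" from your laptop still fails validation.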

The certificate is written under /etc/letsencrypt/live/<name>/ (for this command, /etc/letsencrypt/live/example.com/): fullchain.pem is the certificate followed by the intermediate chain, which is what the web server should serve, privkey.pem is the private key, and cert.pem and chain.pem hold the two parts separately. The files in live/ are symlinks to the newest version in /etc/letsencrypt/archive/, so point your virtual host at the live paths and they stay correct across renewals. Keep privkey.pem readable by root only. If you do not know much about virtual host files, refer to our guides on virtual hosts for the web server you are using.

  1. How to create and use virtual hosts in Apache
  2. How to create and use virtual hosts in Nginx
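As an added example (not from the original post and not generated by Certbot), here is an Nginx server block that uses the files Certbot wrote. It assumes the certificate was requested for both example.com and *.example.com so that the bare domain is covered, that Certbot named the lineage example.com, and that the site’s files live in /var/www/example.com; run sudo certbot certificates to see the real lineage name and paths on your server.

```nginx
# Added example, not from the original post: serve example.com and its
# subdomains with the certificate Certbot stored under /etc/letsencrypt/live.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com *.example.com;

    # Leaf certificate plus intermediate chain, and the matching private key.
    # These are symlinks that Certbot repoints on every renewal.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern protocol versions only; other TLS settings are left at the Nginx
    # defaults on purpose.
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example.com;   # assumed document root
}

# Send plaintext HTTP to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com *.example.com;
    return 301 https://$host$request_uri;
}
```

The Apache equivalent inside a <VirtualHost *:443> block is SSLEngine on, SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem and SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem. After editing, test the configuration (sudo nginx -t, or sudo apachectl configtest for Apache) and reload the server. Renewals replace the files behind the live symlinks but do not restart anything, so the server has to be reloaded after each renewal, for example with a --deploy-hook on the certbot renew command.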

Update the virtual host files as described above to enable the certificate on your domain name. So, this is how you can issue a Let’s Encrypt wildcard certificate. Let us know in the comment section if you are stuck somewhere in the process or just need help issuing a wildcard certificate from Let’s Encrypt using Certbot.

3 Responses to “Issue Let’s Encrypt Wildcard Certificate using Certbot”

  1. Xenial says:

    Thanks for the tutorial.

    Please bear in mind that when deploying a new TXT record, it can take a few hours to propagate.

    I’d suggest opening a second terminal and checking that the new record is publicly available for your domain, i.e.:

    $ dig +short txt _acme-challenge.example.com   # should list the new record once propagated

    Then press enter at the prompt from Certbot here:

    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

    Otherwise, the DNS challenge will fail and you will have to start all over again.

  2. Salan Bernard Khalkho says:

    The tutorial says to update the virtual host files to enable SSL certificate on your domain name.

    But it does not tell how to update the virtual host files to enable SSL certificate on your domain name.

    Could you please elaborate on this???

    • You can update the virtual host files to enable SSL certificate on your domain name. Please contact our support via live chat or ticket system, so we can better assist you directly with any service you have ordered through us.
