Securing your web applications with HTTPS is not just a best practice—it’s essential. While many developers are familiar with traditional SSL certificates issued for a single domain or subdomain, managing multiple subdomains efficiently can become cumbersome. Fortunately, Let’s Encrypt offers a free and powerful solution: wildcard SSL certificates. These certificates allow you to secure all subdomains under a domain name with a single certificate.
In this step-by-step tutorial, we’ll walk through the process of installing Let’s Encrypt wildcard certificates using the Certbot client and DNS-01 challenge. By the end, you’ll have a scalable setup capable of securing multiple subdomains under one certificate.
What is a Wildcard Certificate?
A wildcard certificate is an SSL certificate that provides HTTPS encryption for all subdomains of a domain. For example, a wildcard certificate for *.example.com can secure:
- www.example.com
- api.example.com
- blog.example.com
- admin.example.com
This eliminates the need to request individual certificates for each subdomain. It’s perfect for large applications, CMS platforms, and multi-tenant environments.
Prerequisites
Before we dive into the commands and configurations, make sure you have the following:
- A registered domain name (e.g., example.com)
- Access to your domain’s DNS management (via your DNS provider)
- A Linux server (most commonly Ubuntu or CentOS)
- A root or sudo-enabled user account
- Certbot installed, together with either a DNS plugin for your provider or the ability to complete manual DNS challenges
Step 1: Install Certbot
Depending on your OS, use the appropriate installation commands. Here’s how to install Certbot on Ubuntu:
sudo apt update
sudo apt install certbot
Some DNS providers offer Certbot plugins such as certbot-dns-cloudflare or certbot-dns-google. These plugins automate the DNS-01 verification process. If your provider doesn’t have a supported plugin, you’ll need to update DNS records manually during verification.
Step 2: Choose Your Challenge Type — DNS-01
Let’s Encrypt verifies domain ownership using challenges. When requesting wildcard certificates, the only supported challenge is DNS-01, which requires you to create a TXT record in your domain’s DNS settings.
This verifies that you control the domain and can manage its DNS records.

Step 3: Create a Certificate Request
To obtain a wildcard certificate manually using Certbot, run the following command:
sudo certbot certonly --manual \
  --preferred-challenges=dns \
  -d "*.example.com" -d example.com
This command tells Certbot to:
- Use manual mode
- Perform a DNS challenge
- Request certificates for both the root domain and all subdomains
Certbot will now prompt you to create a TXT DNS record. For instance, you might see something like this:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

a7Bx98DjflSkf9U7Kdskl3f...

Press Enter to Continue
Adding the DNS Record
Log in to your DNS provider’s dashboard and navigate to the DNS management panel. Create a new TXT record with the following details:
- Record Type: TXT
- Name/Host: _acme-challenge (some providers expect the full name, _acme-challenge.example.com)
- Value: (provided by Certbot)
Wait a couple of minutes to allow for DNS propagation. You can verify the record with a tool such as dig or an online DNS checker. Because the command above requests both *.example.com and example.com, Certbot will ask for two TXT values at the same name; add the second as an additional record rather than overwriting the first. Once the records are visible, press Enter to continue the certificate issuance process.
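The propagation check described above, as an added pre-flight script (not part of Certbot or the original tutorial): it builds the _acme-challenge name and asks several public resolvers directly whether the expected TXT value is visible. The resolver list is an assumption, and dig must be installed (bind9-dnsutils on Ubuntu).

```shell
#!/bin/sh
# Confirm the DNS-01 TXT record is visible at public resolvers before
# pressing Enter in Certbot. Usage: ./check_acme_txt.sh example.com <value>
set -u

RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"   # assumption: any public resolvers will do

# Build the challenge record name. A leading "*." is stripped because the
# record for *.example.com lives at _acme-challenge.example.com.
acme_record_name() {
    base="${1#\*.}"
    printf '_acme-challenge.%s\n' "$base"
}

# Read 'dig +short TXT' output on stdin (one quoted string per line) and
# succeed if any line, with its surrounding quotes removed, equals $1.
txt_output_has_value() {
    expected="$1"
    while IFS= read -r line; do
        line="${line#\"}"
        line="${line%\"}"
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# Query one resolver directly, bypassing the local cache, and test the value.
txt_visible_at() {
    name="$1"; expected="$2"; resolver="$3"
    dig +short +time=3 +tries=1 TXT "$name" "@$resolver" 2>/dev/null \
        | txt_output_has_value "$expected"
}

# Check every resolver; exit 0 only when all of them return the record.
check_all_resolvers() {
    name=$(acme_record_name "$1"); expected="$2"; missing=0
    for r in $RESOLVERS; do
        if txt_visible_at "$name" "$expected" "$r"; then
            echo "OK       $r sees $name"
        else
            echo "MISSING  $r does not (yet) return the expected value for $name"
            missing=1
        fi
    done
    return $missing
}

if [ "$#" -eq 2 ]; then check_all_resolvers "$1" "$2"; fi
```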
Step 4: Automating the Renewal Process
Let’s Encrypt certificates expire every 90 days. When using manual DNS verification, automatic renewal becomes tricky. However, if you leverage a DNS plugin or use an API from your DNS provider, the whole renewal process can be automated.
For example, Cloudflare users can use the certbot-dns-cloudflare plugin:
sudo apt install python3-certbot-dns-cloudflare
Then generate an API token from Cloudflare, scoped to DNS edit rights for this zone only, and save it to an INI file that only your user can read (for example, chmod 600):
dns_cloudflare_api_token = YOUR_API_TOKEN
Then run:
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d "*.example.com" -d example.com
This approach completely automates the authentication and renewal steps!
Step 5: Configure Your Web Server
Once your wildcard certificate is generated and stored (usually in /etc/letsencrypt/live/example.com/), update your web server configuration to use the new certificates. Here’s how to do it for NGINX:
server {
    listen 443 ssl;
    server_name *.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ...
}
Don’t forget to restart NGINX:
sudo systemctl restart nginx
For Apache:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Troubleshooting Common Issues
Here are a few common hiccups and their solutions:
- DNS Propagation Delays: Sometimes it takes time for DNS TXT records to propagate. Use DNS checkers to confirm visibility before proceeding.
- Rate Limits: Let’s Encrypt imposes rate limits for certificate issuance. Avoid frequent, repeated requests for the same domain.
- Wildcard Exclusion: A wildcard matches exactly one label, so it does not cover nested subdomains (e.g., sub.blog.example.com is not covered by *.example.com) or the bare domain itself, which is why the commands above also request example.com.
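The single-label rule behind the wildcard exclusion above, as an added example script (not part of Certbot or the original tutorial): it reports which hostnames the certificate requested in this tutorial (*.example.com plus example.com) actually covers.

```shell
#!/bin/sh
# Decide whether a hostname is covered by a wildcard name such as
# *.example.com: the "*" matches exactly one DNS label, nothing more.
# Usage: ./covered_by.sh www.example.com sub.blog.example.com

# Lower-case and drop one trailing dot so comparisons are canonical.
canon() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Return 0 if $2 (hostname) is covered by $1 (a plain name or *.name).
covered_by() {
    pattern=$(canon "$1"); host=$(canon "$2")
    case "$pattern" in
        \*.*)
            base="${pattern#\*.}"
            # The host must end in ".base" ...
            case "$host" in
                *."$base") ;;
                *) return 1 ;;
            esac
            # ... and what precedes ".base" must be a single non-empty label.
            label="${host%."$base"}"
            case "$label" in
                ''|*.*) return 1 ;;
                *) return 0 ;;
            esac
            ;;
        *)
            [ "$host" = "$pattern" ]
            ;;
    esac
}

# Report, for each hostname given, whether the tutorial's certificate
# (SANs *.example.com and example.com) covers it.
report() {
    for h in "$@"; do
        if covered_by '*.example.com' "$h" || covered_by 'example.com' "$h"; then
            echo "covered      $h"
        else
            echo "NOT covered  $h  (needs its own name on the certificate)"
        fi
    done
}

if [ "$#" -ge 1 ]; then report "$@"; fi
```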
Maintaining Your Certificates
To ensure continued coverage, set up a cron job for renewal. If using a plugin-supported method, this is straightforward:
0 0 * * * /usr/bin/certbot renew --quiet
To reload your web server automatically after a successful renewal, append a deploy hook to the renew command in that cron entry:
--deploy-hook "systemctl reload nginx"
This ensures your server uses the new certificates without downtime.
Final Thoughts
Wildcard SSL certificates from Let’s Encrypt provide a flexible and cost-effective solution to securing multiple subdomains. Though the DNS-01 challenge adds a layer of complexity, it’s well worth the investment of time—especially when automation is correctly configured.
By following this guide, you’ve not only enhanced your application’s security framework, but also ensured scalability for future growth. Whether you’re managing a personal blog network, a SaaS product, or a multi-tenant platform, wildcard certificates keep things simple and secure.
Happy encrypting!