How to Get a Let's Encrypt Wildcard Certificate
A wildcard cert (*.example.com) covers all subdomains with a single certificate. Let's Encrypt issues wildcards only via the DNS-01 challenge (HTTP-01 does not work). You need API access to the DNS provider to automatically add the _acme-challenge TXT record. Supported by certbot plugins: Cloudflare, Route53, DigitalOcean, dozens more.
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- Pick a DNS provider with a certbot plugin (Cloudflare, Route53, Gandi, DigitalOcean)
- Install the plugin:
apt install python3-certbot-dns-cloudflare - Create a credentials file with an API token (chmod 600)
- Run:
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare.ini -d "*.example.com" -d example.com - Cert lands in /etc/letsencrypt/live/example.com/ — fullchain.pem + privkey.pem
- Enable auto-renew:
systemctl enable --now certbot.timer - Verify: Enterno SSL checker for any subdomain
Working Examples
| Scenario | Config |
|---|---|
| Cloudflare credentials | dns_cloudflare_api_token = YOUR_TOKEN_HERE |
| Route53 (AWS) | certbot --dns-route53 -d "*.example.com" -d example.com |
| Manual DNS-01 (any DNS) | certbot certonly --manual --preferred-challenges dns -d "*.example.com" |
| Force renew | certbot renew --force-renewal --cert-name example.com |
| deploy-hook for nginx reload | certbot renew --deploy-hook "systemctl reload nginx" |
Common Pitfalls
- HTTP-01 challenge does NOT work for wildcards — DNS-01 only
- Wildcard does not cover the apex (*.example.com ≠ example.com). Add both with -d
- API token with minimum permissions (DNS:Edit zone only, not Account:Read)
- Let's Encrypt rate limit: 5 duplicate certs per week. Force renewal counts as new
- Manual DNS-01 does not support auto-renewal — use a plugin or switch to a provider with API
Why teams trust us
How it works
Enter domain
TLS chain verified
Expiry date & vulnerabilities
What Does the SSL Check Cover?
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Certificate Details
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Chain of Trust
Full chain verification: from leaf certificate through intermediates to root CA.
TLS Analysis
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Expiry Alerts
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
DV vs OV vs EV Certificates
- Confirms domain ownership only
- Issued in minutes automatically
- Free via Let's Encrypt
- Suitable for most websites
- Most common certificate type
- Organization (OV) or Extended Validation (EV)
- Issued in 1-5 business days
- Costs $50 to $500/year
- For finance, e-commerce, government sites
- Increases user trust
Who uses this
DevOps
SSL certificate monitoring
Security
TLS config audit
SEO
HTTPS as ranking factor
E-commerce
customer trust
Common Mistakes
www and subdomains.Best Practices
Strict-Transport-Security header forces browsers to always use HTTPS.Get more with a free account
SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeLearn more
Frequently Asked Questions
Why wildcard if I can issue a cert per subdomain?
Wildcard is convenient for dynamic subdomains (auto-created). For a fixed set — individual certs are simpler (better revocation granularity).
Multi-level wildcard (*.*.example.com)?
No — Let's Encrypt supports only single-level (*.example.com). Deeper levels need a separate cert.
Is a wildcard safe?
If the private key is safe — yes. On compromise, the attacker reaches every subdomain at once. 90-day rotation (automatic) reduces risk.
Wildcard + SAN for apex?
Yes: <code>-d "*.example.com" -d example.com</code> creates a cert with SAN = [*.example.com, example.com]. Common practice.