A wildcard cert (*.example.com) covers all subdomains with a single certificate. Let's Encrypt issues wildcards only via the DNS-01 challenge (HTTP-01 does not work). You need API access to the DNS provider to automatically add the _acme-challenge TXT record. Supported by certbot plugins: Cloudflare, Route53, DigitalOcean, dozens more.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
apt install python3-certbot-dns-cloudflarecertbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare.ini -d "*.example.com" -d example.comsystemctl enable --now certbot.timer| Scenario | Config |
|---|---|
| Cloudflare credentials | dns_cloudflare_api_token = YOUR_TOKEN_HERE |
| Route53 (AWS) | certbot --dns-route53 -d "*.example.com" -d example.com |
| Manual DNS-01 (any DNS) | certbot certonly --manual --preferred-challenges dns -d "*.example.com" |
| Force renew | certbot renew --force-renewal --cert-name example.com |
| deploy-hook for nginx reload | certbot renew --deploy-hook "systemctl reload nginx" |
To obtain a Let's Encrypt wildcard certificate, you must use the ACME protocol with a DNS challenge. This requires a DNS provider that supports API access for adding TXT records. Use the command certbot certonly --manual --preferred-challenges=dns --email your-email@example.com --agree-tos -d '*.yourdomain.com' to initiate the process. Follow the prompts to add the necessary DNS TXT records for verification.
Obtaining a Let's Encrypt wildcard certificate involves several steps that ensure your domain is secure and validated. Here’s a detailed breakdown:
sudo apt-get update && sudo apt-get install certbotcertbot certonly --manual --preferred-challenges=dns --email your-email@example.com --agree-tos -d '*.yourdomain.com'Type: TXT
Name: _acme-challenge.yourdomain.com
Value: abcdefghijklmnopqrstuvwxdig TXT _acme-challenge.yourdomain.comEnter to allow Certbot to verify the record. If successful, you will receive confirmation and your wildcard certificate files will be generated./etc/letsencrypt/live/yourdomain.com/. You will find the following files:fullchain.pem: The certificate file.privkey.pem: The private key file.server {
listen 443 ssl;
server_name *.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
}sudo nginx -techo '0 0 * * * /usr/bin/certbot renew --quiet' | sudo tee -a /etc/crontab > /dev/nullSSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeWildcard is convenient for dynamic subdomains (auto-created). For a fixed set — individual certs are simpler (better revocation granularity).
No — Let's Encrypt supports only single-level (*.example.com). Deeper levels need a separate cert.
If the private key is safe — yes. On compromise, the attacker reaches every subdomain at once. 90-day rotation (automatic) reduces risk.
Yes: <code>-d "*.example.com" -d example.com</code> creates a cert with SAN = [*.example.com, example.com]. Common practice.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.