Skip to content

How to Get a Let's Encrypt Wildcard Certificate

Key idea:

A wildcard cert (*.example.com) covers all subdomains with a single certificate. Let's Encrypt issues wildcards only via the DNS-01 challenge (HTTP-01 does not work). You need API access to the DNS provider to automatically add the _acme-challenge TXT record. Supported by certbot plugins: Cloudflare, Route53, DigitalOcean, dozens more.

Below: step-by-step, working examples, common pitfalls, FAQ.

Check your site's SSL →

Step-by-Step Setup

  1. Pick a DNS provider with a certbot plugin (Cloudflare, Route53, Gandi, DigitalOcean)
  2. Install the plugin: apt install python3-certbot-dns-cloudflare
  3. Create a credentials file with an API token (chmod 600)
  4. Run: certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare.ini -d "*.example.com" -d example.com
  5. Cert lands in /etc/letsencrypt/live/example.com/ — fullchain.pem + privkey.pem
  6. Enable auto-renew: systemctl enable --now certbot.timer
  7. Verify: Enterno SSL checker for any subdomain

Working Examples

ScenarioConfig
Cloudflare credentialsdns_cloudflare_api_token = YOUR_TOKEN_HERE
Route53 (AWS)certbot --dns-route53 -d "*.example.com" -d example.com
Manual DNS-01 (any DNS)certbot certonly --manual --preferred-challenges dns -d "*.example.com"
Force renewcertbot renew --force-renewal --cert-name example.com
deploy-hook for nginx reloadcertbot renew --deploy-hook "systemctl reload nginx"

Common Pitfalls

  • HTTP-01 challenge does NOT work for wildcards — DNS-01 only
  • Wildcard does not cover the apex (*.example.com ≠ example.com). Add both with -d
  • API token with minimum permissions (DNS:Edit zone only, not Account:Read)
  • Let's Encrypt rate limit: 5 duplicate certs per week. Force renewal counts as new
  • Manual DNS-01 does not support auto-renewal — use a plugin or switch to a provider with API

TL;DR: How to Obtain a Let's Encrypt Wildcard Certificate

To obtain a Let's Encrypt wildcard certificate, you must use the ACME protocol with a DNS challenge. This requires a DNS provider that supports API access for adding TXT records. Use the command certbot certonly --manual --preferred-challenges=dns --email your-email@example.com --agree-tos -d '*.yourdomain.com' to initiate the process. Follow the prompts to add the necessary DNS TXT records for verification.

Step-by-Step Guide to Getting a Let's Encrypt Wildcard Certificate

Obtaining a Let's Encrypt wildcard certificate involves several steps that ensure your domain is secure and validated. Here’s a detailed breakdown:

  1. Prerequisites: Ensure you have the following before starting:
    • A registered domain name.
    • A DNS provider that allows API access or manual entry of DNS records.
    • Certbot installed on your server. You can install it using the command:
    • sudo apt-get update && sudo apt-get install certbot
  2. Choose Your Validation Method: Let's Encrypt allows for various validation methods. For wildcard certificates, you must use the DNS challenge. This method requires you to create a specific TXT record in your DNS settings.
  3. Initiate the Certificate Request: Use Certbot to request your wildcard certificate. The command structure is as follows:
  4. certbot certonly --manual --preferred-challenges=dns --email your-email@example.com --agree-tos -d '*.yourdomain.com'
  5. Follow the Prompts: After executing the command, Certbot will provide you with a DNS TXT record that you need to add to your domain’s DNS settings. For example, it might instruct you to create:
  6. Type: TXT
    Name: _acme-challenge.yourdomain.com
    Value: abcdefghijklmnopqrstuvwx
  7. Add the DNS Record: Log in to your DNS provider's management console and add the TXT record as specified by Certbot. Save your changes.
  8. Verify DNS Propagation: Before proceeding, ensure the DNS record has propagated. You can check this using tools like DNS Checker or by using the command:
  9. dig TXT _acme-challenge.yourdomain.com
  10. Complete the Certificate Request: Once the DNS record is confirmed, return to your terminal where Certbot is running. Press Enter to allow Certbot to verify the record. If successful, you will receive confirmation and your wildcard certificate files will be generated.
  11. Locate Your Certificate Files: By default, Certbot stores your certificates in /etc/letsencrypt/live/yourdomain.com/. You will find the following files:
    • fullchain.pem: The certificate file.
    • privkey.pem: The private key file.
  12. Configure Your Web Server: Depending on your web server (e.g., Apache, Nginx), you will need to configure it to use the new wildcard certificate. For example, in Nginx, your server block might look like:
  13. server {
    listen 443 ssl;
    server_name *.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    }
  14. Test Your Configuration: After updating your server configuration, test it to ensure everything is functioning correctly. You can use a command like:
  15. sudo nginx -t
  16. Renew Your Certificate: Let's Encrypt certificates are valid for 90 days. To automate the renewal process, you can set up a cron job by running:
  17. echo '0 0 * * * /usr/bin/certbot renew --quiet' | sudo tee -a /etc/crontab > /dev/null
  18. Conclusion: Following these steps will allow you to successfully obtain and implement a Let's Encrypt wildcard certificate, enhancing the security of your domain and its subdomains.
CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Frequently Asked Questions

Why wildcard if I can issue a cert per subdomain?

Wildcard is convenient for dynamic subdomains (auto-created). For a fixed set — individual certs are simpler (better revocation granularity).

Multi-level wildcard (*.*.example.com)?

No — Let's Encrypt supports only single-level (*.example.com). Deeper levels need a separate cert.

Is a wildcard safe?

If the private key is safe — yes. On compromise, the attacker reaches every subdomain at once. 90-day rotation (automatic) reduces risk.

Wildcard + SAN for apex?

Yes: <code>-d "*.example.com" -d example.com</code> creates a cert with SAN = [*.example.com, example.com]. Common practice.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.