This short tutorial explains how to generate wildcard SSL/TLS certificates with Let’s Encrypt on Debian-based distros!

Before you begin, make sure your domain’s nameserver (NS) records have not been changed within the last hour. A recent NS change may still be cached by resolvers, which can delay or fail the certificate validation.

Let’s get started!

Step 1 – Install Let’s Encrypt Certbot

Before generating your free wildcard certificate, you must first ensure that certbot is installed. On current Debian-based releases the package is named certbot (the older letsencrypt package is only a transitional alias for it). To install it, run the commands below:

sudo apt update
sudo apt install certbot

Step 2 – Generate the Wildcard Certificate

To generate Wildcard certificates, the only challenge method accepted by Let’s Encrypt is the DNS validation method. You cannot validate Wildcard certificates using the HTTP method.

After you gain access to your domain’s DNS manager, run the command below and replace the sample domain with your domain:

sudo certbot certonly --manual --preferred-challenges=dns --email admin@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d example.com -d '*.example.com'

The wildcard name is quoted so the shell does not try to expand it as a file glob. The command options above are explained below:

  • certonly: obtain or renew a certificate, but do not install it into a web server
  • --manual: obtain the certificate interactively; certbot prompts you to create the DNS records yourself
  • --preferred-challenges=dns: use the DNS-01 challenge for validation
  • --email: contact address for expiry notices and account recovery
  • --server: the ACME directory URL to use; the v2 endpoint given above is required for wildcard certificates
  • --agree-tos: agree to the ACME server’s subscriber terms
  • -d: domain names to include in the certificate; the base domain and the wildcard are listed so that both example.com and its subdomains are covered

After you run the command above, certbot will print the name and value of a TXT record that you must add to your domain’s DNS.

The output of the command looks like the example below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
DUhtCPvidLWIxaf06uqh1-WMTHG756TY6zXzOu-cgXU
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Go to your DNS manager and add a TXT record with exactly the name and value shown in the prompt (here, _acme-challenge.example.com with the value DUhtCPvidLWIxaf06uqh1-WMTHG756TY6zXzOu-cgXU).

Wait about 3-5 minutes before pressing Enter to continue. Some DNS providers take a long time to propagate changes.

Because the command requests two names (example.com and *.example.com), certbot will then prompt you for a second TXT record with the same name (_acme-challenge.example.com) but a different value. Add it as an additional record; do not replace the first one. Several TXT records with the same name are allowed, and both must be present when you continue.

Again wait about 3-5 minutes before pressing Enter to continue. You can also use an online DNS record checker to make sure that the TXT records are visible to the certificate validator. I recommend dnslookup.online to check DNS records.

Once both TXT records are in place and you press Enter, Let’s Encrypt will validate them to confirm that you control the domain, and you will see a success message like the one below:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-06-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

We’re all set!

The wildcard certificate is now issued and ready to be used!

Step 3: Check the certificate

To verify that the certificate is ready, run the command below:

sudo certbot certificates

This should display a screen similar to the one below:

Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2020-06-07 07:48:04+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Bonus: Set up auto-renewal

One important thing: Let’s Encrypt certificates are valid for only 90 days, so renewal has to be automated if you don’t want to sign in to the server every time. Two caveats apply to the certificate issued above:

  • A certificate obtained with --manual and no hook scripts cannot be renewed non-interactively. certbot renew will refuse it with an error stating that an authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively. To renew unattended, either re-issue the certificate with --manual-auth-hook (and usually --manual-cleanup-hook) pointing at a script that creates and removes the TXT record through your DNS provider’s API, or use a certbot DNS plugin for your provider (the python3-certbot-dns-* packages on Debian), which does this for you. The hook or plugin settings are saved in the certificate’s renewal configuration and reused by certbot renew.
  • The Debian certbot package already installs a systemd timer (certbot.timer, visible with systemctl list-timers) that runs certbot renew twice a day, so a separate cron job is normally unnecessary.

If you still prefer cron (for example on a system without systemd), open root’s crontab with the command below:

sudo crontab -e

Select your preferred text editor and add the line below:

0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log 2>&1

If a web server or other service uses the certificate, add --deploy-hook with the command that reloads it; the hook runs only when a certificate was actually renewed. Leave the private key where certbot put it: /etc/letsencrypt/live/example.com/privkey.pem is readable by root only, and a wildcard key is valuable because it covers every subdomain, so do not copy it elsewhere with looser permissions.

Save and that’s it!
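The script below is an added example (not code from the original tutorial or from the certbot project). It serves two points above: checking from the command line that the _acme-challenge TXT record is actually visible before you press Enter in Step 2, and reusing that same check inside a --manual-auth-hook so that certbot renew can run without you at the keyboard, since a --manual certificate with no hook cannot be renewed non-interactively. It assumes dig is installed (package dnsutils on Debian) and that the certificate’s base domain is a zone apex. publish_txt_record is a hypothetical placeholder: the tutorial names no DNS provider, so the real API or CLI call has to be substituted there.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial or from certbot itself).
# Helpers for DNS-01 wildcard issuance: check that the _acme-challenge TXT
# record is really visible before pressing Enter, and reuse that check inside
# a certbot --manual-auth-hook so "certbot renew" can run unattended.
# Requires dig (package dnsutils on Debian). publish_txt_record is a
# hypothetical placeholder for your DNS provider's API.

# Name of the TXT record Let's Encrypt queries for a domain. A wildcard
# identifier (*.example.com) is validated at the base name, which is why the
# tutorial's prompt shows _acme-challenge.example.com for both names.
acme_txt_name() {
    local domain="$1"
    domain="${domain#\*.}"             # strip a leading "*." if present
    printf '_acme-challenge.%s\n' "$domain"
}

# Turn `dig +short TXT` output into one unquoted value per line. dig prints
# each record as a quoted string; a long value may be split into several
# quoted chunks on one line, which are joined back together here.
txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 iff VALUE is exactly one of the TXT values in the dig output on stdin.
# A whole-line fixed-string match refuses a truncated or prefixed copy of the
# token, which Let's Encrypt would reject anyway.
txt_contains() {
    txt_values | grep -qxF -- "$1"
}

# Poll the zone's authoritative nameserver until NAME carries VALUE.
# Asking the authoritative server, not the local resolver, sidesteps cached
# negative answers; Let's Encrypt also resolves from the authority.
# Assumption: the certificate's base domain is a zone apex (has NS records).
wait_for_txt() {
    local name="$1" value="$2" tries="${3:-30}" sleep_s="${4:-10}"
    local zone="${name#_acme-challenge.}"
    local ns i
    ns="$(dig +short NS "$zone" | head -n1)"
    [ -n "$ns" ] || { echo "no NS records found for $zone" >&2; return 1; }
    for i in $(seq 1 "$tries"); do
        if dig +short TXT "$name" "@$ns" | txt_contains "$value"; then
            echo "$name has value $value at $ns (attempt $i)"
            return 0
        fi
        sleep "$sleep_s"
    done
    echo "$name still lacks value $value after $((tries * sleep_s))s" >&2
    return 1
}

# Hypothetical: create a TXT record through your DNS provider's API or CLI.
# The tutorial names no provider, so substitute the real call here. It must
# ADD a record: example.com and *.example.com share the same record name and
# certbot calls the hook once per name, so two TXT records must coexist.
publish_txt_record() {
    echo "would create TXT $1 -> $2 via the DNS provider API" >&2
}

# certbot invokes the auth hook with CERTBOT_DOMAIN and CERTBOT_VALIDATION in
# the environment, once per challenge, before asking Let's Encrypt to validate.
manual_auth_hook() {
    local name
    name="$(acme_txt_name "$CERTBOT_DOMAIN")"
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Dispatch when run directly, e.g. saved as /usr/local/bin/acme-dns-hook.sh:
#   certbot certonly --manual --preferred-challenges=dns \
#     --manual-auth-hook "/usr/local/bin/acme-dns-hook.sh auth" \
#     -d example.com -d '*.example.com'
# The hook path is stored in the renewal config, so "certbot renew" reuses it.
#   acme-dns-hook.sh check example.com DUhtCPvidLWIxaf06uqh1-WMTHG756TY6zXzOu-cgXU
# is the manual check to run before pressing Enter in the interactive flow.
case "${1:-}" in
    auth)  manual_auth_hook ;;
    check) wait_for_txt "$(acme_txt_name "$2")" "$3" ;;
esac
```

The check mode polls only the zone’s own nameserver, so a result there means the record exists at the authority even if your local resolver still returns a cached empty answer; a cleanup hook (--manual-cleanup-hook) that deletes the record after validation is left out here because it is the same provider-specific call in reverse.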

Congratulations! Now you know how to set up a Let’s Encrypt Wildcard certificate with auto-renewal!

😉