Introduction

Wildcard certificates are SSL certificates that can protect any number of subdomains with a single certificate. When you need to support multiple subdomains but don’t want to configure them individually, you may need a wildcard certificate.

Let’s Encrypt is an SSL certificate authority that uses an automated API to issue free certificates. In this tutorial, you will follow these steps to create a Let’s Encrypt wildcard certificate:

  1. Make sure your DNS settings are correct
  2. Install the Certbot plug-in required to complete the DNS-based challenge
  3. Authorize Certbot to access your DNS provider
  4. Retrieve your certificate

This information applies to any Linux distribution and any server software, but you may need to fill in some gaps with further documentation, which we link to throughout the tutorial.

Prerequisites

This tutorial assumes that you already have the following.

  • The Certbot tool, version 0.22.0 or higher, installed. If you need help installing Certbot, visit our Let’s Encrypt tag, where you can find installation guides for various Linux distributions and servers. Some common setups are listed below.
    • How to Secure Nginx with Let’s Encrypt on Ubuntu 20.04
    • How to Secure Apache with Let’s Encrypt on Ubuntu 20.04
    • How to Use Certbot Standalone Mode to Obtain Let’s Encrypt SSL Certificates on Ubuntu 18.04
  • A domain name, and a DNS provider that Certbot supports. See Certbot’s list of DNS plug-ins for the supported vendors.

Let’s start setting up and testing our DNS records.

Step 1 — Set up the wildcard DNS

Before we obtain a wildcard SSL certificate, we should ensure that our server can respond to requests for multiple subdomains. This is usually done by setting a wildcard DNS record, which looks similar to this:

*.example.com.   3600  IN  A  203.0.113.1

The * wildcard stands in for any single host name label. The DNS record in this example will match one.example.com and two.example.com. It will not match the bare example.com, nor will it match one.two.example.com, because the * wildcard covers only one label, not several.

Also, a wildcard DNS record can contain only one wildcard, so *.*.example.com is not allowed.
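The matching rules just described, as an added worked example (not code from the tutorial or from Certbot). It checks a host name against a wildcard record owner name: a single leading * covers exactly one label, never the bare domain, and a record may carry only one wildcard. The same single-label rule is what TLS clients apply when matching a host name against a *.example.com certificate.

```python
"""Wildcard DNS owner-name validation and matching (added illustration)."""


def is_valid_wildcard_record(owner: str) -> bool:
    """A wildcard owner name must be '*.<domain>' with exactly one '*'.

    Rejects '*.*.example.com' (two wildcards), 'www.example.com' (no
    wildcard) and names whose '*' is not the leftmost label on its own.
    """
    labels = owner.rstrip(".").split(".")
    return (
        len(labels) >= 2
        and labels[0] == "*"
        and labels.count("*") == 1
        and all(label != "" for label in labels)
    )


def wildcard_matches(owner: str, hostname: str) -> bool:
    """True if `hostname` is covered by the wildcard record `owner`.

    Raises ValueError for an owner name that is not a valid wildcard record.
    """
    if not is_valid_wildcard_record(owner):
        raise ValueError(f"not a valid wildcard owner name: {owner!r}")
    suffix = [s.lower() for s in owner.rstrip(".").split(".")[1:]]  # labels after '*'
    host = hostname.rstrip(".").lower().split(".")
    # Exactly one extra label on the left, which must be non-empty,
    # and the remaining labels must be identical to the record's suffix.
    return len(host) == len(suffix) + 1 and host[0] != "" and host[1:] == suffix


if __name__ == "__main__":
    for name in ("one.example.com", "example.com", "one.two.example.com"):
        print(f"{name:22} -> {wildcard_matches('*.example.com.', name)}")
```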

Refer to your DNS vendor’s documentation to set up the correct DNS entries. Add an A or CNAME wildcard record before proceeding.

Note: If you use DigitalOcean to manage your DNS, see How to Create, Edit, and Delete DNS Records in our product documentation for more information.

To test whether your wildcard DNS is working as planned, use the host command to query some host names.

host one.example.com

Make sure to use your own domain name and host name instead of the ones above. Also, keep in mind that DNS records can take several minutes to propagate. If you just added your DNS record and got an error, wait a few minutes and try again.

When the hostname you entered resolves correctly, you should see output similar to the following.

Output
one.example.com has address 203.0.113.1

Otherwise, you will see an NXDOMAIN error.

Output
Host one.example.com not found: 3(NXDOMAIN)

Once you have verified that multiple subdomains can resolve to your server, you can proceed to the next step, where you will configure Certbot to connect to your DNS provider.

Step 2 – Install the correct Certbot DNS plug-in

Before issuing a certificate, Let’s Encrypt performs a challenge to verify that you control the host names you are requesting a certificate for. In the case of a wildcard certificate, we need to prove that we control the entire domain. We do this by responding to a DNS-based challenge, which Certbot answers by creating a special DNS record in the target domain. Let’s Encrypt’s servers then validate that record before issuing the certificate.
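What that special record contains, as an added example (not Certbot’s or Let’s Encrypt’s code) following the ACME dns-01 challenge in RFC 8555 section 8.4: the CA hands the client a random token, and the client publishes a TXT record at _acme-challenge.<domain> whose value is the base64url SHA-256 of "<token>.<account key thumbprint>". The token and the JWK below are constructed placeholders, not a real key or a real challenge.

```python
"""ACME dns-01 challenge response and the CA-side check (added illustration)."""
import base64
import hashlib
import json

# Constructed sample inputs; the JWK is a placeholder, not a usable key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def challenge_record_name(identifier: str) -> str:
    """Validation name: '_acme-challenge.' prepended to the domain, with a leading '*.' removed."""
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The TXT value the client must publish for this token and account key."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def ca_validates(txt_records: list, token: str, jwk: dict) -> bool:
    """What the CA's validator checks: a TXT record at the challenge name equals the expected value."""
    return dns01_txt_value(token, jwk) in txt_records


if __name__ == "__main__":
    print(challenge_record_name("*.example.com"), "TXT", dns01_txt_value(SAMPLE_TOKEN, ACCOUNT_JWK))
```

Because the wildcard and the bare domain share the same challenge name, an order for both *.example.com and example.com needs two TXT records at _acme-challenge.example.com, which the DNS plug-ins handle for you.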

To connect to your DNS provider, Certbot needs a plug-in. See Certbot’s list of DNS plug-ins for the name of the plug-in that is appropriate for your DNS provider.

For example, the plug-in for DigitalOcean is called certbot-dns-digitalocean. On Ubuntu and Debian you can install it with the following package:

sudo apt install python3-certbot-dns-digitalocean

Other plug-ins follow the same naming format. If you are using a different service, substitute your provider’s name in the command above.

On CentOS and other RPM-based distributions, the installation command may be dnf:

dnf install python3-certbot-dns-digitalocean

Or yum:

yum install python3-certbot-dns-digitalocean

You may also need to enable additional package repositories on these distributions to gain access to the Certbot plug-in package.

To verify that the plug-in is installed correctly, you can ask Certbot to list its current plug-ins.

certbot plugins

Output
-------------------------------------------------------------------------------
* dns-digitalocean
Description: Obtain certs using a DNS TXT record (if you are using DigitalOcean
for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-digitalocean =
certbot_dns_digitalocean.dns_digitalocean:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

In the output above, the dns-digitalocean plug-in is listed first, along with the default standalone and webroot plug-ins.

After you confirm that the correct plug-in is installed, proceed to the next step of configuration.

Step 3 – Configure the Certbot plug-in

Since Certbot needs to connect to your DNS provider and create DNS records on your behalf, you need to give it permission to do so. This involves getting an API token or other authentication information from your DNS provider and putting it in a secure credentials file from which Certbot will then read.

Since each vendor has a different authentication process, please refer to the documentation for your specific Certbot DNS plug-in for more information about which tokens or keys you need to obtain.

In this example, we will continue to use the dns-digitalocean plug-in and store our credentials in the file ~/certbot-creds.ini.

We will create this file using the Nano text editor.

nano ~/certbot-creds.ini

This will open a new blank text file. Add your information according to your specific DNS provider’s instructions. DigitalOcean needs an API token, so the file will look like this.

~/certbot-creds.ini

dns_digitalocean_token = 235dea9d8856f5b0df87af5edc7b4491a92745ef617073f3ed8820b5a10c80d2

Be sure to replace the example token above with your own information.

Save and close the file. If you are using nano, press CTRL+O (write out), then ENTER, then CTRL+X to exit.

After creating the file, you need to restrict its permissions so that your secret is not revealed to other users on the system. The following chmod command gives only your user read and write permission.

chmod 600 ~/certbot-creds.ini
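A check that the credentials file meets the conditions this step sets, as an added example (not part of Certbot): it must be readable only by its owner, it must carry a non-empty dns_digitalocean_token, and the sample token from this tutorial must not still be in it. Certbot’s DNS plug-ins warn about group- or world-readable credentials files; this function refuses them outright. The key name and the example token are taken from the sample file above.

```python
"""Pre-flight check for a Certbot DNS credentials file (added illustration)."""
import os
import stat

# The placeholder token shown in the tutorial's sample file; it must be replaced.
EXAMPLE_TOKEN = "235dea9d8856f5b0df87af5edc7b4491a92745ef617073f3ed8820b5a10c80d2"


def load_credentials(path: str, key: str = "dns_digitalocean_token") -> str:
    """Return the token from `path`, or raise if the file is unsafe or incomplete."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        # Any group or other bit set means another user could read the token.
        raise PermissionError(
            f"{path} is accessible by other users (mode {mode:04o}); run: chmod 600 {path}")

    token = None
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith(("#", ";")):
                continue  # blank lines and comments
            name, sep, value = line.partition("=")
            if sep and name.strip() == key:
                token = value.strip()

    if not token:
        raise ValueError(f"{path} has no {key} entry")
    if token == EXAMPLE_TOKEN:
        raise ValueError(f"{path} still contains the tutorial's example token")
    return token


if __name__ == "__main__":
    print("token loaded:", load_credentials(os.path.expanduser("~/certbot-creds.ini"))[:4] + "...")
```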

Once you have created your credentials file, you are ready to actually request the certificate.

Step 4 – Retrieve the certificate

At this point, obtaining a Let’s Encrypt wildcard certificate is much like obtaining a “normal” non-wildcard certificate. The main changes are that we specify the DNS-based challenge and point Certbot at our DNS credentials file. In addition, we pass a wildcard domain with the -d flag.

sudo certbot certonly \
  --dns-digitalocean \
  --dns-digitalocean-credentials ~/certbot-creds.ini \
  -d '*.example.com'

Note that you cannot use the --nginx or --apache plug-ins to automatically configure wildcard certificates for those servers. Instead, we use the certonly command to only obtain the certificate.

When you run the above command, if this is the first time you are running Certbot, you may be asked some questions. After you answer them, Certbot will complete the challenge, the Let’s Encrypt servers will verify it, and your new certificate will be downloaded and saved under /etc/letsencrypt/. You should see output similar to the following.

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-09-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You have successfully generated a wildcard SSL certificate! Your next step is to configure your server application to use it. We’ll link to some resources that can help you in the next section.

Conclusion

In this tutorial, you configured Certbot and downloaded a wildcard SSL certificate from the Let’s Encrypt Certificate Authority. You are now ready to configure your server software to use this certificate to secure its connections.

For more information about which certificate files were downloaded and how to gracefully restart your application when Certbot automatically renews your certificate, see steps 3 and 4 of our tutorial on how to use Certbot standalone mode on Ubuntu 18.04 to obtain Let’s Encrypt SSL certificates.