How to create wildcard certificates with Let's Encrypt

by Viktor Garske on March 14, 2018, midnight, with 8 comments

Since yesterday, Let's Encrypt supports wildcard certificates, so you can issue a single certificate for all subdomains of a domain. This is very nice and powerful, but how do you create such certificates?

First of all, you need the latest version of certbot (preferably the git version). Start the certificate process using the following command. You need to replace with your domain.

certbot -d -d * --server --manual --preferred-challenges dns certonly

(You may need to replace certbot with ./certbot-auto, especially with the git version.)

Why are we using the --server option? Certbot may want to use the old ACME v1 endpoint, which doesn't support wildcard certificates (especially when you have an existing LE installation), so we need to help certbot out a little. You will likely need to enter your email address and accept the terms of service (again) because of the new endpoint.

Now the following text is shown (with your domain data of course):

Please deploy a DNS TXT record under the name with the following value:


You need to create a TXT record with the displayed value in your DNS zone now.

If you use the options as shown above, you will see a second key. You need to create a second record because every requested domain needs its own TXT record for the challenge and validation. It's possible to create multiple Resource Records for one domain. Your DNS records can look like this:

300 IN TXT "3AAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhFU"
300 IN TXT "4BAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhAB"

Update the DNS zone and check the TXT record. Then press enter again. Now certbot requests the certificate. The issued certificate data is located in /etc/letsencrypt/live/. The TXT records aren't needed until you need to renew your certificate.
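The "check the TXT record" step can be scripted. The following is an added example, not part of the original article or of certbot: it confirms that every value certbot displayed is actually published before you press enter. The function names are hypothetical, example.com is a placeholder for your domain, and the two values are the sample ones shown above. Note that a wildcard name and its base domain are both validated at the same _acme-challenge name, which is why two TXT records end up side by side.

```shell
#!/bin/sh
# Added example: pre-flight check for certbot's manual DNS challenge.
# example.com is a placeholder; function names are hypothetical.

# Map a requested name (a -d value) to the DNS name that holds its TXT record.
# The leading "*." of a wildcard is dropped, so it shares the base domain's name.
acme_challenge_name() {
    name=${1#\*.}      # strip a leading "*." if present
    name=${name%.}     # strip the trailing dot of a fully qualified name
    printf '_acme-challenge.%s\n' "$name"
}

# Read `dig +short TXT <name>` output on stdin (one quoted string per line) and
# print each expected value (passed as arguments) that is NOT published.
# Returns 0 when every expected value is present, 1 otherwise.
missing_txt_values() {
    published=$(tr -d '"\r')
    rc=0
    for want in "$@"; do
        # -F fixed string, -x whole line; "--" because values may start with "-"
        if ! printf '%s\n' "$published" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: resolver output while only the first record has propagated.
SAMPLE_DIG_OUTPUT='"3AAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhFU"'

# Offline demonstration. For a live check, replace the printf with:
#   dig +short TXT "$(acme_challenge_name '*.example.com')" @<authoritative-ns>
if missing=$(printf '%s\n' "$SAMPLE_DIG_OUTPUT" | missing_txt_values \
        3AAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhFU \
        4BAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhAB); then
    echo "all TXT values published, safe to press enter"
else
    echo "still missing: $missing"
fi
```

Querying the zone's authoritative name server rather than a caching resolver avoids a stale negative answer hiding a record that is already live.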

Viktor Garske

Viktor Garske is the main author of the blog and likes to write about technology, panorama, and tips & tricks.

Comments (8)


Many thanks for this very helpful Howto! Works perfectly!

Question: The common name for the resulting certificate seems to be "", not "*" (no asterisk). This does not seem to be a problem for my client (Firefox), but I see that other wildcard certificates (e.g. by GeoTrust) have the asterisk in the common name. Why is it different and can this difference lead to problems?

Viktor Garske (moderator)

July 13, 2018, 12:08 p.m.

If you look at RFC 6125 (sec. 1.5) you can see that the subjectAlternativeName is the relevant part for the certificate validation in your browser. Thus you can specify more than one dnsname (or with certbot: multiple -d options) being valid for your certificate. Modern browsers (esp. Chrome) only use the subjectAlternativeName instead of the common name. So, you need a subjectAlternativeName even if your cert is for one domain only. The common name should be one of the subjectAlternativeNames.

Certbot minds all this stuff and sets the first passed -d option as the common name and adds all domains being passed by the -d option to the subjectAlternativeName. Yes, I already saw that placing the wildcard name as the common name is recommended, but I didn't encounter problems with this version. I chose this variant to obviate problems with "crazy" configuration files forcing you to escape the asterisk and so on.

If you want to create a cert with the wildcard as the common name just swap the -d options.

DNS TXT record? You didn't mention what file to edit for this.

Viktor Garske (moderator)

July 30, 2018, 5:32 p.m.

I didn't mention a particular file because it depends on your provider / hoster.
Some hosters let you edit the zone file using their web interface, some have an assistant to add DNS records / entries. Just ask them how to add DNS TXT records.

I just realized this was a DNS thing. Sorry about that.

Viktor Garske (moderator)

July 30, 2018, 5:33 p.m.

Okay, no problem.

To install a wildcard certificate, must I first uninstall the existing "non wildcard" certificate? Thanks in advance.

Viktor Garske (moderator)

July 17, 2019, 12:23 p.m.

You don't need to uninstall a certificate. You only need to provide the correct DNS TXT entries for the signing process.