Since yesterday Let's Encrypt supports wildcard certificates so you can issue a certificate for all subdomains of a domain. This is very nice and powerful but how can you create such certificates?
First of all, you need the latest version of certbot (preferably the git version). Start the certificate process using the following command. You need to replace vgapps.de with your domain.
certbot -d vgapps.de -d *.vgapps.de --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns certonly
(perhaps you need to replace certbot with ./certbot-auto, especially in the git version) Why are we using the --server-option? It is possible that certbot wants to use the old ACME v1 endpoint which doesn't support wildcard certificates (especially when you have an existing LE installation). Therefore we need to help out certbot a little bit. It's likely that you need to enter your email address and accept the terms of service (again) because of the new endpoint.
Now the following text is shown (with your domain data of course):
Please deploy a DNS TXT record under the name _acme-challenge.vgapps.de with the following value: 3AAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhFU
You need to create a TXT record with the displayed value in your DNS zone now.
If you use the options as shown above you will see a second key. You need to create a second record because every requested domain needs its own TXT record for the challenge and validation. It's possible to create multiple Resource Records for one domain. Your DNS records can look like this:
_acme-challenge.vgapps.de. 300 IN TXT "3AAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhFU" _acme-challenge.vgapps.de. 300 IN TXT "4BAfr7vk6_Ik0yg8SA_i-aiRagt11E34AdfXM3PuhAB"
Update the DNS zone and check the TXT record. Then press enter again. Now certbot requests the certificate. The issued certificate data is located in /etc/letsencrypt/live/. The TXT records aren't needed until you need to renew your certificate.