
The Ultimate Guide to Getting and Renewing Let’s Encrypt Wildcard SSL Certificates

Serving your website over HTTPS is no longer optional. One of the most efficient ways to do that across many hostnames is a Let’s Encrypt wildcard certificate: a single, free certificate that covers every subdomain one level below your domain. Whether you’re a developer, sysadmin, or entrepreneur running several subdomains under one main domain, this guide walks through obtaining and renewing one, including the parts that tend to go wrong: DNS validation, unattended renewal, and keeping the one private key from becoming a single point of failure.

What is a Wildcard SSL Certificate?

A wildcard SSL/TLS certificate secures every hostname exactly one label below a given domain. For example, a certificate for *.example.com covers:

  • www.example.com
  • blog.example.com
  • shop.example.com
  • any-subdomain.example.com

It does not cover the apex name example.com itself (which is why the requests later in this guide ask for both names), nor anything nested deeper, such as a.b.example.com, which would need its own wildcard (*.b.example.com) or an explicit entry. The trade-off is that one private key now vouches for every subdomain: every host that key is copied to becomes a place where all of them can be compromised at once. Within that limit, a wildcard is very convenient when you run many services on subdomains and want to manage TLS for them in one place.

Why Choose Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA) backed by the Internet Security Research Group (ISRG). It aims to make SSL/TLS encryption accessible to everyone. Some of its key benefits include:

  • Free of charge – No cost for issuance or renewal.
  • Automated – Certificates can be issued and renewed automatically.
  • Trusted – Accepted by all major browsers.
  • Short-lived – Certificates last 90 days, which limits the damage a leaked key can do and forces renewal to be automated rather than remembered.

Let’s Encrypt wildcard certificates are available through the ACME v2 protocol, and this guide will show you how to leverage that using a popular client: Certbot.

Prerequisites for Getting a Wildcard SSL Certificate

Before you can get a wildcard certificate, you’ll need:

  • A registered domain name (e.g., example.com).
  • The ability to create TXT records in the domain’s DNS zone, through a control panel or, for unattended renewal, an API.
  • A server or local machine with Certbot installed.
  • Administrative or root access to the environment you’re working in.

Wildcard names can only be validated with the DNS-01 challenge. Let’s Encrypt does not accept HTTP-01 (webroot, standalone) or TLS-ALPN-01 for them, because a file on one web server proves nothing about every possible subdomain, whereas control of the zone does.


Step-by-Step: How to Get a Let’s Encrypt Wildcard Certificate Using Certbot

Here is how to get your first wildcard SSL certificate from Let’s Encrypt using Certbot with manual DNS challenge mode:

1. Install Certbot

On Debian and Ubuntu, install Certbot from the distribution repositories:

sudo apt update
sudo apt install certbot

For Red Hat-based distributions, enable the EPEL repository (where Certbot is packaged) and then run:

sudo yum install certbot

Distribution packages can lag several releases behind; the Certbot project’s own instructions recommend the snap package for a current version, and the snap is also what the certbot-dns-* plugin snaps pair with. Whichever route you take, check the installed version with certbot --version before continuing.

2. Request the Certificate

Run the following command to start the certificate request process:

sudo certbot -d "*.example.com" -d example.com --manual --preferred-challenges dns certonly

Here --manual tells Certbot to prompt you for the DNS records instead of using a plugin, --preferred-challenges dns selects the DNS-01 challenge, and certonly obtains the certificate without touching any web server configuration. The bare domain is listed explicitly because the wildcard alone does not cover it.

3. Add TXT Records

Certbot will pause and show you a TXT record to create. Add it in your registrar’s or DNS provider’s control panel exactly as shown, then press Enter. Keep in mind:

  • The record name is _acme-challenge.example.com for both the wildcard and the apex name. Because you requested both, Certbot prompts twice with two different values; add the second value as an additional TXT record at the same name rather than replacing the first, since both must be visible when Let’s Encrypt checks.
  • Wait until the record is served by your zone’s authoritative nameservers before continuing (tools like DNSChecker, or dig aimed at those nameservers directly, confirm this). A premature Enter costs you one failed validation, and failed validations are rate-limited per hostname.

Once validation succeeds, Certbot writes the certificate to /etc/letsencrypt/live/example.com/: fullchain.pem is what you hand to your web server and privkey.pem is the private key, readable by root only. Point services at these paths rather than copying the files elsewhere, so that renewals are picked up without further work.
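The interactive prompts above can be replaced by scripts: Certbot runs whatever you pass as --manual-auth-hook before each validation and --manual-cleanup-hook afterwards, exporting CERTBOT_DOMAIN and CERTBOT_VALIDATION to them. The auth hook below is an added example written for this article, not code from the original post or from the Certbot project. It assumes a hypothetical dns-add-txt NAME VALUE command that creates the record through your provider’s API, that dig is installed, and that CERTBOT_DOMAIN is the zone apex; what it adds over a plain API call is that it polls every authoritative nameserver until the record is really there, which is the step most home-grown hooks skip.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the Certbot project): a
# --manual-auth-hook for the DNS-01 challenge. Certbot runs it once per name
# being validated with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the
# environment; it must return only after the TXT record is live.
set -euo pipefail

# TXT record name for an identifier. Certbot hands the hook the base domain
# for a wildcard authorization, but accept "*.example.com" too.
challenge_record_name() {
  local domain="$1"
  case "$domain" in '*.'*) domain="${domain:2}" ;; esac
  printf '_acme-challenge.%s\n' "$domain"
}

# Succeed if the expected validation string is among the TXT values read from
# stdin in `dig +short TXT` format (one double-quoted value per line). The
# apex and wildcard challenges share the same record name, so any matching
# line counts, not just the first.
txt_contains() {
  local expected="$1" line
  while IFS= read -r line; do
    line="${line%\"}"
    line="${line#\"}"
    if [ "$line" = "$expected" ]; then return 0; fi
  done
  return 1
}

# Query every authoritative nameserver of the zone directly (bypassing any
# resolver cache) until all of them serve the record, or the timeout passes.
wait_for_txt() {
  local name="$1" expected="$2" zone="$3" timeout="${4:-300}"
  local waited=0 ns servers all_ok
  while [ "$waited" -lt "$timeout" ]; do
    all_ok=1
    servers="$(dig +short NS "$zone" || true)"
    if [ -z "$servers" ]; then all_ok=0; fi
    for ns in $servers; do
      if ! dig +short TXT "$name" "@$ns" | txt_contains "$expected"; then
        all_ok=0
      fi
    done
    if [ "$all_ok" -eq 1 ]; then return 0; fi
    sleep 15
    waited=$((waited + 15))
  done
  echo "timed out waiting for $name at the authoritative servers" >&2
  return 1
}

main() {
  local name
  name="$(challenge_record_name "$CERTBOT_DOMAIN")"
  # Hypothetical command (assumption) that creates the TXT record through
  # your DNS provider's API; replace it with the provider's CLI or plugin.
  dns-add-txt "$name" "$CERTBOT_VALIDATION"
  # CERTBOT_DOMAIN is assumed to be the zone apex here.
  wait_for_txt "$name" "$CERTBOT_VALIDATION" "$CERTBOT_DOMAIN"
}

# Act as a hook only when Certbot invoked us; otherwise just define functions.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then main; fi
```

Wire it in with sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh -d "*.example.com" -d example.com; Certbot stores the hook paths in the renewal configuration, so certbot renew can then run unattended. The cleanup hook should delete only the TXT value it receives in CERTBOT_VALIDATION, not every record at _acme-challenge.example.com, because the apex and wildcard challenges share that name and the other one may still be in flight.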

Automating Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, so renewal has to be automated or it will eventually be forgotten. A certificate obtained with the interactive --manual flow cannot be renewed unattended as-is: Certbot needs some way to publish a fresh TXT record each time. That is either a DNS plugin that talks to your provider’s API (Option 2), or your own scripts passed as --manual-auth-hook and --manual-cleanup-hook, which Certbot runs in place of the prompts.

Option 1: Manual Renewal

If you’re okay repeating the DNS steps every 90 days (in practice every 60, since Certbot renews 30 days before expiry and Let’s Encrypt sends expiry reminders on that schedule), re-run the same certonly command you used to issue the certificate in step 2. Certbot recognises the existing certificate lineage, asks whether to renew it, and walks you through new TXT records with new validation values.

certbot renew is not the right tool for this case: it runs non-interactively and therefore cannot prompt you for records, so with the manual authenticator it fails unless an auth hook is configured.

Option 2: Using DNS-API Plugins

Certbot supports several DNS plugins that can interact with your DNS provider’s API to automatically add TXT records for you. For instance:

sudo apt install python3-certbot-dns-cloudflare

You’ll need an API token with permission to edit DNS records in that zone (for Cloudflare, a token scoped to Zone:DNS:Edit for the zones you need; avoid the account-wide global API key, which can do far more than add TXT records). Put it in a file that only root can read, such as ~/.secrets/cloudflare.ini with mode 600, containing the line dns_cloudflare_api_token = <token>; Certbot warns if the file is readable by others, because anyone who reads it can rewrite your DNS. Then request the certificate like so:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d "*.example.com" -d example.com

Certbot records the plugin and the credentials path in the renewal configuration, so certbot renew can repeat the challenge unattended. Packaged Certbot installs a systemd timer or cron job that runs it twice a day; confirm the whole chain works with certbot renew --dry-run (which uses the staging environment and does not count against rate limits), and add a --deploy-hook that reloads the services using the certificate, since a renewed file on disk changes nothing until the server re-reads it.

Best Practices and Tips

  • Use staging before production: point Certbot at Let’s Encrypt’s staging environment (--staging, or --dry-run for a throwaway run) while you are debugging DNS, so failed attempts do not eat into the production rate limits.
  • Monitor expiration: the renewal timer can fail silently (an expired API token, a nameserver change, a broken hook), so have an external check that connects to each subdomain and alerts well before the certificate’s notAfter date.
  • Limit privileges: the DNS credential Certbot holds can rewrite your zone. Scope it to the one zone (and to TXT records where the provider allows it), store it root-only with mode 600, and rotate it if a host holding it is compromised.
  • Limit where the key lives: a wildcard certificate’s private key is valid for every subdomain, so each host you copy it to becomes a single point of compromise for all of them. Keep it on as few systems as possible (for example a reverse proxy or load balancer that terminates TLS for everything), and give services run by other teams their own certificates.
  • Back up and protect keys: privkey.pem under /etc/letsencrypt/live/ and the ACME account key under /etc/letsencrypt/accounts/ deserve the same care as any other secret. Losing them only costs a re-issue; leaking them is a compromise.
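The coverage rules from the start of this guide (one label, apex excluded) and the advice above to monitor expiry can be checked together from a cron job. The script below is an added example written for this article, not code from the original post; it assumes bash, OpenSSL 1.1.1 or newer (for x509 -ext), and that the hosts you pass it serve HTTPS on port 443. san_matches implements the wildcard matching rule, san_dns_names parses the Subject Alternative Name block as OpenSSL prints it, and check_endpoint ties them together against a live server with a 14-day warning threshold.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify that a served wildcard
# certificate really covers a hostname and still has enough validity left.
set -euo pipefail

# Does one SAN entry cover a hostname? Implements the one-label wildcard rule:
# "*.example.com" matches "www.example.com" but not "example.com" (the apex)
# and not "a.b.example.com" (two labels deep). Matching is case-insensitive.
san_matches() {
  local san host
  san="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  host="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  case "$san" in
    '*.'*)
      local suffix="${san:2}" first="${host%%.*}" rest="${host#*.}"
      # The wildcard must stand in for exactly one non-empty label.
      if [ -n "$first" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      if [ "$san" = "$host" ]; then return 0; fi
      return 1
      ;;
  esac
}

# Extract DNS names from the SAN block as printed by
# `openssl x509 -noout -ext subjectAltName` (or the -text output), e.g.
#   X509v3 Subject Alternative Name:
#       DNS:*.example.com, DNS:example.com
# Emits one name per line.
san_dns_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed if any DNS SAN read from stdin covers the hostname.
cert_covers() {
  local host="$1" names san
  names="$(san_dns_names)"
  while IFS= read -r san; do
    if [ -z "$san" ]; then continue; fi
    if san_matches "$san" "$host"; then return 0; fi
  done <<EOF
$names
EOF
  return 1
}

# Fetch the certificate a host actually serves (with SNI) and report whether
# it covers the name and has more than min_days of validity left.
check_endpoint() {
  local host="$1" min_days="${2:-14}" cert
  cert="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null | openssl x509)"
  if ! printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName | cert_covers "$host"; then
    echo "$host: served certificate does not cover this name" >&2
    return 1
  fi
  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "$host: certificate expires within $min_days days" >&2
    return 1
  fi
  echo "$host: OK"
}

main() {
  local rc=0 h
  for h in "$@"; do
    check_endpoint "$h" || rc=1
  done
  return "$rc"
}

# Usage: ./check-wildcard.sh www.example.com shop.example.com
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from cron with the list of subdomains you care about and alert on a non-zero exit. A host that answers with a certificate not covering its own name is the classic symptom of a virtual host that accidentally serves the wildcard for a deeper subdomain or for the apex.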

Common Errors and Troubleshooting

Here are some common errors people encounter while getting Let’s Encrypt wildcard certificates and how to fix them:

DNS Propagation Delay
If Let’s Encrypt reports that it could not find the TXT record, the record was usually not yet served by all of your zone’s authoritative nameservers when validation ran. Query those nameservers directly (not your local resolver, which may be caching an older answer) and retry only once every one of them returns the value. With a DNS plugin, raise the plugin’s propagation wait (for example --dns-cloudflare-propagation-seconds) if your provider is slow to publish changes.
Rate Limits
Let’s Encrypt limits how many certificates you can issue per registered domain per week and how many failed validations it tolerates per hostname per hour. Stop and fix the underlying problem rather than retrying in a loop, and do your experimenting against the staging environment, which has much higher limits.
Missing DNS Plugin
If Certbot reports an unknown authenticator, the plugin is not installed in the same environment as Certbot itself. Distribution packages (python3-certbot-dns-*) pair with the distribution’s certbot; a third-party plugin installed with pip (e.g. pip install certbot-dns-namecheap) must go into the Python interpreter Certbot runs under; and the snap build only loads plugins shipped as snaps.

When to Start Fresh

If the renewal configuration under /etc/letsencrypt has drifted over time (a certificate re-issued with different plugins or domain lists, say) or you keep hitting errors you cannot explain, it can be simpler to remove the lineage and start over:

  • Remove the lineage with Certbot rather than by hand: the delete subcommand with --cert-name removes the certificate, its archive and its renewal configuration while leaving your ACME account and other certificates intact. Wiping /etc/letsencrypt wholesale also discards the account key.
  • Revoke only when you have to: sudo certbot revoke --cert-path followed by the path to the certificate’s cert.pem under /etc/letsencrypt/live/ (add --reason keycompromise when that is the case) is for a private key that has been exposed, not for housekeeping. Revoking a certificate that servers are still presenting breaks clients that check revocation, and an unneeded certificate simply expires within 90 days.
  • Initiate a fresh certificate request as described above.

Alternative Tools to Certbot

While Certbot is the leading tool for requesting Let’s Encrypt certificates, several alternatives exist, especially if you’re looking for integrations with specific platforms:

  • acme.sh – A lightweight and flexible bash script that supports over 80 DNS providers.
  • lego – Written in Go, it’s popular for use inside containerized environments.
  • win-acme – An interactive command-line client for Windows with built-in IIS integration.

Final Thoughts

Let’s Encrypt wildcard certificates put TLS for an entire domain within reach of anyone who controls its DNS. With the right tools and a little configuration, you can secure your domain and all its subdomains, as long as you treat the shared private key and the DNS credentials that renew it as the secrets they are.

As you scale, automate issuance with DNS plugins or auth hooks, or switch to an ACME client that fits your deployment environment. A properly maintained TLS setup keeps traffic confidential and untampered for your users, carries the trust (and search-ranking) benefits of HTTPS, and avoids the outages and browser warnings that come with an expired certificate.

Ready to take your website’s security up a notch? Secure your domain today with Let’s Encrypt Wildcard SSL and build a safer internet one subdomain at a time.