How to Generate Wildcard SSL Certificates (*.example.com) with Let’s Encrypt and Certbot Using DNS-01 Challenge


When you try to include a wildcard name using Certbot's default HTTP-01 challenge (here through the webroot authenticator; the certbot-auto wrapper is deprecated, but a current certbot fails in exactly the same way):

certbot-auto certonly --webroot --webroot-path /home/www/example/ \
--domain example.com --domain *.example.com --email certbot@example.com

You'll encounter the error:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Let's Encrypt issues wildcard certificates only after DNS-01 validation, because:

  • HTTP-01 proves control of a web server that answers for one specific hostname; it says nothing about the other names a wildcard covers
  • Publishing a TXT record at _acme-challenge.example.com proves control of the zone itself, which is what a wildcard certificate asserts
  • DNS-01 is the only challenge type Let's Encrypt accepts for a wildcard identifier; HTTP-01 and TLS-ALPN-01 are refused for it, whichever authenticator you use

Here is the Certbot command for interactive DNS-01 validation (the --manual-public-ip-logging-ok flag that older guides add is deprecated and no longer needed; newer Certbot releases ignore it):

certbot certonly --manual --preferred-challenges=dns \
--domain example.com --domain *.example.com \
--email admin@example.com --agree-tos

A certificate obtained this way cannot be renewed unattended: certbot renew fails for manual-mode lineages unless you also supply --manual-auth-hook and --manual-cleanup-hook scripts that publish and remove the record. For a server that must renew on its own, use such hooks or one of the DNS plugins described below.

Certbot prompts you to publish a TXT record with the value it prints, then waits for you to press Enter. For example:

_acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"

The order contains two identifiers (example.com and *.example.com), so Certbot prompts twice and both records live at the same name, _acme-challenge.example.com. Add the second record without removing the first, and check with dig against your authoritative nameservers that both values are visible before pressing Enter: Let's Encrypt resolves the name itself, from several network vantage points, and a record that has not yet reached the authoritative servers fails the challenge.
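The hook pair that makes manual mode renewable, as an added example that is not Certbot's code or the page's own: it shows what Certbot hands to --manual-auth-hook / --manual-cleanup-hook (CERTBOT_DOMAIN, CERTBOT_VALIDATION), how the record name is derived so that example.com and *.example.com share it, and a visibility check for the two-records-at-one-name situation. Publishing is done with RFC 2136 dynamic updates (nsupdate); the primary server address, TSIG key file and the assumption that the base domain is the zone apex are all hypothetical and marked as such in the code.

```shell
#!/bin/sh
# Added example (not Certbot's code): a manual DNS-01 auth/cleanup hook built on
# nsupdate (RFC 2136). Assumptions, all hypothetical: a primary nameserver at
# $DNS_PRIMARY that accepts TSIG-signed updates with the key in $TSIG_KEY_FILE,
# and that the base domain is the zone apex (override with $ACME_ZONE if not).
set -eu

: "${DNS_PRIMARY:=192.0.2.53}"                        # hypothetical primary (documentation address)
: "${TSIG_KEY_FILE:=/etc/letsencrypt/acme-tsig.key}"  # hypothetical TSIG key file

# Record name for a DNS-01 challenge. Certbot passes the base name in
# CERTBOT_DOMAIN; a leading "*." is stripped defensively because example.com
# and *.example.com both validate at the same _acme-challenge name.
challenge_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Build an nsupdate batch that adds or deletes exactly one TXT record.
# Usage: build_nsupdate_batch add|delete <domain> <token> [ttl]
# Each identifier in the order gets its own token, so while example.com and
# *.example.com are both pending two TXT records coexist at the same name.
# Deleting by exact value (never by name alone) keeps the sibling record intact.
build_nsupdate_batch() {
    action="$1" domain="$2" token="$3" ttl="${4:-60}"
    name="$(challenge_name "$domain")"
    zone="${ACME_ZONE:-${domain#\*.}}"
    if [ "$action" = add ]; then
        rr="$name. $ttl IN TXT \"$token\""
    else
        rr="$name. IN TXT \"$token\""
    fi
    printf 'server %s\nzone %s.\nupdate %s %s\nsend\n' "$DNS_PRIMARY" "$zone" "$action" "$rr"
}

# Given the output of `dig +short TXT <name> @<authoritative-ns>` (one quoted
# string per line), succeed only if the expected token is among the records.
# Several lines are normal while both challenges of a wildcard order are live.
challenge_visible() {
    printf '%s\n' "$1" | grep -Fxq -- "\"$2\""
}

# Poll an authoritative server until the record is visible. Let's Encrypt
# resolves the name itself, so an answer that only your local cache has is
# worthless; if the zone has secondaries, poll each of them as well.
wait_for_record() {
    name="$1" token="$2" ns="$3" tries="${4:-30}" i=0
    while [ "$i" -lt "$tries" ]; do
        if challenge_visible "$(dig +short TXT "$name" "@$ns" 2>/dev/null || true)" "$token"; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    return 1
}

# Certbot runs the hook command through a shell, so the role is passed as $1:
#   --manual-auth-hook "/path/acme-hook.sh auth"
#   --manual-cleanup-hook "/path/acme-hook.sh cleanup"
case "${1:-}" in
    auth)
        : "${CERTBOT_DOMAIN:?}" "${CERTBOT_VALIDATION:?}"
        build_nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
        wait_for_record "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION" "$DNS_PRIMARY"
        ;;
    cleanup)
        : "${CERTBOT_DOMAIN:?}" "${CERTBOT_VALIDATION:?}"
        build_nsupdate_batch delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY_FILE"
        ;;
    *)
        # Stand-alone: print the batch for a constructed token; touches no DNS.
        build_nsupdate_batch add '*.example.com' 'constructed-token-value'
        ;;
esac
```

Wired in with --manual-auth-hook "/path/acme-hook.sh auth" --manual-cleanup-hook "/path/acme-hook.sh cleanup" on the certonly command above, the same command later renews unattended; the auth hook returning non-zero (record never became visible) makes Certbot abort before Let's Encrypt is asked to validate.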

For production environments, use a DNS plugin so that Certbot creates and removes the record itself and renewal runs unattended. Example for Route53 (the plugin picks up AWS credentials the way boto3 does: environment variables, ~/.aws/credentials, or an instance or role profile; the identity needs route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets, with the last one scoped to the hosted zone in question):

certbot certonly --dns-route53 \
--domain example.com --domain *.example.com \
--email admin@example.com --agree-tos \
--non-interactive

Popular DNS plugins include:

  • --dns-cloudflare (Cloudflare)
  • --dns-digitalocean (DigitalOcean)
  • --dns-google (Google Cloud DNS)
  • --dns-rfc2136 (any nameserver that accepts TSIG-signed dynamic updates, such as BIND)

Each plugin ships as a separate package and reads its secret from a --<plugin>-credentials file; keep that file readable by root only, because whoever holds it can rewrite your zone.

For automated renewal, add to crontab (Let's Encrypt recommends attempting renewal twice a day; certbot renew only renews certificates that are within 30 days of expiry):

0 0,12 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"

--deploy-hook runs only when a certificate was actually renewed, whereas --post-hook runs after every attempt that was made, so the former is the right place for a reload. On Debian and Ubuntu the certbot package already installs a certbot.timer systemd unit, and the snap installs its own timer; check systemctl list-timers before adding a cron entry so renewals are not attempted twice.

After obtaining your certificate, verify that the subject alternative names include both the apex and the wildcard (a wildcard SAN does not cover the bare domain):

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout | grep -A1 'Subject Alternative Name'
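The verification above, extended into a --deploy-hook that checks the renewed lineage before nginx is reloaded; this is an added example, not Certbot's code or the page's. It checks that the private key matches the certificate, that the certificate is not about to expire, and that every required SAN is present literally. Certbot exports RENEWED_LINEAGE to deploy hooks; without it, the script generates a self-signed wildcard certificate with openssl as constructed input so that it runs offline (OpenSSL 1.1.1 or newer for -addext).

```shell
#!/bin/sh
# Added example (not Certbot's or the page's code): a --deploy-hook that checks
# the renewed lineage before reloading nginx. RENEWED_LINEAGE is what Certbot
# exports to deploy hooks (/etc/letsencrypt/live/<name>); when it is absent a
# self-signed wildcard certificate is built as constructed test input.
set -eu

# List the DNS SANs of the first certificate in a PEM file, one per line.
# fullchain.pem starts with the leaf, which is the one that matters here.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Exact-match check: "*.example.com" must appear literally. A wildcard SAN does
# not cover the apex, which is why the order carries both names.
cert_has_name() {
    cert_dns_names "$1" | grep -Fxq -- "$2"
}

# The private key must correspond to the certificate; otherwise nginx rejects
# the pair on reload and keeps serving the old certificate until it expires.
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate remains valid for at least $2 seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run every check on a lineage directory; the remaining arguments are the SANs
# the certificate must carry. Usage: verify_lineage <dir> <name>...
verify_lineage() {
    dir="$1"; shift
    cert="$dir/fullchain.pem" key="$dir/privkey.pem"
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for "$cert" 2592000 || { echo "certificate expires within 30 days" >&2; return 1; }
    for n in "$@"; do
        cert_has_name "$cert" "$n" || { echo "missing SAN: $n" >&2; return 1; }
    done
}

# Constructed test input: a 90-day self-signed certificate for both names.
make_test_lineage() {
    mkdir -p "$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 90 -subj '/CN=example.com' \
        -addext 'subjectAltName=DNS:example.com,DNS:*.example.com' \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Deploy-hook mode: a failed check leaves nginx untouched and makes certbot
    # report the hook failure in its output and log.
    verify_lineage "$RENEWED_LINEAGE" example.com '*.example.com' || exit 1
    systemctl reload nginx
else
    tmp="$(mktemp -d)"
    make_test_lineage "$tmp"
    verify_lineage "$tmp" example.com '*.example.com' \
        && echo "lineage OK: $(cert_dns_names "$tmp/fullchain.pem" | tr '\n' ' ')"
    rm -rf "$tmp"
fi
```

Install it with --deploy-hook /path/to/verify-and-reload.sh on the certonly command (or in the renewal configuration); Certbot runs it once per renewed lineage, so the names to require can also be derived from RENEWED_DOMAINS if the same hook serves several certificates.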

The rest of this guide sets up automated, plugin-based issuance. Wildcard names can be validated only with DNS-01: Let's Encrypt enforces this, and the CA/Browser Forum Baseline Requirements likewise rule out HTTP-based validation methods for wildcard names. You need:

  • Control over your domain's DNS records, or an API credential that can edit them
  • Python 3.6+ installed
  • Certbot 1.12.0 or newer
  • DNS provider API credentials, scoped as narrowly as the provider allows

1. Install Certbot with DNS plugins

sudo apt-get update
sudo apt-get install certbot python3-certbot-dns-cloudflare

2. Configure DNS provider credentials

Create a credentials file for Cloudflare (example). Prefer an API token restricted to Zone:DNS:Edit on the zones Certbot manages over the global API key, which grants access to the whole account (token support needs a reasonably recent cloudflare Python package alongside the plugin). The file must be readable by root only (chmod 600 /etc/letsencrypt/cloudflare.ini); Certbot warns about unsafe permissions when it is not:

# /etc/letsencrypt/cloudflare.ini
# Preferred: a scoped API token (placeholder value)
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
# Legacy alternative: global API key plus account email (placeholder values)
# dns_cloudflare_email = your@email.com
# dns_cloudflare_api_key = 1234567890abcdef1234567890abcdef

3. Request wildcard certificate

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d '*.example.com' -d example.com

Certbot stores the authenticator, the credentials path and the domains in /etc/letsencrypt/renewal/example.com.conf, so later renewals need none of these flags. The --server line names the default production endpoint and can be omitted; to rehearse without consuming production rate limits, point it at https://acme-staging-v02.api.letsencrypt.org/directory instead. If validation fails because the record was not found, raise --dns-cloudflare-propagation-seconds (default 10) so the plugin waits longer before asking Let's Encrypt to check.
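Steps 1 to 3 as one issuance script, added here as an example that is not the page's or the Certbot project's code. Its point is the check a practitioner wants before the first run: it refuses a credentials file that other local users can read and warns when the file relies on the global API key instead of a scoped token. The option names are the certbot-dns-cloudflare ones used above; the .ini that demo() writes is constructed test input and contains no real secret.

```shell
#!/bin/sh
# Added example (not Certbot's or the page's code): issuance wrapper for the
# Cloudflare plugin that validates the credentials file first. Assumes the
# certbot-dns-cloudflare option names; the demo .ini is constructed input.
set -eu

# Return 0 if the file is readable only by its owner and holds a scoped API
# token; 2 if it is private but relies on the account-wide global API key
# (works, but a leak exposes the whole Cloudflare account); 1 otherwise.
check_credentials() {
    f="$1"
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    # Portable permission check: the first ten columns of ls -l, e.g.
    # "-rw-------". Anything in the group/other positions lets another local
    # user read the key, and Certbot itself warns about such files.
    mode="$(ls -ld "$f" | cut -c1-10)"
    case "$mode" in
        ?rw-------|?r--------) ;;
        *) echo "insecure mode '$mode' on $f (want 0600)" >&2; return 1 ;;
    esac
    if grep -Eq '^dns_cloudflare_api_token[[:space:]]*=' "$f"; then
        return 0
    fi
    if grep -Eq '^dns_cloudflare_api_key[[:space:]]*=' "$f"; then
        echo "warning: $f uses the global API key; prefer a token scoped to Zone:DNS:Edit" >&2
        return 2
    fi
    echo "no Cloudflare credential found in $f" >&2
    return 1
}

# Request <domain> + *.<domain> through the Cloudflare plugin. The propagation
# wait is raised from the plugin's 10 s default because Let's Encrypt queries
# the authoritative servers directly; --deploy-hook is saved in the renewal
# config, so later `certbot renew` runs reuse it.
issue_wildcard() {
    creds="$1" domain="$2"
    rc=0; check_credentials "$creds" || rc=$?
    [ "$rc" -ne 1 ] || return 1
    certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$creds" \
        --dns-cloudflare-propagation-seconds 60 \
        -d "$domain" -d "*.$domain" \
        --email "admin@$domain" --agree-tos --non-interactive \
        --deploy-hook "systemctl reload nginx"
}

# Stand-alone demonstration on a throwaway file (no certbot call is made).
demo() {
    dir="$(mktemp -d)"
    ini="$dir/cloudflare.ini"
    printf 'dns_cloudflare_api_token = 0000000000000000000000000000000000000000\n' > "$ini"
    chmod 644 "$ini"
    check_credentials "$ini" || echo "rejected as expected (rc=$?)"
    chmod 600 "$ini"
    check_credentials "$ini" && echo "accepted after chmod 600"
    rm -rf "$dir"
}

if [ "$#" -eq 2 ]; then
    issue_wildcard "$1" "$2"   # usage: ./issue.sh /etc/letsencrypt/cloudflare.ini example.com
else
    demo
fi
```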

4. Renew and troubleshoot

Because the plugin settings are stored in the renewal configuration, a plain certbot renew (from cron or the systemd timer) is all that is needed. If you want an explicit wrapper, the following is equivalent; repeating the plugin flags is harmless but not required:

#!/bin/bash
certbot renew \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  --deploy-hook "systemctl reload nginx"

If issuance or renewal fails, check that the challenge record is visible from an authoritative server (not just from your resolver's cache) and read the logs:

# Verify DNS propagation against an authoritative nameserver for the zone
dig +short -t txt _acme-challenge.example.com @ns1.example.com

# Check Certbot logs (the unit name differs on snap installs; the file log is written by every install)
journalctl -xe -u certbot
less /var/log/letsencrypt/letsencrypt.log

Certbot supports multiple DNS providers through plugins:

# For AWS Route53
sudo apt-get install python3-certbot-dns-route53

# For DigitalOcean
sudo apt-get install python3-certbot-dns-digitalocean