Configuring SSL for domain and subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy but only makes it harder for us to provide help.

My domain is:

I ran this command: $ sudo certbot -v -i nginx certonly --dns-route53 -d *

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-route53, Installer nginx
Requesting a certificate for *
Performing the following challenges:
dns-01 challenge for
Waiting for verification...
Cleaning up challenges
Reloading nginx server after certificate issuance

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/
Key is saved at: /etc/letsencrypt/live/
This certificate expires on 2023-01-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

If you like Certbot, please consider supporting our work by:

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): reza@www:~$ certbot --version
certbot 1.31.0

Hi there, The issue is I am not sure my configuration is correct. Because I am using and, trying to use a wildcard, I use * in the configuration. Also, I don't know if the SSL certificate is written on the Nginx for each website. Would you please help me with this issue?

Could you please elaborate/explain what your issue is? In your output I'm seeing that your certificate has been created without any issue. In fact, it's probably the SECOND certificate issued already, looking at the -0001 suffix.


I think you should omit certonly from that command. That means to only get a cert and not install it. Yet, you've also said to use the nginx installer with -i switch. I think the nginx plug-in installer will not do anything when certonly is specified.

But, I don't have a system that I can test that exact combo with.


Correct. With the certonly subcommand, the installer will only be used to present the user a list of possible hostnames to get a certificate for and (since a certain version) reload the webserver.

As far as I know, this specific aspect (what an installer does do when using certbot) is not documented in the Certbot user guide, although the Getting certificates (and choosing plugins) section does mention that using certonly means Certbot will NOT install the certificate into the webserver.


Please show the output of:
certbot certificates



Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Serial Number: 3e553d460ea99f61ed91628096b9156fbac
Key Type: RSA
Domains: *
Expiry Date: 2023-01-03 16:42:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Serial Number: 47a96e049db30218918475d30234a17cb36
Key Type: RSA
Expiry Date: 2022-12-09 17:29:05+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

and were created before. I wanted to create a wildcard certificate so that I can have and on the same virtual server.

It probably didn't install the certificate for you.
Nor did it create the corresponding HTTPS vhosts.
We can check the nginx config with the output of:
nginx -T


nginx -T.txt (15.9 KB)

As suspected, the only cert in use covers the names: &

As an example, to create the staging HTTPS vhost you could edit the file:
And make it look like the file:
[which has two vhosts (server blocks) in it]

You would only need to change the HTTPS vhost server names, root, and cert files to match:

        root /var/www/;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

then restart/reload nginx


Thank you, RG305, for your reply.
I have created the SSL certificate for and, but for the future, how can I create a wildcard with Certbot? This way, it will cover all subdomains.
This way, I can point all nginx config certifications to one directory.
Thank you.


It looks like you created one with the command in your first post. Above is the output of certbot certificates display and the "Domains" shows a wildcard. But, your nginx was (and still is) configured to use the non-wildcard you got earlier.

rg305 showed the correct nginx lines to use that wildcard. Have you made those changes?

Also, wildcard certs only cover subdomains - not the apex domain name. Usually with certbot you would specify -d -d * so both are covered.


So -d is a wildcard?
In other words, the domain apex, in this case, acts as a wildcard, and I can use the SSL certification for all subdomains.
Please correct me if I'm wrong.

No, -d * is the wildcard. But it only covers subdomains like:

and so on. It would not work for requests just to the apex like

Generally you specify both on the certbot request as many people like using their apex too


Thank you for the clarification.


I made the suggested changes based on RG305 recommendations and the nginx service is down.
Please see the attached staging configurations and the error.
Errors.txt (11.3 KB)
staging.tangohub.txt (1.6 KB)

2022/10/06 13:51:43 [emerg] 322129#322129: duplicate listen options for [::]:443 in /etc/nginx/sites-enabled/

We should look at that file.


Line 31 is: listen [::]:443 ssl ipv6only=on; # managed by Certbot
www.tangohub.txt (1.6 KB)

I have not changed the configuration. Wondering why now there is an error.

I think the problem might be related to using "ipv6only=on".
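As an added example (not from this thread, and not Certbot's or nginx's own code), here is a small Python checker that does offline what the replies above did by hand: it reads `certbot certificates` output and the server blocks from `nginx -T`, reports which certificate each HTTPS vhost references and whether that certificate's names cover each server_name (a wildcard such as *.example.com covers staging.example.com but not the apex example.com), and flags an address that carries socket-level listen options such as ipv6only=on in more than one server block, which is what makes nginx fail with "duplicate listen options for [::]:443". The certbot output, the nginx config and the example.com names are constructed for the example; the regexes are deliberately minimal and only understand the one-directive-per-line layout Certbot writes.

```python
"""Added example: which cert does each nginx TLS vhost use, does it cover the vhost's
names (wildcard semantics), and which listen address would trip "duplicate listen options"."""
import re

# Constructed in the shape of `certbot certificates` output (not the poster's real output).
CERTBOT_CERTIFICATES = """\
  Certificate Name: example.com
    Domains: example.com www.example.com
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: example.com-0001
    Domains: *.example.com
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
"""

# Constructed in the shape of `nginx -T` server blocks: the www vhost still uses the
# non-wildcard cert, staging uses the wildcard cert but also lists the apex, and both
# blocks put ipv6only=on on the same [::]:443 address.
NGINX_T = """\
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name staging.example.com example.com;
    ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem;
    location / { try_files $uri $uri/ =404; }
}
"""

def parse_certbot_certificates(text):
    """Map each 'Certificate Path' to the names listed under 'Domains'."""
    certs, domains = {}, []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Domains":
            domains = value.split()
        elif key == "Certificate Path":
            certs[value.strip()] = domains
    return certs

def parse_nginx_vhosts(text):
    """Pull listen, server_name and ssl_certificate out of every server {} block."""
    vhosts, pos = [], 0
    while (m := re.search(r"\bserver\s*\{", text[pos:])):
        start = end = pos + m.end()
        depth = 1
        while depth:  # brace-count past nested location {} blocks to the closing brace
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        vhost = {"listen": [], "server_name": [], "ssl_certificate": None}
        for directive, args in re.findall(
                r"^\s*(listen|server_name|ssl_certificate)\s+([^;]+);", text[start:end], re.M):
            if directive == "listen":
                vhost["listen"].append(args.split())      # one token list per listen line
            elif directive == "server_name":
                vhost["server_name"] += args.split()
            else:
                vhost["ssl_certificate"] = args.strip()   # ssl_certificate_key is not matched
        vhosts.append(vhost)
        pos = end
    return vhosts

def covers(san, hostname):
    """Wildcard = exactly one label: *.example.com covers staging.example.com, not example.com."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                                        # ".example.com"
    label = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return bool(label) and "." not in label

# Socket-level listen parameters; nginx accepts them on only one listen per address:port.
SOCKET_OPTIONS = ("ipv6only=", "backlog=", "rcvbuf=", "sndbuf=", "reuseport", "deferred", "bind")

def audit(certs, vhosts):
    """(server_name, cert path, covered?) for every name of every TLS-enabled vhost."""
    findings = []
    for v in vhosts:
        if not any("ssl" in tokens for tokens in v["listen"]):
            continue
        sans = certs.get(v["ssl_certificate"], [])
        for name in v["server_name"]:
            findings.append((name, v["ssl_certificate"], any(covers(s, name) for s in sans)))
    return findings

def duplicate_listen_options(vhosts):
    """Addresses with socket options on more than one listen line: 'duplicate listen options'."""
    count = {}
    for v in vhosts:
        for tokens in v["listen"]:
            if any(t.startswith(SOCKET_OPTIONS) for t in tokens[1:]):
                count[tokens[0]] = count.get(tokens[0], 0) + 1
    return sorted(addr for addr, n in count.items() if n > 1)
```

To run it against a real machine, replace the two constants with the output of `certbot certificates` and `nginx -T`. On the constructed input it reports www.example.com as covered by the first cert, staging.example.com as covered by the wildcard cert, example.com as not covered by the wildcard cert (which is why the reply above asks for `-d example.com -d *.example.com` together), and `[::]:443` as carrying duplicate listen options. The fix for the last finding is to keep `ipv6only=on` on a single `listen [::]:443 ssl ipv6only=on;` line and use plain `listen [::]:443 ssl;` in every other server block, because nginx applies such socket options to the one shared listening socket and refuses to start when they are given more than once for the same address:port.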