Create certificate for domain containing a lot of subdomains


If I have a domain and this domain contains some subdomains like ,,, …
how can I create this cert? Via the command below, right?

certbot certonly -d "*" -d


Hello @amna

That creates a wildcard certificate with two entries - * and

Do you want this, or do you want 10 explicit certificates?

There are different options, with different consequences for how the certificate is used.


Hi @JuergenAuer ,
Thanks a lot for your quick reply. As far as I know one certificate can contain 100 names. I'd like to know how to create a certificate for the main domain so that I can create a certificate for a subdomain as a name under the main domain certificate, not as a new certificate?

Put another way, my question is:

  1. If I want to create a wildcard certificate, should I put all subdomains, or can I put *?
  2. If I should add all subdomains, and I want to add a new subdomain after the first creation, will this be considered a new cert or a sub-cert of the main domain?

  1. You can create a certificate with * and . So you need not list all subdomains in one certificate.

  2. You would need a new certificate with this name.

I am also using a * certificate. It's easy: I can add a new subdomain, and I don't need to create a new certificate.

But: wildcard certificates require ACME v2, available since ~ 03/2018. So check that your certbot is updated. And: dns-01 is required, so you have to add two DNS entries with the same name _acme-challenge, one with the *-hash, one with the hash of


Hi JuergenAuer,
How do I set the DNS entry for * and ? Sorry for my bad question, but in my case every vhost may point to a different IP. For example: located on server1, so in DNS the entry points to server1_IP; located on server2, so in DNS the entry points to server2_IP; located on server3, so in DNS the entry points to server3_IP; located on server4, so in DNS the entry points to server4_IP; located on server5, so in DNS the entry points to server5_IP

and so on …


The IP-addresses of your subdomains are irrelevant.

If you want to get a * + - certificate (with two alternate names), you have to create two TXT entries

with two different values.

Depending on your DNS hoster, you may only create two entries


because the  is added automatically. And the two values - Certbot may show these.

First use the staging system and create a certificate * (without
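The two replies above boil down to one detail of the dns-01 challenge: a wildcard identifier is authorized through its base domain, so `*` and the apex both validate at the same `_acme-challenge` name, each with its own value. The following is an added example, not code from the thread or from certbot: it computes the record name and TXT value exactly as RFC 8555 section 8.4 specifies and then checks a zone's published TXT set against that plan. The account-key thumbprint and the challenge tokens are constructed sample values, not data from a real order.

```python
"""Plan the dns-01 TXT records for a wildcard plus apex certificate.

Added example (RFC 8555 section 8.4), not from the thread. The account-key
thumbprint and the two challenge tokens below are constructed sample values.
"""
import base64
import hashlib
import re

# RFC 8555 8.3: a token must be base64url; reject anything else before it
# gets anywhere near a DNS update.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validation_name(identifier: str) -> str:
    """Owner name of the TXT record.

    A wildcard is authorized via its base domain (RFC 8555 7.1.3), so
    '*.example.com' and 'example.com' both validate at
    '_acme-challenge.example.com'. That is why two values share one name.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.lower().rstrip(".")


def txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 8.4: base64url(SHA-256(token '.' account-key thumbprint))."""
    if not _TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url: %r" % token)
    key_authorization = ("%s.%s" % (token, account_thumbprint)).encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def plan_records(challenges, account_thumbprint):
    """Return {record name: set of TXT values}; challenges is [(identifier, token)]."""
    plan = {}
    for identifier, token in challenges:
        plan.setdefault(validation_name(identifier), set()).add(
            txt_value(token, account_thumbprint))
    return plan


def missing_records(plan, published):
    """Values the zone must still serve; published is {name: set of TXT strings}.

    Extra TXT values under the same name are harmless: the CA looks for any
    matching record, so a stale value from an earlier validation does not
    break the new one.
    """
    missing = {}
    for name, wanted in plan.items():
        gap = wanted - published.get(name, set())
        if gap:
            missing[name] = gap
    return missing


# Constructed sample: one order covering *.example.com and example.com.
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"  # sample, not a real key
SAMPLE_CHALLENGES = [
    ("*.example.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"),  # sample token
    ("example.com", "DGyRejmCefe7v4NfDGDKfA9mTTTfS9O6Sga2JJqZcWI"),    # sample token
]

if __name__ == "__main__":
    plan = plan_records(SAMPLE_CHALLENGES, SAMPLE_THUMBPRINT)
    for name, values in plan.items():
        for value in sorted(values):
            print('%s. IN TXT "%s"' % (name, value))
    # Simulate a zone where only the first of the two records was added.
    partial = {name: {sorted(values)[0]} for name, values in plan.items()}
    print("still missing:", missing_records(plan, partial))
```

Running it prints two TXT lines with the identical owner name `_acme-challenge.example.com` and then reports the one value a half-finished zone edit is still missing; that second check is the one to run (against `dig TXT` output) before telling the client to continue, since the CA will fail whichever of the two authorizations lacks its value.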


Sorry, I didn't get your point. Can you please provide me with an example?


Use your first command, but use the test/staging system. There is a Certbot option to use the test system, but I don't use certbot.


Let me clarify what I understood: I can install a wildcard certificate by one of the options below.
Option 1
git clone
cd ./
./ --install --issue -d * --dns --force (during this step it will show me a message to set a DNS entry; should I set it as below, or should I put the IP of the server? "I can't put a specific IP, as each vhost points to a different IP server"
TXT record _acme-challenge
value : "…" )

Option 2
certbot -d *
dns certonly
(during this step it will show me a message to set a DNS entry; should I set it as below, or should I put the IP of the server? "I can't put a specific IP, as each vhost points to a different IP server"
TXT record _acme-challenge
value : "…" )

Please confirm if this is correct, especially the DNS entry part.


I don't understand this. DNS TXT entries don't use the IP address.

And there is no global way; that depends on your DNS provider. My DNS provider has a menu (grouped by domain).

This creates a valid entry for


Hi @JuergenAuer,
I have used the command below to issue the wildcard certificate and set the TXT DNS entry for this domain:
./ --issue -d * --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Now I want to set up the SSL vhost for each domain, but I am not sure how. As far as I know I should do the following:

  1. Copy the csr, key and chain to server1, server2, server3, … (any servers where I have a vhost with domain *), then configure the SSL vhost file.
    "Should I copy the certificate from the server that I installed it on, or should I install it on all servers?"

Another question, related to renewal:
Can I renew the wildcard certificate via the cron job below?
./ --issue -d * --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew --force


That depends on your server software.

I don’t use and don’t know the options.


No, because it will require manual interaction each time. And you don't want --force in a cron job, as you'll blow through the rate limits pretty quickly.


What do you mean by manual interaction? Do you mean that every time I renew the certificate, I should change the TXT DNS entry?


Every time you renew the certificate, you have to change the TXT entry.

(Unless you have validated the name recently, but then you’d have no reason to renew.)


What @mnordhoff said, and that you'll have to do it manually. And you're (incorrectly, apparently) saying you understand that when you use the "--yes-I-know-dns-manual-mode-enough-go-ahead-please" flag. If you want automatic renewal (which you should), you need to be using a DNS host with a supported API so that the TXT records can be updated by the script.
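The reply above is what the automation looks like in certbot terms: instead of the manual mode, a `--manual-auth-hook` / `--manual-cleanup-hook` pair (or a DNS plugin) publishes and removes the TXT value on each renewal. The following is an added example, not code from the thread, from certbot or from any DNS provider's client. certbot really does export `CERTBOT_DOMAIN`, `CERTBOT_VALIDATION` and `CERTBOT_REMAINING_CHALLENGES` to manual hooks; the `ZoneStore` class is a stand-in for the provider's API (an assumption for this example) whose `publish`/`withdraw` methods you would replace with the real calls. The point it demonstrates is the one that bites on a wildcard plus apex order: the hook is invoked once per name with the same `_acme-challenge` owner, so it must add a value to the TXT set rather than overwrite it, wait for propagation only after the last challenge, and on cleanup remove only its own value.

```python
"""certbot --manual-auth-hook / --manual-cleanup-hook pair for dns-01.

Added example, not from the thread. certbot exports CERTBOT_DOMAIN,
CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES to the hook; ZoneStore is
a stand-in for a DNS provider's API (assumption), persisted to a JSON file.
"""
import json
import os
import sys
import time


class ZoneStore:
    """Minimal stand-in for a DNS API: TXT rrsets keyed by owner name.

    Replace publish()/withdraw() with the provider's calls but keep the
    additive semantics: the wildcard and the apex validate at the same name,
    so a hook that replaces the rrset silently deletes the first value.
    path=None keeps the store in memory only.
    """

    def __init__(self, path=None):
        self.path = path
        self.rrsets = {}
        if path is not None:
            try:
                with open(path) as f:
                    self.rrsets = json.load(f)
            except FileNotFoundError:
                pass

    def publish(self, name, value):
        values = set(self.rrsets.get(name, []))
        values.add(value)
        self.rrsets[name] = sorted(values)
        self._save()

    def withdraw(self, name, value):
        values = set(self.rrsets.get(name, []))
        values.discard(value)
        if values:
            self.rrsets[name] = sorted(values)
        else:
            self.rrsets.pop(name, None)
        self._save()

    def _save(self):
        if self.path is not None:
            with open(self.path, "w") as f:
                json.dump(self.rrsets, f)


def record_name(domain):
    """certbot passes the base domain for a wildcard; strip '*.' defensively."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def auth_hook(env, store, sleep=time.sleep, propagation_delay=30):
    """Publish one validation value; pause for propagation only after the last one."""
    name = record_name(env["CERTBOT_DOMAIN"])
    store.publish(name, env["CERTBOT_VALIDATION"])
    if int(env.get("CERTBOT_REMAINING_CHALLENGES", "0")) == 0:
        sleep(propagation_delay)
    return name


def cleanup_hook(env, store):
    """Remove only this challenge's value, leaving sibling values in place."""
    name = record_name(env["CERTBOT_DOMAIN"])
    store.withdraw(name, env["CERTBOT_VALIDATION"])
    return name


if __name__ == "__main__":
    # Invoked by certbot as the auth hook (no argument) or cleanup hook ("cleanup").
    zone = ZoneStore(os.environ.get("ZONE_STORE", "/tmp/acme-txt.json"))
    if sys.argv[1:] == ["cleanup"]:
        cleanup_hook(os.environ, zone)
    else:
        auth_hook(os.environ, zone)
```

With a real provider behind `ZoneStore`, this is what lets `certbot renew` run unattended from cron: no `--force`, no retyped TXT value, and the renewal only happens when certbot itself decides the certificate is close to expiry.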


Thanks a lot for your reply. So I should enable API calls for the DNS host (I use GoDaddy, "GoDaddy API") and then write a script to change the TXT record automatically?


If you’re using Godaddy for your DNS, you don’t need to write anything; already supports the Godaddy API:

