Getting wildcard certificates with Certbot

If you want to obtain a wildcard certificate using Let’s Encrypt’s new ACMEv2
server, you’ll also need to use one of Certbot’s DNS plugins. Your Certbot version must be at least 0.22.0.

If you’re on CentOS/RHEL 7, Arch Linux, or Fedora 26+, you can install the appropriate Certbot DNS plugin for your DNS provider, as described below. Particular instructions for each provider can be found at If you’re not on one of these distros and want a wildcard certificate ASAP, you have two options: install packages using Docker or use Certbot’s manual plugin.

Docker is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates or configure your webserver, because Certbot’s installer plugins cannot reach your webserver from inside the Docker container.

Alternatively, the manual plugin can be used outside of a Docker image, and therefore interact with webservers to install the certificates, but it cannot be used to automatically renew the certificates.

Either way, for now you’ll need to add the --server flag to specify the new endpoint:


Note: 0.22.0 users should not attempt to use --dry-run or --staging, as these flags tell Certbot to use the ACMEv1 staging endpoint. This was fixed for 0.22.1+.

Option 1: Run Certbot in Docker

We recommend reading the full instructions, available here:

In short, there are Docker images for each of Certbot’s DNS plugins available at which automate doing domain validation over DNS for popular providers.

Information about specific DNS plugins can be found here:

Option 2: Use the manual plugin

You can install the manual plugin using certbot-auto:

chmod a+x certbot-auto

certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically.

Then, the command to use the manual plugin will look something like this:

./certbot-auto certonly --manual -d * -d --preferred-challenges dns-01 --server

Make certain that certbot-auto isn’t being run with --no-self-upgrade, so that the latest version is fetched.


Could be I'm blind, but I'm not seeing any description on how to install the DNS plugins with the mentioned distributions.

Also, with Gentoo it's also childs play to install a DNS plugin for certbot. Only the ebuild(s) aren't available publically. I've made one for the RFC2136 plugin, but can't upload the ebuild at this moment.

Maybe it is interesting to note that you need two TXT DNS records with the same name but different content as noted in: In manual authenticator, explain that earlier challenges shouldn't be replaced by later ones #5729 and Fix requesting a certificate for a wildcard and the base domain in our lexicon plugins #5673, one for * and the other for

Also, you must assure that the key is deployed before continue, for instance with (if you are on GNU/Linux):

host -t txt

After the first challenge you must have one result, and after the second challenge you must have two results.

I had the same thought. Regardless, the actual instructions to install the DNS plugins are in the install page.

Basically, replace certbot in the install command with the DNS plugin you need i.e. certbot-dns-digitalocean for Digitalocean.

That said, this worked better than the instructions listed creating new wildcard certs (Note: this one renews an existing cert called

sudo certbot certonly --cert-name \
	--dns-digitalocean \
	--dns-digitalocean-credentials ~/digitalocean.ini \
	--server \
	-d "*" -d
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.