If you want to obtain a wildcard certificate using Let’s Encrypt’s new ACMEv2 server, you’ll also need to use one of Certbot’s DNS plugins. Your Certbot version must be at least 0.22.0.
If you’re on CentOS/RHEL 7, Arch Linux, or Fedora 26+, you can install the appropriate Certbot DNS plugin for your DNS provider, as described below. Particular instructions for each provider can be found at certbot.eff.org. If you’re not on one of these distros and want a wildcard certificate ASAP, you have two options: install packages using Docker or use Certbot’s manual plugin.
Docker is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates or configure your webserver, because Certbot’s installer plugins cannot reach your webserver from inside the Docker container.
Alternatively, the manual plugin can be used outside of a Docker image, and can therefore interact with webservers to install the certificates, but it cannot be used to automatically renew the certificates.
Either way, for now you’ll need to add the --server flag to specify the new endpoint:
--server https://acme-v02.api.letsencrypt.org/directory
Note: 0.22.0 users should not attempt to use --dry-run or --staging, as these flags tell Certbot to use the ACMEv1 staging endpoint. This was fixed for 0.22.1+.
Option 1: Run Certbot in Docker
We recommend reading the full instructions, available here: https://certbot.eff.org/docs/install.html#running-with-docker
In short, there are Docker images for each of Certbot’s DNS plugins available at https://hub.docker.com/u/certbot which automate doing domain validation over DNS for popular providers.
Information about specific DNS plugins can be found here: https://certbot.eff.org/docs/using.html#dns-plugins
Option 2: Use the manual plugin
You can install the manual plugin using certbot-auto:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically.
Then, the command to use the manual plugin will look something like this:
./certbot-auto certonly --manual -d '*.example.com' -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Make certain that certbot-auto isn’t being run with --no-self-upgrade, so that the latest version is fetched.
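The version requirement and the 0.22.0 caveat about --dry-run and --staging can be checked before a wildcard request is sent. The following is an added example, not part of Certbot or of the original instructions; the function names are hypothetical, the version string is a constructed sample of `certbot --version` output, and versions are assumed to have the form X.Y.Z.

```shell
#!/bin/sh
# Added example: preflight for a wildcard request (function names are hypothetical).
ACME_V2="https://acme-v02.api.letsencrypt.org/directory"

# version_ge A B: true when dotted version A >= B, compared numerically per field
# (so 0.9.0 is correctly treated as older than 0.22.0).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# wildcard_preflight "<certbot --version output>" [certbot args...]
# Returns 0 = ok, 1 = older than 0.22.0, 2 = 0.22.0 with --dry-run/--staging.
wildcard_preflight() {
    ver=${1##* }    # last word of a string such as "certbot 0.22.0"
    shift
    if ! version_ge "$ver" 0.22.0; then
        echo "certbot $ver is too old for wildcards (need 0.22.0+)" >&2
        return 1
    fi
    if [ "$ver" = 0.22.0 ]; then
        for arg in "$@"; do
            case $arg in
                --dry-run|--staging)
                    echo "$arg on 0.22.0 would use the ACMEv1 staging endpoint" >&2
                    return 2 ;;
            esac
        done
    fi
    return 0
}

# wildcard_args DOMAIN: print the manual-plugin arguments, one per line.
# The wildcard name is built inside quotes, so the shell never globs it.
wildcard_args() {
    printf '%s\n' certonly --manual -d "*.$1" -d "$1" \
        --preferred-challenges dns-01 --server "$ACME_V2"
}

# Constructed sample input; a real run would pass "$(certbot --version 2>&1)".
wildcard_preflight "certbot 0.22.0" certonly --manual --staging \
    || echo "preflight exit: $?"
```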