How to issue ACMEv2 Wildcard with Certbot 0.22.0?

Well, Cloudflare provides DNS hosting at no cost, and has a well-supported API. So much for that argument.

You can get example.com-0001 if you request a certificate with overlapping domain name coverage under some circumstances. Most of the time this behavior is not quite what people wanted and maybe we should have been more cautious about it. (Most often, it occurs if you request a new certificate that lacks coverage for at least one name that was part of the prior certificate, without specifying via --cert-name that the new certificate is meant as a replacement for the previous one.)

Normally, renewals will cause new files to be saved in /etc/letsencrypt/archive/example.com and the symbolic links in /etc/letsencrypt/live/example.com to be updated to point to those files. So, if you use the names in /etc/letsencrypt/live in your server configuration, you won't have to change that configuration in response to the renewal. The original file names and paths will point to the versions corresponding to the renewed certificate.

Revoking it shouldn't have been necessary. Deleting it... also shouldn't be necessary, but may be convenient.

Thanks. That makes a lot of sense. For our staging/testing it's not a big issue, and we have documented it in our doc area. Good knowledge as we deploy to production…

Thanks for the reply and explanation

Not sure why I got the error; it only appeared to work after we removed...! May have done something that did not make it work the first time. That's why we are testing on our staging site.
Thanks for the reply

Amazing!!
It’s so easy man :)
Just one note: when you issue a wildcard cert
sudo ./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.musicdemons.com -d musicdemons.com
First write the wildcard and next the base domain. You HAVE to write the base domain as well, otherwise the base domain will error.
If you switch them, all domains/subdomains will work, but the web browser will only display the base domain on the certificate.
First wildcard, next base-domain will display it correctly *.musicdemons.com

I hope that other certificate authorities will now realise they’ve been filling their pockets for many years and will now have a very hard time keeping their heads up.

May Let’s Encrypt live long. Thanks for this amazing initiative.

I just have one question concerning renewal. Will we have to issue
certbot-auto or certbot-auto renew
again each 3 months? (not that it’s much of a hassle, but just for information…)

You’ll have to renew the certificate every three months. Normally we recommend that you run certbot-auto renew twice a day, every day, from a cron job. certbot renew only tries to renew certificates that are less than 30 days from expiry, so most of the time it will take no action at all.

However, certbot-auto renew is unable to renew certificates that were issued with --manual because those require manual intervention in order to renew. So, you should re-run the complete certonly command again (or investigate a way to automate the issuance process with a DNS authenticator plugin or authentication hook script).

4 posts were split to a new topic: DNS-01 Wildcard Policy Feedback

For the new wildcard domain support… I do something like:

$cmd = "/opt/certbot/certbot-auto --server {$SERVER}
--cert-name {$domain}
-d *.{$domain}
-d {$domain}
--email {$email}
--preferred-challenges dns-01
--keep-until-expiring
--reinstall
--agree-tos
--manual
--manual-public-ip-logging-ok
--manual-auth-hook my_authhook.sh
certonly";

to get my certs. This is in a script and there is no user input required.

I end up with ( on testing )

Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:

  • The dry run was successful.

Prior to doing the wildcard txt stuff. I would renew my domains using something like:
$cmd = "/opt/certbot/certbot-auto renew";

and it would renew all of the certs from my /etc/letsencrypt directory.

Since I am doing the wildcard txt entries now with:
--manual
--manual-public-ip-logging-ok
--manual-auth-hook my_authhook.sh

can I still do

certbot-auto renew

or can I / should I do

certbot-auto
--manual
--manual-public-ip-logging-ok
--manual-auth-hook my_authhook.sh
renew

to still do everything automatically? I have 100+ domains and don’t want to have to do anything manually.

Thanks - jack

@jacksnodgrass When you’re using --manual-auth-hook, you can use “certbot-auto renew”. The manual auth hook command is remembered in the renewal configuration file and will be executed (non-interactively) when it’s renewing.

Thanks for the info. That is excellent news.

Don’t want to hijack the thread and I think this question is mostly related… there is a cleanup hook:
--manual-cleanup-hook

Are we supposed to use this to REMOVE / DELETE the DNS TXT records that we add to verify the domain with this hook? I assume so… but want to double check. I don't want to validate the wildcard cert and then remove the DNS TXT keys that it used and have my cert invalidated.

Some sites ( google ) that have you add DNS TXT records want them to stay around. Just making sure that the Letsencrypt auth records can be removed when the script completes.

Thanks - jack

Yes, once you issue the certificate you are free to remove the TXT records. You’ll need to create new records when you renew with different values, of course, but Let’s Encrypt only checks during issuance.

It’s a good idea to remove them or else some future renewal may fail because the query response (containing all of the historic text records used for previous challenges) is too large.

Let’s Encrypt only checks these at the time of issuance and the expected values for future issuance are always different.
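As an added illustration of the auth-hook renewal answer above and of this cleanup answer (example code, not from any poster or from Certbot itself): one POSIX shell script that serves as both --manual-auth-hook and --manual-cleanup-hook, publishing the TXT record with nsupdate (RFC 2136) and removing only that record afterwards. The nameserver, TSIG key path and TTL are assumptions; Certbot's exported CERTBOT_DOMAIN and CERTBOT_VALIDATION variables are real.

```shell
#!/bin/sh
# Added example (not from the thread): one script usable as both
# --manual-auth-hook "acme-hook.sh auth" and --manual-cleanup-hook "acme-hook.sh cleanup".
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the record is
# published with nsupdate. Server, key file and TTL are assumptions for this example.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.net}"              # assumed authoritative server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"   # assumed TSIG key file
TTL=60

# TXT record name for a domain. A leading "*." is dropped: *.example.com and
# example.com are both validated at _acme-challenge.example.com.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# nsupdate commands to add or delete ONE TXT record (verb is "add" or "delete").
# Deleting by value matters: a wildcard plus base-domain request creates two
# records under the same name, and the second challenge still needs its own.
acme_update_script() {
    name=$(acme_record_name "$1")
    if [ "$2" = add ]; then
        printf 'server %s\nupdate add %s %s TXT "%s"\nsend\n' "$DNS_SERVER" "$name" "$TTL" "$3"
    else
        printf 'server %s\nupdate delete %s TXT "%s"\nsend\n' "$DNS_SERVER" "$name" "$3"
    fi
}

# Poll the authoritative server until the value is visible, so Certbot does not
# query before the record exists. Returns non-zero after ~60 seconds.
wait_for_txt() {
    name=$(acme_record_name "$1"); tries=0
    until dig +short "@$DNS_SERVER" TXT "$name" | grep -qF "\"$2\""; do
        tries=$((tries + 1))
        [ "$tries" -lt 20 ] || return 1
        sleep 3
    done
}

case "${1:-}" in
    auth)
        acme_update_script "$CERTBOT_DOMAIN" add "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
        wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        # Remove this challenge's record so stale TXT entries do not accumulate.
        acme_update_script "$CERTBOT_DOMAIN" delete "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
        ;;
esac
```

Because the hook path is stored in the renewal configuration, "certbot-auto renew" re-runs both hooks unattended at each renewal.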

Works for me! perfect, thanks for your help.

How to renew this certificate?

Unfortunately, certbot renew doesn’t work with manual mode. To obtain a renewed certificate, just rerun the command you used to issue the certificate in the first place, and select the “replace existing certificate” option if asked.

Can you provide multiple domains with -d while creating a wildcard cert or should it be one wildcard cert per domain?

Let’s Encrypt certificates can have 1 to 100 names. They can be wildcards or not wildcards in any combination.
