Migrating from subdomain individual certs to a wildcard cert for primary domain

I pretty much understand how to use letsencrypt with certbot to request new subdomains for my primary (I have two active certs and they are being used successfully in nginx), but I'm a bit fuzzy on how to convert from those to a wildcard cert for my domain using certbot.

Can anybody point to some instructions? I want to be able to easily fall back to my current configuration without screwing up what certbot has done successfully up to this point.

I truly appreciate any assistance!

I should have done a wildcard cert to begin with.....

thanks!

1 Like

Welcome @Danathar

The Certbot docs have good info about using a DNS plug-in for a wildcard cert.

Are you sure a wildcard is needed? A single cert can have up to 100 domain names in it. Is it not workable to just add some more domain names to your existing certs?

4 Likes

Maybe there is something I don't fundamentally understand then (likely!)

So here is my current setup.

I requested and installed two certs:

foo1.mydomain.com
foo2.mydomain.com

My NGINX server has sites enabled for both of those domains, and I requested individual certs for each of those sites. So I can point my browser to https://foo1.mydomain.com or https://foo2.mydomain.com.

I'd like to add foo3.mydomain.com and foo4.mydomain.com but it seems rather inefficient to keep requesting certbot to pull even more certs. Not that I couldn't manage that, certbot does a great job at keeping them up to date and renewing them, but I can see myself going down a road where I'm requesting a new cert for even more sites I configured.

I thought what I needed to do is request one wildcard for mydomain.com then I could have as many sites as I wanted without new certs for each site.

Yes, if you plan to have many subdomains that frequently change a wildcard might be easier.

But, it's not a problem to continue doing what you are. If you have a large number of subdomains (like 50 say) you need to beware of Let's Encrypt rate limits. This is usually a concern only for hosting sites or large integrators though.

4 Likes

Yea, I can still continue what I am doing, but I'd like to know how I would do it. Seems like the migration could be complicated in that I don't quite know what certbot would do if I requested a wildcard cert on top of my certs right now?

On the rate limiting thing, nah...it's just my own personal web server that is private to me only, but I have different domains for different things I access as they are reverse proxies for things like Apache Guacamole or wetty or just serving up plain txt pages (my own notes for stuff).

A DNS challenge just gets a new cert. You would then manually configure nginx for a new ssl server block and the new cert (and point your existing ones to the new cert). You have some working server blocks so those could serve as a template for the new ones. If you used the nginx plug-in to get existing certs you may be able to use that for just the install. See the certbot docs for that too.

The biggest issue is whether your DNS provider has an API access supported by certbot. See the link I provided earlier. You could also move your DNS to a supported provider.

And, yes, this can be complicated. Only you can determine whether this extra effort is worth it. It doesn't sound like it to me but you are the one doing the work :slight_smile:

3 Likes

Yea, I thought as much. I use Gandi DNS, so they probably would. They are a huge DNS provider.

There shouldn't be any issue with me replicating my server into a VM and attempting it. If I screw it up I can always fall back to my production server.

You are right though, from a purely "work" perspective it's not worth it, but of course I have an interest in understanding the process and possibly posting it to the web as a page for some poor soul like myself looking for an answer.

I've solved so many problems not re-inventing the wheel and by stumbling across some random blog that explained how somebody else did it. Gotta contribute back to the universe of knowledge :slight_smile:

1 Like

The current certs would NOT be affected by obtaining a new one (even if it is a wildcard that can cover all the existing names).
[one cert has nothing to do with the other]

That said, you'd have to reinstruct the current HTTPS server blocks to use the wildcard cert [manually].
After that, you only need to renew the single cert [you can delete the others].
On any new subdomains, you should also manually create the HTTPS server block and use the existing wildcard [you can use any of the working blocks as a template to save time].

3 Likes
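The migration described in the two replies above (obtain the wildcard cert with a DNS challenge, then manually repoint each existing HTTPS server block at it while keeping a way back to the per-site certs), as an added shell example that is not from this thread; the domain, file paths, sample server block and certbot invocation are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the wildcard cert was
# already obtained with a DNS challenge, for instance:
#   certbot certonly --manual --preferred-challenges dns \
#       -d mydomain.com -d '*.mydomain.com'
# which Certbot stores under /etc/letsencrypt/live/mydomain.com/.
# Everything below repoints existing HTTPS server blocks at that
# directory while keeping a .bak copy of each file for fallback.
# Domain, file names and paths are illustrative assumptions.

WILDCARD_DIR="/etc/letsencrypt/live/mydomain.com"

# Constructed sample of a per-site server block such as foo1.mydomain.com
# (stands in for a file under /etc/nginx/sites-enabled/).
make_sample() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name foo1.mydomain.com;
    ssl_certificate /etc/letsencrypt/live/foo1.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo1.mydomain.com/privkey.pem;
    location / { proxy_pass http://127.0.0.1:8080; }
}
EOF
}

# Rewrite only the ssl_certificate / ssl_certificate_key directives of one
# server block to the wildcard cert. Prints how many lines now reference it.
point_to_wildcard() {
  f="$1"
  cp -p "$f" "$f.bak" || return 1              # fallback copy
  sed -e "s|^\([[:space:]]*ssl_certificate[[:space:]][[:space:]]*\).*;|\1${WILDCARD_DIR}/fullchain.pem;|" \
      -e "s|^\([[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\).*;|\1${WILDCARD_DIR}/privkey.pem;|" \
      "$f.bak" > "$f"
  grep -c "${WILDCARD_DIR}/" "$f"
}

# Put the original per-site cert paths back (the fallback the poster wants).
restore_fallback() {
  mv "$1.bak" "$1"
}

# Typical use (test the config before reloading; once everything serves from
# the wildcard, the old certs can go with `certbot delete --cert-name foo1.mydomain.com`):
#   for f in /etc/nginx/sites-enabled/*; do point_to_wildcard "$f"; done
#   nginx -t && systemctl reload nginx
```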

There is not a Gandi plug-in included with the Certbot package. But, there is one by a 3rd party described in this list. I can't vouch for it so take care. There are several other clever ways to use DNS challenges.

Another ACME client, acme.sh, has many more DNS plug-ins. Its Gandi plug-in code is visible in their GitHub.

I applaud your desire to contribute. I've often found random blogs for key clues. Best of luck.

3 Likes

Thanks for the certbot plugin, I'll take a look!

2 Likes
