Upgrading to use wildcard domains for existing subdomains


I would like to upgrade to using wildcard subdomains. I already have certbot-auto (0.22) and am running Ubuntu 16.04.4 LTS.

I currently have letsencrypt certs for domain and subdomains. Eg.:


What is the best method to convert from certs using specific subdomains to a wildcard subdomain?

You’ll just need to issue a new certificate covering mydomain.com and *.mydomain.com. This may be slightly different than how you first issued your current certificate, as wildcards require the use of dns-01 authorization, as opposed to http-01.

I’m moving this to ‘help’ instead of ‘issuance tech’ - could you elaborate on your setup and how you initially issued your certificate?


Initially I used this procedure https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

Then I updated to certbot-auto 0.22, added the new domains/subdomains to /etc/apache2/sites-available/mydomain.com-le-ssl.conf, and ran this:
$ sudo ./certbot-auto --expand --apache

So just wondering what to do now that wildcards are supported. Do I need to revoke/delete the subdomain certs and redo with just mydomain and *.mydomain and manually update apache conf files?

And do I still need a DNS A and CNAME record for each subdomain? Or can I add a wildcard in DNS?

Here is a sample of what my DNS looks like:

A mydomain.com
CNAME www.mydomain.com

CNAME *.sub1.mydomain.com
A sub1.mydomain.com

CNAME *.sub2.mydomain.com
A sub2.mydomain.com

I finally did this.

Create wildcard and main domain cert

$ sudo ./certbot-auto certonly  \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d mydomain.com -d *.mydomain.com

You will be asked to enter 2 challenges in your DNS as type TXT. Verify each one with the following command in a different terminal before continuing.

$ nslookup -type=TXT _acme-challenge.mydomain.com

When done, you will be told where your certs are. Either point your SSL conf files to that folder, or (as in my case) rename the old mydomain.com folder and create a symbolic link in that same folder called mydomain.com:

$ ln -s   /etc/letsencrypt/live/mydomain.com-0001 \

Nothing to restart unless you change your apache conf files.
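As an added example (not code from this thread), here is a small POSIX shell script that automates the verification step above: it polls a public resolver until both TXT values that certbot asks for are visible under _acme-challenge.mydomain.com, since the apex name and the wildcard name are both validated against that same record name, and a validation attempted before the records have propagated will fail. The resolver address, attempt count and poll interval are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: wait until the TXT values
# requested by "certbot-auto --manual --preferred-challenges dns" are served
# by a public resolver before telling certbot to continue.
# Assumptions: nslookup is installed; RESOLVER (default 1.1.1.1, a placeholder,
# any public resolver works) is reachable; ATTEMPTS/INTERVAL are arbitrary.

RESOLVER="${RESOLVER:-1.1.1.1}"
ATTEMPTS="${ATTEMPTS:-30}"
INTERVAL="${INTERVAL:-10}"

# Pull the quoted TXT strings out of nslookup output, which prints lines such as:
#   _acme-challenge.mydomain.com    text = "value"
parse_txt_values() {
    sed -n 's/.*text = "\(.*\)"$/\1/p'
}

# Succeed (exit 0) only if every expected value ($2..$n) appears, as a whole
# string, among the TXT values in the nslookup output passed as $1.
txt_has_all() {
    out="$1"; shift
    for want in "$@"; do
        printf '%s\n' "$out" | parse_txt_values | grep -qxF -- "$want" || return 1
    done
    return 0
}

# Poll the resolver for NAME ($1) until all expected values ($2..$n) are
# visible, or give up after ATTEMPTS tries.
wait_for_challenges() {
    name="$1"; shift
    i=0
    while [ "$i" -lt "$ATTEMPTS" ]; do
        out="$(nslookup -type=TXT "$name" "$RESOLVER" 2>/dev/null)"
        if txt_has_all "$out" "$@"; then
            echo "all expected TXT values are visible for $name"
            return 0
        fi
        i=$((i + 1))
        sleep "$INTERVAL"
    done
    echo "gave up: expected TXT values not visible for $name" >&2
    return 1
}

# Usage (run in a second terminal while certbot waits at its prompt):
#   wait_for_challenges _acme-challenge.mydomain.com "<value1>" "<value2>"
```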

