Wildcard certificate using webroot certbot?

We are using one account on each server.

When we get first certificate on the server we use command:
certbot certonly --webroot -w /var/www/sslcert/domain1.com/ -d domain1.com -d www.domain1.com --email my.email@masterdomain.com --agree-tos

On same server, for next domains we use command:
certbot certonly --webroot -w /var/www/sslcert/domain2.com/ -d domain2.com -d www.domain2.com

and so on…
certbot certonly --webroot -w /var/www/sslcert/domain3.com/ -d domain3.com -d www.domain3.com

In nginx config , for each domain we have of course link to .wel-known:
server {
# more settings ....
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/sslcert/domain1.com/;

For renew certificate we use cron:
30 4 * * * certbot renew --quiet --renew-hook 'systemctl reload nginx'

This works just perfect, but question is how to get wildcard certificate for each domain?
Is the below scenario the correct way?

First certificate on the server do we use below command?
certbot certonly --webroot -w /var/www/sslcert/domain1.com/ -d domain1.com -d *.domain1.com --email my.email@masterdomain.com --agree-tos

On same server, for next domain do we use below command?
certbot certonly --webroot -w /var/www/sslcert/domain2.com/ -d domain2.com -d *.domain2.com

Is the above the correct way?

Wildcard certificates can only be attained using DNS validation. This is a policy decision by Let’s Encrypt.


Ok, this is no problem for me because all domains we have are our property, but how to do it?
Do we need to add txt record? what txt record?

Well, the specific invocation will depend on what DNS provider you use, and what mechanism/DNS plugin you use to perform the automatic DNS changes.

However, if you want to manually setup the TXT records, you may do that using:

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
--manual -d domain3.com -d "*.domain3.com"

ok, and after that? will certbot generate a txt record for each domain that we need to add into domain registrar? And after that what else do we need to do ?

Yes, Certbot will ask you to do something along the lines of:

Please deploy a DNS TXT record under the name
_acme-challenge.domain3.com with the following value:


Before continuing, verify the record is deployed.

Once for the main domain, and once for the wildcard.

After you verify that these records are active, you can continue, and then Certbot will generate your certificate.

Keep in mind that the records change between renewals, so if you wish for this to be automated, you need to use either a DNS plugin or a script that updates your DNS records automatically.

1 Like

:man_facepalming: Thanks @_az for the help
Some registrars that have api option take some time to propagate dns modification. So simplest and fastest way is to get cert for each domain and subdomain separately.

1 Like

You’re right, avoiding wildcards is ideal.

Regarding the propagation delay, people often have “sleeps” in their scripts to deal with that problem. There was another post on here where Linode had upto 20 minute delays on their DNS batch updates, so the user put a 20 minute delay in their Certbot script, and it worked out OK.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.