Wildcard Domain Step-By-Step


I just used Let’s Encrypt and Certbot to enable HTTPS on my website. I have a VPS and I’d like to make a certificate for a wildcard domain. I searched the forums and found several sources of information [1][2][3][5].
I couldn’t replicate the results in [3] because Debian Stretch’s certbot package is too old I think. The list of clients page [4] is extensive and intimidating. How do I setup wildcard domains? Do I need to install certbot-auto from source code as alluded in [3]? A step-by-step guide would be helpful.

[1] “Does Let’s Encrypt issue wildcard certificates?” https://letsencrypt.org/docs/faq/
[2] ACME v2 Production Environment & Wildcards
[3] Upgrading to use wildcard domains existing subdomains
[4] https://letsencrypt.org/docs/client-options/
[5] https://certbot.eff.org/faq/#will-let-s-encrypt-issue-wildcard-certificates
P.S. Seems I can’t make hyperlinks because I’ve got no street cred


Hi @coder0xff,

Let me ask you 2 questions.

1.- Do you really need a wildcard certificate for your domain?

2.- Does your DNS provider have some kind of API to update TXT records for your domain so you could automate the process to get a wildcard cert?.



Hi sahsanu,
My subdomains are going to be arbitrary, and they should all be secure. I’m able to update DNS records as needed, so I can do the DNS-01 challenge.



Do you plan to do it manually or you could use a script to automate the process?. I mean, depending on the answer you could use certbot-auto or use another client like acme.sh.

Right now, the package for Debian Stretch is 0.10.2, if you want a package with a recent version you should install it using stretch-backports but the package offered is version 0.21.1 and you need version 0.22.0 or above to be able to issue a wildcard cert so I would install certbot-auto and you will get always the last version.

To get a wildcard certificate using certbot-auto and manually add the TXT records:

certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'yourdomain.tld,*.yourdomain.tld'

Edit: I forgot to add the server for acme v2 (with version 0.23.0 you won’t need to add this parameter)

Note: you will receive info to add the required TXT records to validate your domain, keep in mind that in the above command the cert will cover yourdomain.tld and *.yourdomain.tld (if you don’t want yourdomain.tld, simply remove it from the command -d '*.yourdomain.tld'.

Note2: with this method, you won’t be able to renew the certificate automatically so you will need to renew it manually.

If you can provide a script to add the txt records and delete them once validated:

certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns --manual-auth-hook "/path/to/hook-script.sh" --manual-cleanup-hook "/path/to/hook-clean-script.sh" -d 'yourdomain.tld,*.yourdomain.tld'

Edit: I forgot to add the server for acme v2 (with version 0.23.0 you won’t need to add this parameter)

Note: with this method you will be able to renew the cert automatically.

If you don’t have your own script, maybe the API used by your DNS provider is covered by lexicon (Manipulate DNS records on various DNS providers in a standardized/agnostic way.) you can use this wonderful guide created by @_az to use lexicon with certbot-auto to automate the process.

As I said, acme.sh has a ton of DNS providers included to automate the process, take a look to its site and you will see the DNS providers included and examples to issue wildcard certificates.

I hope this helps.



Just a quick warning:

Depending on your DNS provider, it can be incredibly dangerous to automate certbot/LetsEncrypt renewal via DNS-01 challenges, as the auth token must be available in plaintext and most providers offer too much control via their APIs. A compromised machine could result in all host records being changed, or (with some providers) a change in domain registrant details or even an outright domain transfer.

Ways to mitigate this are:

  • do not store the auth token, and trigger the renewal manually
  • run the renewal on a machine that is not on the public internet, and sftp/scp the certificates onto your server
  • run an instance of acme-dns, delegate your _acme-challenge to it, and automate the process with that.


It’s important to install and use certbot-auto v0.22 or later. https://certbot.eff.org/lets-encrypt/debianstretch-apache. Are you sure it’s not installed?

Login to your user and try this.

./certbot-auto --help all

If not check out this page:


If you want a one-command way to grab and renew, built for the novice needing a wildcard, you might want to try this:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.