Wildcard Domain Step-By-Step

@coder0xff

Do you plan to do it manually, or could you use a script to automate the process? I mean, depending on the answer you could use certbot-auto or another client like acme.sh.

Right now, the package for Debian Stretch is 0.10.2. If you want a package with a more recent version you should install it using stretch-backports, but the package offered there is version 0.21.1, and you need version 0.22.0 or above to be able to issue a wildcard cert, so I would install certbot-auto and you will always get the latest version.

To get a wildcard certificate using certbot-auto and manually add the TXT records:

certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'yourdomain.tld,*.yourdomain.tld'

Edit: I forgot to add the server for acme v2 (with version 0.23.0 you won't need to add this parameter)

Note: you will receive info to add the required TXT records to validate your domain. Keep in mind that with the above command the cert will cover yourdomain.tld and *.yourdomain.tld (if you don't want yourdomain.tld, simply remove it from the command: -d '*.yourdomain.tld').

Note 2: with this method you won't be able to renew the certificate automatically, so you will need to renew it manually.

If you can provide a script to add the TXT records and delete them once validated:

certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns --manual-auth-hook "/path/to/hook-script.sh" --manual-cleanup-hook "/path/to/hook-clean-script.sh" -d 'yourdomain.tld,*.yourdomain.tld'

Edit: I forgot to add the server for acme v2 (with version 0.23.0 you won't need to add this parameter)

Note: with this method you will be able to renew the cert automatically.

If you don't have your own script, maybe the API used by your DNS provider is covered by lexicon (manipulate DNS records on various DNS providers in a standardized/agnostic way). In that case you can use this wonderful guide created by @_az to use lexicon with certbot-auto to automate the process.

As I said, acme.sh has a ton of DNS providers included to automate the process. Take a look at its site and you will see the DNS providers included and examples for issuing wildcard certificates.

I hope this helps.

Cheers,
sahsanu

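A worked example of the auth/cleanup hook pair that the second command above expects, added here as an illustration; it is not part of sahsanu's post and not certbot's own code. It relies on the environment variables certbot exports to manual hooks (CERTBOT_DOMAIN and CERTBOT_VALIDATION for the auth hook, plus CERTBOT_AUTH_OUTPUT for the cleanup hook). The DNS provider is stood in for by a constructed flat file named in ZONE_FILE, and add_txt_record / delete_txt_record are hypothetical functions you would replace with your provider's API calls. One point worth seeing in code: yourdomain.tld and *.yourdomain.tld validate against the same _acme-challenge.yourdomain.tld name, so two TXT records with different values must coexist, and cleanup has to remove only its own value rather than every record at that name.

```shell
#!/bin/sh
# Example certbot --manual-auth-hook / --manual-cleanup-hook pair for the DNS-01 challenge.
# Added illustration, not code from the original post or from certbot.
# Invoke as "hook.sh auth" and "hook.sh cleanup" from the two certbot options.
# ZONE_FILE is a constructed stand-in for a real DNS provider (one "name TXT value" line per record).

ZONE_FILE="${ZONE_FILE:-/tmp/fake-zone.txt}"

# The TXT name ACME looks up; a leading "*." is dropped, so the wildcard and the
# base domain share one _acme-challenge name.
acme_txt_name() {
    _d="${1#\*.}"
    printf '_acme-challenge.%s\n' "$_d"
}

# Hypothetical provider call: publish one TXT record ($1 = name, $2 = value).
add_txt_record() {
    printf '%s TXT "%s"\n' "$1" "$2" >> "$ZONE_FILE"
}

# Hypothetical provider call: delete exactly one name/value pair, leaving any
# sibling record for the same name (the other half of a base+wildcard order) in place.
delete_txt_record() {
    _tmp="${ZONE_FILE}.tmp"
    grep -v -F -x "$1 TXT \"$2\"" "$ZONE_FILE" > "$_tmp" || true
    mv "$_tmp" "$ZONE_FILE"
}

# Auth hook: certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling it.
auth_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    add_txt_record "$name" "$CERTBOT_VALIDATION"
    # With a real provider, poll the authoritative nameservers here (for example
    # `dig +short TXT "$name"`) until the value is visible before returning;
    # returning early is the usual cause of a failed DNS-01 validation.
    echo "$name"   # whatever is printed reaches the cleanup hook as CERTBOT_AUTH_OUTPUT
}

# Cleanup hook: called after validation with the same CERTBOT_DOMAIN / CERTBOT_VALIDATION.
cleanup_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    delete_txt_record "$name" "$CERTBOT_VALIDATION"
}

# Check helper: number of challenge records currently published for a domain.
# Useful after a run to confirm nothing was left behind.
count_txt_records() {
    name=$(acme_txt_name "$1")
    [ -f "$ZONE_FILE" ] || { echo 0; return; }
    grep -c -F "$name TXT" "$ZONE_FILE" || true
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Point both certbot options at the same file ("/path/to/hook.sh auth" and "/path/to/hook.sh cleanup") and set ZONE_FILE, or swap the two record functions for your provider's API. After a successful run, count_txt_records for the domain should be back to 0; a leftover record is harmless for security but will accumulate across renewals and can push some providers over their record limits.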