Certbot WildCard SSL Cert

This how-to is specific for grabbing a wildcard certificate for your domain using Certbot and Letsencrypt, with Certbot’s dns system. Specifically using their manual system.

It is fairly difficult to find an all-in-one how-to for getting a wildcard cert manually using Certbot.


Depending on the route you’d like to take, there’s plenty of ways to install Certbot for use. Even the installer script listed on their site is self-updating and, obviously, the most up-to-date way to use it.

I, currently, am using the Stretch-Backports installation route rather than downloading the binary directly. Installation through the apt system sets up a few behind-the-scenes steps for automating your renewal.

Debian Stretch

sudo apt-get install python-certbot-nginx -t stretch-backports

This will install Certbot, along with the nginx plugins through python, along with the manual DNS flag that we’re planning on using here.


if you want to use the automated DNS plugins, Certbot suggests you use their docker containers.


Most everything online will give you stupidly long command lines with a TON of flags and what not. I’d much rather use a nice configuration file!

# This `cli.ini` is for manually getting a wildcard cert
preferred-challenges = dns
cert-name = jpcdi.com
rsa-key-size = 4096
email = email@address.com
logs-dir = /etc/letsencrypt/logs/
# Use the ACME v2 staging URI for testing things
#server = https://acme-staging-v02.api.letsencrypt.org/directory
# Production ACME v2 API endpoint
server = https://acme-v02.api.letsencrypt.org/directory
domains = *.jpcdi.com, jpcdi.com

So, to break all that down:

Break Down

  1. manual - means to run with the --manual flag that you will see in a ton of commands online
  2. preferred-challenges - This is the challenge you’re wanting certbot to use, which for this how to is dns
  3. cert-name - This is specifically referencing the SSL Certs name for the Directories themselves. If you don’t pick a name here, you’ll end up with A TON of directories, with a ton of numbers and names. (Unless you want that, of course. This helps with automation)
  4. rsa-key-size - is just what it says, how big you want your key to be. 2048 or 4096, with 2048 being the default.
  5. email - this is an administrative need, to stop the program from asking interactively to give them your email and what not
  6. logs-dir - your logs directory
  7. keep-until-expiring - Makes sure to not create a bunch of duplicate certs
  8. expand - if a prior certificate already existed with one of your requested addresses, rather than overwriting that cert, it expands it with the new names you’ve requested to add.
  9. server - This one is more specific to our DNS address requesting, as a way to make sure we are getting a wildcard certificate. They are only available through the V2 Acme Protocol, so you have to specify the address to use. I’ve included the testing address as well, if you want to run certbot a bunch of times and not let it count against your weekly alotment.
  10. domains - This is where you include the domain addresses you want to use. Make sure you don’t JUST include the wildcard, but the root of the domain as well.

Running Certbot

When you use the manual DNS system, it will give you an address and TXT record that you’ll need to add to your main DNS Server’s addressing. It’ll be a good idea to make sure you’re logged into their website, or have the configuration pulled up to where you can make the addition and have it propogate out.

Luckily, the system is good and patient, willing to wait for you to take a while to get that TXT record setup.