Letsencrypt Wildcard SSL Certificates

Free Wildcard SSL Certificates for websites

In this article, we will discuss about getting wildcard SSL certificates from LetsEncrypt (sponsored by EFF, Mozilla, Google and a lot of other companies).

LetsEncrypt issues two kinds of certificate: Wildcard domain certificate and a simple (single domain) certificate.

The setup differs little for both of these certificates, like a simple certificate requires HTTP based file authentication and a wildcard certificate requires a TXT record based authentication.

There are many clients which offer GUI for generating certificates, but lack the verbosity of the terminal. And some end up giving you PFX format which you need to convert to PEM format before using. Here, we will go the terminal way.

Here, it is assumed that you do not have shell access and the instructions are made for using the Certbot ACME client in manual mode (obtaining certificate on a machine other than the target webserver). So, let's begin!

The first thing you would need is access to terminal. Then you will need to install OpenSSL and Certbot.

After both tools are installed, you can run:

sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'

You can note from the above line that, you will need to enter both your naked root domain and a wildcard domain for your certificate to work on naked root domain (or else it will work only with sub-domains). Also, the *.example.com has been given in quotes to avoid the conflict of it being recognized by your terminal for some command.

The above method can also be used to acquire certificates for sub-domains which are pointed to private IP addresses like internal organization websites. To do that, use the sub-domain names in the above entries and proceed for dns based validation.

After entering this command, you will be asked for a valid email address for registering an account with the ACME server and agree to terms of service (if you have not done already).

Note: You can skip email address for getting a certificate using --register-unsafely-without-email option, but you will then be unable to receive notice about impending expiration or revocation of your certificates or problems with your Certbot installation that will lead to failure to renew.

You may be asked to sign up for receiving email newsletters from EFF.

After sign up is complete (a one time process for each machine), the certbot will try to perform the challenges. As the command above has chosen manual mode, you will be asked to add dns TXT records with instructions of same.

Now, for wildcard certificates, the output will be something like:

Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:


Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

After this you will have to add the DNS TXT record to your domain under name _acme-challenge. It is better to wait at least one hour and let this change propagate to all servers (including LE's verification server). As, if your validation fails, you might have to add another TXT record and wait again for the change to propagate all over again.

After successful completion, you might see output like:

Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your certificate will expire on 2021-06-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congrats on getting your wildcard SSL certificate for free. These can be accessed at the path specified in the output. In my case, it was /etc/letsencrypt/live/example.com/. But, you might not be able to access this directory for obvious security reasons.

So, to access those, you need to set the permissions to 755 for both private key and directories containing it (/etc/letsencrypt/live/ and /etc/letsencrypt/archive/):

sudo chmod 755 /etc/letsencrypt/live
sudo chmod 755 /etc/letsencrypt/archive
sudo chmod 755 /etc/letsencrypt/live/example.com/privkey.pem

Example LE Certificate

After deploying these certificates to server, you can delete the dns text records that the challenge asked you to create. And it will be a good advice to restrict the access to the private key and certificate directories as well:

sudo chmod 700 /etc/letsencrypt/live/example.com/privkey.pem
sudo chmod 700 /etc/letsencrypt/live
sudo chmod 755 /etc/letsencrypt/archive

Example LE Certificate

After deploying these certificates to server, you can delete the DNS TXT record that the challenge asked you to place (you may keep them for easier renewal though). And it will be a good advice to restrict the access to the live and archive directories as well:

sudo chmod 700 live
sudo chmod 755 archive

And in case, your private key gets compromised, you can always revoke it using the following command:

sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem

You may note that here the revoke command takes the certificate as its input. And you may specify a reason as well like --reason keycompromise. After revocation, the domain may be removed from the system to avoid accidental renewal:

sudo certbot delete --cert-name example.com

You might also get a renewal reminder from LetsEncrypt for renewal of your certificate 30 days prior to its expiry on your registered email.