How to Get a Wildcard Domain DNS TLS Certificate from Let's Encrypt with certbot
Let’s Encrypt is a free and open Certificate Authority that offers SSL/TLS certificates to secure web traffic. In addition to standard domain validation, Let’s Encrypt also supports wildcard domain validation, which allows you to secure all subdomains of a domain with a single certificate. In this tutorial, we’ll walk through the steps of obtaining a wildcard domain DNS TLS certificate from Let’s Encrypt.
Step 1: Prerequisites
Before we start, make sure you have the following prerequisites installed on your system:
- Certbot: Let’s Encrypt provides an official client called Certbot for generating and renewing certificates. You can install Certbot on your system by following the instructions on the official Certbot website: https://certbot.eff.org/
- DNS Provider: You’ll need access to your DNS provider’s API key or account credentials, because we’ll be using DNS validation to obtain the wildcard certificate. Make sure your DNS provider is one of the providers supported by Certbot’s DNS plugins, listed here: https://certbot.eff.org/docs/using.html#dns-plugins
Step 2: Generate the Wildcard Domain DNS TLS Certificate
Once you have Certbot installed and your DNS provider credentials, you can use the following command to obtain the wildcard domain DNS TLS certificate:
sudo certbot certonly --dns-<dns-provider> --dns-<dns-provider>-credentials /path/to/credentials/file -d '*.example.com' -d example.com --preferred-challenges dns-01
Make sure to replace <dns-provider> with the name of your DNS provider and /path/to/credentials/file with the path to the credentials file for your DNS provider.
The -d option specifies the domain names for which you want to obtain the certificate. In this case, we’re obtaining a certificate that covers example.com itself and, through the wildcard, all of its direct subdomains.
The --preferred-challenges option tells Certbot to use DNS validation (dns-01) instead of HTTP validation. DNS validation involves creating a TXT record under the domain name, which Let’s Encrypt looks up to verify that you control the domain; the DNS plugin creates and removes this record for you through the provider’s API.
Example of obtaining a wildcard domain DNS TLS certificate from Let’s Encrypt using Cloudflare as the DNS provider
If you don’t have an API key, you can generate one by going to your Cloudflare dashboard, clicking on your profile picture in the top right corner, selecting “My Profile”, and then scrolling down to the “API Tokens” section.
Generate the Wildcard Domain DNS TLS Certificate
Use the following command to obtain the wildcard domain DNS TLS certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /path/to/cloudflare.ini -d '*.example.com' -d example.com --preferred-challenges dns-01
Make sure to replace /path/to/cloudflare.ini with the path to your Cloudflare API key credentials file. The credentials file should have the following format:
dns_cloudflare_email = your_email@example.com
dns_cloudflare_api_key = your_cloudflare_api_key
Replace your_email@example.com with your Cloudflare email address, and your_cloudflare_api_key with your Cloudflare API key.
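The credentials file grants full control over the zone’s DNS records, so it deserves a sanity check before Certbot is run with it. The following added script (not part of the original tutorial or of Certbot) checks that the file is private and complete: it refuses a world-readable file, a file where the placeholder values above were left in, and a file missing a usable credential set; the function name check_cloudflare_creds is this example’s own choice.

```shell
#!/bin/sh
# Added example, not from the original tutorial: validate a certbot
# --dns-cloudflare-credentials file before using it.

# check_cloudflare_creds FILE
# Returns 0 if FILE is a private, well-formed Cloudflare credentials file;
# prints the reason and returns 1 otherwise.
check_cloudflare_creds() {
  f="$1"
  [ -f "$f" ] || { echo "not a regular file: $f"; return 1; }

  # Permission bits: GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "insecure mode $mode on $f (expected 600 or 400)"; return 1 ;;
  esac

  # Catch the placeholders from the tutorial's sample file.
  if grep -Eq 'your_cloudflare_api_key|your_email@example\.com' "$f"; then
    echo "placeholder value still present in $f"; return 1
  fi

  # The plugin accepts either a scoped API token on its own, or the
  # legacy global API key together with the account email address.
  if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f"; then
    return 0
  fi
  if grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$f" &&
     grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f"; then
    return 0
  fi
  echo "need dns_cloudflare_api_token, or dns_cloudflare_email plus dns_cloudflare_api_key, in $f"
  return 1
}
```

Run it as `check_cloudflare_creds /path/to/cloudflare.ini && sudo certbot certonly ...` so the certbot command only executes when the file passes.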
Step 3: Install the Wildcard Domain DNS TLS Certificate
After running the above command, Certbot will generate the wildcard domain DNS TLS certificate and store it in a directory on your system. You can find the location of the certificate by running the following command:
sudo certbot certificates
This command lists all the certificates managed by Certbot on your system, with their domain names, expiry dates and file paths, including the wildcard certificate we just generated.
To use the certificate in your web server, you’ll need to configure the web server to use the certificate. The specific instructions for doing this will depend on the web server you’re using. Refer to the documentation for your web server for more information.
Congratulations! You now have a wildcard domain DNS TLS certificate from Let’s Encrypt.