This guide will is on How To Generate Let’s Encrypt Wildcard SSL certificate. As you may already know, Letsencrypt announced the release of ACME v2 API which is now ready for production. One of the features that people have been waiting for is the support for Wildcard certificates which was missing in ACME v1.
In this guide, I’ll show you the process of generating a wildcard Let’s Encrypt SSL certificate for use with your Web applications, validated manually using DNS. End users can begin issuing trusted, production-ready certificates with their ACME v2 compatible clients using the following directory URL:
https://acme-v02.api.letsencrypt.org/directory

Please note that you must use an ACME v2 compatible client to access this endpoint. You can consult our list of ACME v2 compatible clients.
Install certbot auto ACME
Run the following command to install certbot ACME v2 client that we’ll use to get wildcard ssl certificate.
# Ubuntu / Debian
sudo apt update
sudo apt install certbot
# Fedora
sudo dnf install certbot
# CentOS 8
sudo dnf -y install epel-release
sudo dnf -y install certbot
# CentOS 7
sudo yum -y install epel-release
sudo yum -y install certbot
Generate Wildcard Let’s Encrypt SSL Certificates
I’ll generate Wildcard certificate for *.computingforgeeks.com. One requirement is access to your DNS manager to verify domain ownership by adding a generated TXT record.
Run below command to start certificate request process;
certbot certonly --manual -d 'example.com,*.example.com' --agree-tos \
--no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 \
-m your-email-address \
--server https://acme-v02.api.letsencrypt.org/directory
You should get output similar to below:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for computingforgeeks.com
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.computingforgeeks.com with the following value:
UGa2-db4b-gj9aWAmS8UCnctThIMgRTWAWSeCK_zLVPAfaz6lvQ
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
It gives you a TXT record to add to your DNS, for me, the record is:
Name: _acme-challenge.example.com
TXT record: UGa2-db4b-gj9aWAmS8UCnctThIMgRTWAWSeCK_zLVPAfaz6lvQ
You can check propagation of the record using dig command in a separate shell session.
$ dig TXT _acme-challenge.computingforgeeks.com
; <<>> DiG 9.10.6 <<>> TXT _acme-challenge.computingforgeeks.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1778
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.computingforgeeks.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.computingforgeeks.com. 300 IN TXT "UGa2-db4b-gj9aWAmS8UCnctThIMgRTWAWSeCK_zLVPAfaz6lvQ"
;; Query time: 204 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Feb 06 12:43:50 EAT 2024
;; MSG SIZE rcvd: 122
After this is done and the record has been populated, press the enter key to continue. On successful generation, you should get output like below:
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.computingforgeeks.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/computingforgeeks.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/computingforgeeks.com/privkey.pem
This certificate expires on 2024-05-06.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The output gives you the full path to the private key and the certificate file. You can now use the certificate for your applications.
Renewing Let’s Encrypt Wildcard SSL Certs
To check certificates expiry date run:
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: computingforgeeks.com
Serial Number: 4ba0899d212539b77542909ddd89683b141
Key Type: RSA
Domains: computingforgeeks.com *.computingforgeeks.com
Expiry Date: 2024-05-06 08:48:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/computingforgeeks.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/computingforgeeks.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
To renew the certificates execute the following commands.
certbot certonly -d 'example.com,*.example.com' \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual \
--agree-tos \
--preferred-challenges dns
Similar content:
- Create locally trusted SSL Certificates on Linux and macOS with mkcert
- How to install OpenSSL on Windows Server 2019
- How To Secure GitLab Server with SSL Certificate