Securing websites has transitioned from an option to a necessity, especially with most modern browsers flagging unsecured sites. Fortunately, Let’s Encrypt has made the process of obtaining SSL certificates far easier and free of charge. One particularly powerful option it offers is the wildcard SSL certificate, which secures a domain and all its subdomains. Whether you’re managing a single site with multiple subdomains or running a complex infrastructure, this comprehensive guide will walk you through obtaining and installing a Let’s Encrypt Wildcard SSL certificate.
What is a Wildcard SSL Certificate?
A wildcard SSL certificate secures the subdomains of one domain with a single certificate: the * stands for exactly one DNS label. For example, a certificate for *.example.com will cover:
www.example.com
blog.example.com
mail.example.com
It does not cover the bare domain example.com itself, nor deeper names such as dev.blog.example.com. That is why the base domain is requested as a second name on the same certificate in Step 4 below, and why a deeper level would need its own wildcard name (*.blog.example.com).
This is especially useful for businesses and developers who host several services or environments under different subdomains.
Why Choose Let’s Encrypt?
Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that offers digital certificates to enable HTTPS (SSL/TLS) for websites. The main advantages include:
- Free of charge: No cost for certificates or renewal.
- Automatic issuance: Integration with automation tools like Certbot makes deployment easy.
- Security: Makes HTTPS the easy default for every site, and the short 90-day lifetime (see Automating Renewal below) forces certificates and keys to be replaced regularly instead of lingering for years.

Prerequisites for a Wildcard Certificate
Before you dive into issuing a wildcard certificate, make sure you have the following:
- Administrative access to your DNS provider, including an API credential that Certbot can use.
- Ability to create and remove DNS TXT records in the zone (the DNS-01 challenge is the only validation method Let’s Encrypt allows for wildcard names).
- A Linux or Unix-like server (preferred for automation using Certbot).
Step-by-Step: How to Obtain a Let’s Encrypt Wildcard SSL Certificate
Step 1: Install Certbot
Certbot is the ACME client maintained by the Electronic Frontier Foundation (EFF). On Debian or Ubuntu, install it with:
sudo apt update
sudo apt install certbot
For Red Hat, CentOS or Fedora systems, use dnf (or yum on older releases) in place of apt. Distribution packages can lag behind upstream, so check certbot --version afterwards: the DNS plugin you install in the next step must match that version.
Step 2: Install the DNS Plugin
Let’s Encrypt issues wildcard certificates only through the DNS-01 challenge: Certbot proves control of the zone by publishing a TXT record at _acme-challenge.example.com and removing it afterwards, so it needs a plugin that can talk to your DNS provider’s API. Choose the plugin for your provider:
- python3-certbot-dns-cloudflare for Cloudflare
- python3-certbot-dns-route53 for AWS Route 53
- python3-certbot-dns-google for Google Cloud DNS
Install the plugin like this (example for Cloudflare):
sudo apt install python3-certbot-dns-cloudflare
Step 3: Create API Credentials
Each provider requires its own authentication method. Cloudflare, for example, uses an API token; create one scoped to Zone:DNS:Edit on just the zone(s) Certbot will manage rather than using the account-wide Global API Key, so that a leaked token cannot be used to change other DNS records. Store the token in a credentials file that only its owner can read (the directory must exist before you touch the file):
mkdir -p ~/.secrets/certbot
chmod 700 ~/.secrets/certbot
touch ~/.secrets/certbot/cloudflare.ini
chmod 600 ~/.secrets/certbot/cloudflare.ini
Insert your API token into it:
dns_cloudflare_api_token = your_cloudflare_token
Certbot warns if this file is readable by other users. Note that ~ is expanded by your shell before sudo runs, so the file lives in your own home directory but is read by root when Certbot executes.
Step 4: Issue the Wildcard Certificate
Use Certbot with your DNS plugin to request the wildcard certificate. Here’s a typical command:
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d "*.example.com" -d example.com
What this command does:
- certonly: Obtain the certificate without touching the web server configuration; you install it yourself in the next section.
- --dns-cloudflare: Tells Certbot to use the Cloudflare DNS plugin, and therefore the DNS-01 challenge.
- --dns-cloudflare-credentials: Points at the token file created in Step 3.
- -d "*.example.com" -d example.com: Puts both the base domain and its first-level subdomains on one certificate; the quotes keep the shell from expanding the *.
Certbot names the resulting certificate after the first -d value with the leading *. removed (here example.com); pass --cert-name to choose a different name.
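Steps 3 and 4 above, put together as one script. This is an added example rather than code from the original guide or from the Certbot project: it writes the Cloudflare credentials file with safe permissions, refuses to run if that file is readable by other users or if a wildcard is requested without its base domain, and only prints the certbot command unless DRY_RUN=0. The environment variable names CLOUDFLARE_API_TOKEN, CERTBOT_EMAIL, CREDS, DOMAINS and DRY_RUN are choices made here, not Certbot conventions; the certbot flags it emits (--dns-cloudflare-credentials, --dns-cloudflare-propagation-seconds, --deploy-hook, --non-interactive, --agree-tos, -m) are real options.

```shell
#!/bin/sh
# Added example (not code from the original guide): Steps 3 and 4 as one script that stops on
# the two mistakes the guide warns about, a token file readable by other users and a wildcard
# requested without its base domain.
# Assumptions (mine, not certbot conventions): the Cloudflare token arrives in the environment
# variable CLOUDFLARE_API_TOKEN; CERTBOT_EMAIL is the ACME account e-mail; DRY_RUN=1 (the
# default) only prints the certbot command instead of running it.
set -eu
set -f   # never glob-expand names like *.example.com

# write_credentials FILE TOKEN
# Create the ini with the directory 0700 and the file 0600 by setting the umask first, instead
# of racing a chmod against a world-readable file that already holds the token.
write_credentials() {
  (umask 077 && mkdir -p "$(dirname "$1")" \
     && printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1")
}

# credentials_secure FILE -> 0 if FILE exists and has no group/other permission bits at all
# (certbot only warns about an unsafe credentials file; this makes it a hard stop).
credentials_secure() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_domains NAME... -> 0 if every wildcard has the form *.zone with no other '*', and the
# zone itself is also in the list (a wildcard never covers its own apex).
check_domains() {
  for d in "$@"; do
    case "$d" in
      '*.'*)
        apex=${d#\*.}
        case "$apex" in *'*'*) echo "bad wildcard: $d" >&2; return 1 ;; esac
        found=0
        for e in "$@"; do [ "$e" = "$apex" ] && found=1; done
        if [ "$found" -ne 1 ]; then
          echo "$d does not cover $apex itself; add -d $apex" >&2; return 1
        fi ;;
      *'*'*) echo "bad wildcard: $d (the wildcard must be the leftmost label)" >&2; return 1 ;;
    esac
  done
  return 0
}

# build_certbot_cmd CREDS EMAIL NAME... -> the certbot command line, printed on stdout.
# The 30-second propagation wait replaces the plugin's 10-second default, and the deploy hook
# reloads nginx after every renewal so the new certificate is actually served.
build_certbot_cmd() {
  creds=$1 email=$2; shift 2
  cmd="certbot certonly --non-interactive --agree-tos -m '$email' --dns-cloudflare"
  cmd="$cmd --dns-cloudflare-credentials '$creds' --dns-cloudflare-propagation-seconds 30"
  cmd="$cmd --deploy-hook 'systemctl reload nginx'"
  for d in "$@"; do cmd="$cmd -d '$d'"; done
  printf '%s\n' "$cmd"
}

CREDS=${CREDS:-${HOME:-/root}/.secrets/certbot/cloudflare.ini}
DOMAINS=${DOMAINS:-"*.example.com example.com"}   # the same names as in the guide

if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
  write_credentials "$CREDS" "$CLOUDFLARE_API_TOKEN"
fi
check_domains $DOMAINS
CMD=$(build_certbot_cmd "$CREDS" "${CERTBOT_EMAIL:-admin@example.com}" $DOMAINS)
if [ "${DRY_RUN:-1}" = 1 ]; then
  echo "would run: sudo $CMD"
else
  credentials_secure "$CREDS" || { echo "refusing: $CREDS is missing or readable by others" >&2; exit 1; }
  eval "sudo $CMD"
fi
```

Run it once with the defaults to see the exact command it would execute, then run it again with CLOUDFLARE_API_TOKEN set and DRY_RUN=0 to issue the certificate. The deploy hook assumes Nginx; change it to reload Apache if that is what terminates TLS.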
How to Install the Certificate
Step 1: Locate the Certificate
Certbot stores the certificate under a directory named after the certificate, typically:
/etc/letsencrypt/live/example.com/
You’ll find the following files:
- cert.pem – Your domain certificate
- privkey.pem – Your private key
- chain.pem – The intermediate CA chain
- fullchain.pem – cert.pem and chain.pem combined
These are symlinks into /etc/letsencrypt/archive/ that are repointed at every renewal, so reference the live/ paths in your web server configuration rather than copying the files elsewhere.
Step 2: Configure Your Web Server
For Nginx:
Modify the server block that listens for TLS (listen 443 ssl;) and whose server_name covers the names on the certificate to include:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
For Apache:
Use the following directives inside your <VirtualHost *:443> block:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated: pointing SSLCertificateFile at fullchain.pem sends the intermediate certificate along with your own. Only older Apache versions still need SSLCertificateFile cert.pem together with SSLCertificateChainFile chain.pem.

Automating Renewal
Let’s Encrypt certificates are only valid for 90 days, and certbot renew replaces any certificate with fewer than 30 days left. Renewal reuses the plugin and the credentials path recorded in /etc/letsencrypt/renewal/example.com.conf, so keep that file where it was. To test renewal without touching your real certificate, run:
sudo certbot renew --dry-run
Distribution packages usually install a systemd timer (certbot.timer) or a cron job already; check with systemctl list-timers before adding your own. If nothing is scheduled, add a root cron job or systemd timer:
0 1 * * * /usr/bin/certbot renew --quiet
Because the certificate was obtained with certonly, renewal does not reload your web server on its own: pass --deploy-hook "systemctl reload nginx" (or the Apache equivalent) when obtaining or renewing, or drop a script into /etc/letsencrypt/renewal-hooks/deploy/.
Troubleshooting Tips
Sometimes things don’t go as planned. Here are a few helpful troubleshooting tips:
- Permission errors: Ensure your API credentials file has proper permissions (chmod 600) and that the path recorded in the renewal configuration still exists.
- DNS propagation delays: The DNS-01 challenge depends on the _acme-challenge TXT record being visible to Let’s Encrypt’s resolvers. If validation fails right after the record is created, retry, or raise the wait with --dns-cloudflare-propagation-seconds (the default is 10 seconds).
- Incorrect domain name format: Use a wildcard like *.example.com and also include example.com; *.example.com alone does not cover the bare domain, and a wildcard covers only one label.
- Plugin not found: Make sure the DNS plugin is correctly installed and compatible with your Certbot version (certbot plugins lists what Certbot can see).
Best Practices
To make the most out of your wildcard SSL certificate, follow these best practices:
- Restrict API credentials: Limit the scope of API tokens to the zones and actions Certbot needs (DNS edit only), keep the credentials file at 0600, and rotate the token if the host is ever compromised.
- Protect the private key: A wildcard key is a single point of failure for every subdomain; keep privkey.pem on the hosts that actually terminate TLS, and prefer a per-host certificate where a service needs only one name.
- Use fullchain.pem: Serving only cert.pem leaves out the intermediate certificate, and clients that do not fetch it themselves will fail the handshake.
- Checkpoint changes: After updates or renewals, test your services to avoid downtime.
- Set up monitoring: Use tools or scripts to regularly check certificate validity and expiry, independently of the renewal job.
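A monitoring script of the kind the last bullet recommends, added here as an example (it is not from the original guide or from Certbot): it lists the names on a certificate, applies the browser rule for what a wildcard name covers (the scope question from the start of this guide) and reports whether the certificate is already inside Certbot’s 30-day renewal window. It assumes only a POSIX shell and the openssl command. CERT defaults to Certbot’s live/example.com/cert.pem; when that file is missing, the script generates a self-signed stand-in carrying the same two names so it can be tried on any machine, and that stand-in is constructed test data rather than a real Let’s Encrypt certificate.

```shell
#!/bin/sh
# Added example (not code from the original guide): a monitoring check for a deployed
# certificate. It answers two questions the guide raises: which hostnames the certificate
# actually covers, and whether it is close enough to expiry that renewal should already have
# happened.
# Assumptions: a POSIX shell and the openssl CLI. CERT defaults to the path Certbot uses for
# example.com; when that file is absent the script builds a self-signed 90-day stand-in with
# the same names, which is constructed test data, not a real Let's Encrypt certificate.
set -eu
set -f   # certificate names such as *.example.com must never be glob-expanded

# name_matches_host NAME HOST -> 0 if HOST is covered by the certificate name NAME.
# Exact names compare case-insensitively; a wildcard's '*' stands for exactly one DNS label
# (RFC 6125), which is the rule browsers apply: *.example.com covers www.example.com but
# neither example.com nor dev.blog.example.com.
name_matches_host() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$name" in
    '*.'*)
      suffix=${name#\*.}                              # *.example.com -> example.com
      case "$host" in
        *".$suffix") prefix=${host%".$suffix"} ;;     # what the '*' would have to stand for
        *) return 1 ;;                                # other zone, or the bare apex itself
      esac
      [ -n "$prefix" ] || return 1
      case "$prefix" in *.*) return 1 ;; esac         # more than one label: not covered
      return 0 ;;
    *) [ "$name" = "$host" ] ;;
  esac
}

# cert_covers_host HOST NAME... -> 0 if any of the NAMEs covers HOST
cert_covers_host() {
  host=$1; shift
  for n in "$@"; do
    if name_matches_host "$n" "$host"; then return 0; fi
  done
  return 1
}

# cert_sans FILE -> the DNS names in the certificate's subjectAltName, one per line
cert_sans() {
  openssl x509 -noout -text -in "$1" \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# cert_expires_within_days FILE DAYS -> 0 if the certificate expires within DAYS days.
# Certbot renews at 30 days left, so a 0 here for DAYS=30 means the renewal job is not working.
cert_expires_within_days() {
  if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
    return 1   # -checkend exits 0 when the certificate is still valid past the window
  fi
  return 0
}

# make_constructed_cert DIR -> writes DIR/cert.pem, a self-signed 90-day certificate carrying
# example.com and *.example.com (stand-in for the Let's Encrypt files; needs OpenSSL 1.1.1+).
make_constructed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$1/privkey.pem" -out "$1/cert.pem" -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" >/dev/null 2>&1
}

CERT=${CERT:-/etc/letsencrypt/live/example.com/cert.pem}
tmp=$(mktemp -d)
if [ ! -r "$CERT" ] && command -v openssl >/dev/null 2>&1 && make_constructed_cert "$tmp"; then
  CERT=$tmp/cert.pem
fi
if [ -r "$CERT" ]; then
  sans=$(cert_sans "$CERT")
  echo "names on $CERT: $(printf '%s ' $sans)"
  for h in example.com www.example.com api.example.com dev.blog.example.com example.org; do
    if cert_covers_host "$h" $sans; then echo "covered:     $h"; else echo "NOT covered: $h"; fi
  done
  if cert_expires_within_days "$CERT" 30; then
    echo "WARNING: expires within 30 days; renewal has not happened"
  else
    echo "expiry: more than 30 days away"
  fi
fi
rm -rf "$tmp"
```

Point CERT at any cert.pem under /etc/letsencrypt/live/ and run it from cron a few times a week; a WARNING line is the signal that the renewal timer, the DNS token or the credentials path has broken, well before browsers start rejecting the site.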
Conclusion
With Let’s Encrypt offering free wildcard SSL certificates, there’s no excuse for leaving your subdomains unsecured. Whether you’re a novice webmaster or a seasoned sysadmin, automating the obtaining and renewal of wildcard certificates is a worthwhile skill in today’s HTTPS-centric landscape.
By following this guide, you’ve learned how to configure Certbot, interact with your DNS provider, install the certificate on your server, and automate its renewal—laying a solid security foundation for your domain and its ever-expanding ecosystem of subdomains.
Remember, securing your site doesn’t stop with SSL; keep your systems, plugins, and servers up to date as well.