How to Generate A Free Wildcard SSL Certificate with Let’s Encrypt for Your Domain on Ubuntu

As internet, web and computer security have become a crucial part of our everyday lives, it has become more important than ever to ensure that your website has an SSL certificate. Just last week Google Chrome, one of the major browsers with a 59% market share, highlighted the need for SSL in its latest update. Below is a screenshot of how Chrome presented websites before and after the update.

With that said, an SSL certificate can cost upwards of $80 a year. Let’s Encrypt has completely changed the game here. Over the last couple of years, with the support of big companies such as Google, Mozilla and Cloudflare, Let’s Encrypt has been providing completely free SSL certificates for all websites.

Now let’s talk about Let’s Encrypt. Let’s Encrypt is an SSL certificate authority (similar to GoDaddy, Verizon, Trustwave, StartCom and others) managed by the Internet Security Research Group (ISRG). It uses the Automated Certificate Management Environment (ACME) protocol to automatically issue free SSL certificates that are trusted by nearly all major browsers. According to the latest update from Let’s Encrypt, they have issued about 70 million certificates.

Now, let’s get to the purpose of this tutorial. When Let’s Encrypt launched, it only issued certificates for individually named domains; you couldn’t get a wildcard certificate. If you had multiple subdomains, such as, etc., you had to list all of them when generating the certificate, and every time you added a new subdomain you had to add it to the list and regenerate the certificate.

The good news is that a few weeks ago Let’s Encrypt introduced the ability to generate wildcard certificates for domains such as *. That way, all subdomains are covered by one certificate. This is a total game changer: it saves time and money and makes working with SSL and subdomains far more flexible.

In this tutorial we will cover how to generate a wildcard SSL certificate for a domain. Before we start, make sure you have the prerequisites in place. For the purpose of this article we will be installing on Ubuntu; however, most of the concepts apply to other operating systems.

First, install git. We will use it to fetch certbot, the client that obtains the certificate for us.

# apt-get update
# apt-get upgrade
# apt-get install git
# cd /opt
# git clone

After cloning certbot, change into the certbot folder by typing cd certbot. Once you are in the folder, run the command below, specifying your email and the list of domains. Since we are generating a wildcard certificate, you have to specify both the root domain and the wildcard for its subdomains. In this case we specify and then *.

./certbot-auto certonly --manual --preferred-challenges=dns --email [email protected] --server --agree-tos -d * -d

Once you have run that command, certbot will ask you to add a TXT record to your domain to prove that you control it. In your DNS provider, create a new DNS TXT record with: Record Name: _acme-challenge (you may or may not need the suffix, depending on your DNS provider). Record Value: VWHqMqojnAZb8oLV2ZMaqaeUUyiTAX4-3KeokqJ69hE (replace this with the value provided by certbot).

Since DNS changes take a while to propagate, reduce the TTL on the record so the change shows up quickly. If you are using Cloudflare, you can set the TTL to 2 minutes.
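Rather than guessing when the record has propagated, you can poll a public resolver for the _acme-challenge TXT value certbot printed and only press Enter once it is visible. This is an added helper, not part of the original tutorial or of certbot; it assumes dig (dnsutils) is installed, and the resolver 1.1.1.1 and the example.com domain are placeholders. Because the wildcard and the apex challenges both live under the same _acme-challenge name, the second TXT record must be added alongside the first, not in place of it, and the check below accepts extra records for the name.

```shell
# Poll DNS for the _acme-challenge TXT record certbot asked for, so you only
# press Enter once public resolvers already return the value.
# Assumes dig is installed; 1.1.1.1 is a constructed default resolver.

# Pure check: does a `dig +short TXT` answer (one quoted string per line)
# contain exactly the expected token? Other records under the same name are
# allowed, which matters because the *.domain and apex challenges share the name.
txt_answer_has_value() {
    answer="$1"; expected="$2"
    printf '%s\n' "$answer" | sed 's/^"\(.*\)"$/\1/' | grep -qxFe "$expected"
}

# Ask a public resolver directly rather than the local cache, which may keep
# serving a stale or empty answer until the previous TTL runs out.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; tries="${3:-20}"; delay="${4:-15}"; resolver="${5:-1.1.1.1}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        answer=$(dig +short TXT "_acme-challenge.$domain" "@$resolver" 2>/dev/null)
        if txt_answer_has_value "$answer" "$expected"; then
            echo "visible: _acme-challenge.$domain TXT $expected"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "record not visible after $tries checks; wait for the TTL or fix the record" >&2
    return 1
}

# Usage, with your domain and the value certbot printed (placeholders here):
# wait_for_acme_txt example.com VWHqMqojnAZb8oLV2ZMaqaeUUyiTAX4-3KeokqJ69hE
```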

Save your DNS settings and hit Enter in the certbot window to trigger the check. Below is the complete output you will see when you run certbot.

[email protected]:~/certbot# ./certbot-auto certonly --manual --preferred-challenges=dns --email [email protected] --server --agree-tos -d * -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/

It contains these names: *

You requested these names for the new certificate: *,

Do you want to expand and replace this existing certificate with the new
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: Y

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2018-06-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Once the certificate has been issued, you can verify it by running ./certbot-auto certificates. This lists the domains covered and the location of the certificate files.

[email protected]:~/certbot# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name:
    Domains: *
    Expiry Date: 2018-06-26 19:07:50+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/
[email protected]:~/certbot#

Once you see output like the snippet above, update your web server configuration with those paths. We hope you enjoyed this tutorial and that it helped you set up a free wildcard SSL certificate for your domain.
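Before pointing the web server at the files, it is worth confirming from the certificate itself that the expanded certificate really names both *.domain and the bare domain (the expand prompt above shows the earlier certificate held only the wildcard). The check below is an added example, not code from the tutorial or from certbot; it assumes openssl is on PATH and uses example.com and the live/ path certbot printed as placeholders. Note that certbot-auto renew cannot repeat a --manual dns-01 challenge unattended unless you supply a --manual-auth-hook script, so plan to redo the TXT step before the expiry date shown.

```shell
# Check that the saved certificate covers both *.domain and the bare domain,
# and warn if it is already inside certbot's 30-day renewal window.
# Assumes openssl is on PATH; paths and example.com are placeholders.

# Pure check: given DNS SANs one per line, is every required name present?
sans_cover_names() {
    sans="$1"; shift
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxFe "$name" || return 1
    done
    return 0
}

# Pull the DNS names out of openssl's text dump of a PEM certificate.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

verify_wildcard_cert() {
    pem="$1"; domain="$2"
    sans=$(cert_dns_sans "$pem") || return 1
    if ! sans_cover_names "$sans" "*.$domain" "$domain"; then
        echo "certificate does not cover *.$domain and $domain; it names:" >&2
        printf '  %s\n' $sans >&2
        return 1
    fi
    echo "OK: $pem covers *.$domain and $domain"
    # -checkend fails when the certificate expires within the given seconds (30 days)
    if ! openssl x509 -in "$pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
        echo "WARN: expires within 30 days; renew now" >&2
    fi
}

# Usage with the paths certbot printed (example.com is a placeholder):
# verify_wildcard_cert /etc/letsencrypt/live/example.com/fullchain.pem example.com
```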