With the internet, web and computer security becoming a crucial part of our everyday lives. It has become more important than ever to ensure that you have SSL certificates on your website. Just last week, Google Chrome, one of the major browsers with a 59% market share is highlighting the need for SSL in the latest update. Below is a screenshot of how Chrome presented websites before and after the update.

With that said, getting an SSL certificate can cost you an upwards of about $80 a year. Let’s Encrypt has completely changed the game when it comes to this. In the last couple of years, with the support of big companies such as Google, Mozilla and Cloudflare, Let’s Encrypt has been providing completely free SSL certificate for all websites.

Now let’s talk about Let’s Encrypt, Let’s Encrypt is an SSL certificate authority (similar to GoDaddy, Verizon, Trsutwave, StartCom among others) managed by the Internet Security Research Group (ISRG). It utilizes the Automated Certificate Management Environment (ACME) to automatically deploy free SSL certificates that are trusted by nearly all major browsers. According to the last update from Let’s Encrypt, they have issued about 70 million certificates.

Now, let’s get to the purpose of this tutorial. When Let’s Encrypt launched they were only issuing certificates for single domains. Basically, you couldn’t get a wildcard certificate. If you have multiple subdomains, such as sub1.domain.com, sub2.domain.com etc, you have to list all the domains when generating the certificate. Every time you added a new subdomain, you had to add the domain to regenerate the certificate.

The good news is that a few weeks ago, Let’s Encrypt introduced the ability to generate wildcard certificates for domains such as *.domain.com. That way, all subdomains get covered by one certificate. This is a total game changer. This can save time, money and make it flexible when working with SSL and subdomains.

In this tutorial, we will be covering how to generate a wildcard SSL certificate for a domain. Before we start we want to make sure that you have the prerequisites. For the purpose of this article, we will be installing it on Ubuntu, however, most of the concepts apply to other operating systems.

First, we want to install git. We will be using that to install certbot, which will be allowing us to install the certificate.

# apt-get update
# apt-get upgrade
# apt-get install git
# cd /opt
# git clone https://github.com/certbot/certbot.git

After successfully installing the certbot app, you can run change directory into the certbot folder by typing cd certbot. Once you are in the folder, you then run the command below by specifying your email, and a list of domains. Since we are working on generating a wildcard certificate, you have to specify the root domain and all subdomains. In this case we just specify pagewoo.com and then *.pagewoo.com.

./certbot-auto certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.pagewoo.com -d pagewoo.com

Once you have run that command, certbot will ask you to add a TXT record to your domain to confirm that you own the domain. In your DNS provider, you’ll create a new DNS TXT record with. Record Name: _acme-challenge (you may or may not need the .pagewoo.com suffix depending on your DNS provider. Record Value: VWHqMqojnAZb8oLV2ZMaqaeUUyiTAX4-3KeokqJ69hE (replace this with the value provided by Certbot).

Since DNS entries take a while to propagate, you want to reduce the TTL on them to make the change show up. If you are using cloudflare, you can set the TTL to 2 min to make the changes show up quickly.

Save your DNS settings and hit Enter in the Certbot window to trigger the check. Below you will see the complete output of how the output looks once you run the certbot.

[email protected]:~/certbot# ./certbot-auto certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.pagewoo.com -d pagewoo.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/pagewoo.com.conf)

It contains these names: *.pagewoo.com

You requested these names for the new certificate: *.pagewoo.com, pagewoo.com.

Do you want to expand and replace this existing certificate with the new
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for pagewoo.com
dns-01 challenge for pagewoo.com

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: Y

Please deploy a DNS TXT record under the name
_acme-challenge.pagewoo.com with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue

Please deploy a DNS TXT record under the name
_acme-challenge.pagewoo.com with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2018-06-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Once you have successfully installed the certificate, you can check whether the certificate has been successfully installed by running the command ./certbot-auto certificates. This lists the domains and the location when the certificate files are located.

[email protected]:~/certbot# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: pagewoo.com
    Domains: *.pagewoo.com pagewoo.com
    Expiry Date: 2018-06-26 19:07:50+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/pagewoo.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pagewoo.com/privkey.pem
[email protected]:~/certbot#

Once you see an output like the one displayed in the snippet above, you can then update your web server with the correct paths. We hope you enjoyed reading this tutorial and it helped you set up a free wildcard SSL certificate for your domain.

How to Generate A Free Wildcard SSL Certificate with Let’s Encrypt for Your Domain on Ubuntu
Rate this post

Join over 20,000 users and get our best content

Each week we send 1 email to 20,000 smart entrepreneurs just like you. Enter your email below to join the crew.

Thank you for subscribing.

Something went wrong.