Generally, certificates are tied to one or more specific domain names: if you have a certificate for “www.example.com”, you can only use it for that exact name. A wildcard certificate, on the other hand, is issued for a parent domain and covers any direct subdomain of it. For instance, a wildcard certificate for *.example.com can be used for “www.example.com”, “account.example.com”, “mail.example.com” and so on (but not for deeper names such as “a.b.example.com”, which would need their own certificate). Wildcard certificates therefore let you obtain and renew a single certificate for all your present and future subdomains. Here’s how to obtain a wildcard certificate for a registered domain name from Let’s Encrypt on Ubuntu, Debian and other Debian-based distributions.
1. Installing acme.sh
Let’s Encrypt uses the Automated Certificate Management Environment (ACME) protocol to verify that you control your domain name and to issue and renew certificates. Acme.sh is a popular ACME client implemented as a shell script. To install it, you will first need to install git:
Download the repository from GitHub:
Enter the cloned directory and start the installation script:
Reload your shell session to start using acme.sh:
2. Using acme.sh to issue wildcard certificates
In order for Let’s Encrypt to issue a wildcard certificate, you must solve a DNS-based challenge (ACME’s dns-01 challenge, which provides Domain Validation (DV)): a TXT record containing a token issued by Let’s Encrypt must be published under your domain. Acme.sh integrates with the APIs of many major DNS providers and fully automates creating and removing that record.
Cloudflare
If you are using Cloudflare’s DNS service, log in to your account and copy your global API key (note that this key grants full access to your account; an API token limited to DNS edit rights for the zone is the safer choice if your acme.sh version supports it). Save it as an environment variable on your system:
You can now request a wildcard certificate:
NameCheap
If you are using NameCheap nameservers, follow their instructions on enabling API access, then export the required variables:
Request a wildcard certificate:
DigitalOcean
If your domain uses DigitalOcean’s DNS, follow their instructions on creating a personal access token with read and write permissions. Export your API key/token:
Request a wildcard certificate:
GoDaddy
If your domain uses GoDaddy’s DNS, copy your API key and secret. Export them to your environment:
Request a wildcard certificate:
Vultr
If you are using Vultr’s DNS, you will need your personal access token or a sub-profile with “Manage DNS” privileges.
Request a wildcard certificate:
Rackspace
If you are using Rackspace, you will need your username and API key. Export them as shown below:
Request a wildcard certificate:
Manual Process
If you do not want to, or cannot, use the API provided by your DNS vendor, you can create the DNS record for the domain validation challenge by hand. Be aware that you will then have to repeat this manual process every time the certificate is renewed.
This command will display a verification token which you will have to add as a DNS TXT record.
Copy the token and log in to your DNS control panel. Create a new DNS record of type TXT for the _acme-challenge subdomain and paste the token.
Wait a few minutes for the new record to become accessible, then request the certificate:
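Rather than guessing how long “a few minutes” is, you can poll DNS for the challenge record and only request the certificate once the token is actually visible. The helper below is an added example and not part of the original guide or of acme.sh; it assumes `dig` is installed, and that `DNS_SERVER`, if set, names the resolver to query.

```sh
#!/bin/sh
# Added example (not part of the original guide). Assumes `dig` is installed and
# that DNS_SERVER, if set, names a resolver to query (ideally your authoritative NS).

# Print the TXT record name that Let's Encrypt looks up for a domain. Both
# "example.org" and "*.example.org" are validated via _acme-challenge.example.org.
challenge_name() {
    base=${1#\*.}                               # strip a leading "*."
    printf '_acme-challenge.%s\n' "$base"
}

# Succeed (exit 0) if $1, dig's +short TXT output (one quoted value per line),
# contains exactly the token $2. Compared as a fixed string, quotes included.
txt_contains() {
    printf '%s\n' "$1" | grep -qxF -- "\"$2\""
}

# Poll DNS for the challenge record of domain $1 carrying token $2, every $3
# seconds (default 30) for at most $4 attempts (default 20). Returns 1 on timeout.
# A caching resolver may lag behind your authoritative servers, which are what
# Let's Encrypt actually queries, so point DNS_SERVER at one of those if you can.
wait_for_txt() {
    name=$(challenge_name "$1"); token=$2
    interval=${3:-30}; attempts=${4:-20}; i=0
    while [ "$i" -lt "$attempts" ]; do
        i=$((i + 1))
        if txt_contains "$(dig +short TXT "$name" ${DNS_SERVER:+"@$DNS_SERVER"})" "$token"; then
            echo "$name now carries the expected token"
            return 0
        fi
        echo "attempt $i/$attempts: token not visible at $name yet, sleeping ${interval}s"
        sleep "$interval"
    done
    echo "gave up waiting for $name; do not request the certificate yet" >&2
    return 1
}

# Usage: sh wait_txt.sh '*.example.org' TOKEN [interval] [attempts]
if [ $# -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it with the token shown by the previous command; when it exits 0, proceed with the certificate request above.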
File Locations
You will find your certificate and other relevant files in the “.acme.sh” directory in your home folder.
The certificate itself is saved as “~/.acme.sh/*.example.org/*.example.org.cer”. The certificate key is saved as “~/.acme.sh/*.example.org/*.example.org.key”; this file should be kept private and never shared. The full-chain certificate file, which is what you will most likely use, is saved as “~/.acme.sh/*.example.org/fullchain.cer”. This file combines your certificate with that of the issuing authority (known as the intermediate certificate).
Follow the steps above, and you will be able to get a Let’s Encrypt wildcard domain certificate.