
Step-by-Step Tutorial for Setting Up Let’s Encrypt Wildcard Certificates on Your Server

Securing your website using HTTPS is an essential step in protecting user data and establishing trust. One of the most efficient and cost-effective ways to enable HTTPS is by using Let’s Encrypt, a Certificate Authority (CA) that provides free SSL/TLS certificates. Particularly, a wildcard certificate from Let’s Encrypt allows you to secure all of the subdomains of a domain with a single certificate. Setting up a wildcard certificate requires DNS validation, but once completed, the result is a secure environment for all services under your domain.

Why Choose Let’s Encrypt Wildcard Certificates?

Wildcard certificates offer a significant advantage by covering multiple subdomains under a single certificate. For example, a wildcard certificate for *.example.com will secure www.example.com, blog.example.com, and mail.example.com.

Let’s Encrypt certificates are:

  • Free – No payment required for issuance and renewal.
  • Automated – Tools like Certbot handle most of the setup and renewal processes.
  • Trusted – Widely accepted and recognized by modern browsers.

This tutorial walks you through the detailed steps for acquiring and setting up a Let’s Encrypt wildcard certificate on your server using DNS-01 challenge validation.

Prerequisites

Before beginning, make sure you have the following:

  • Access to the DNS provider or server where your domain’s DNS is managed
  • A registered domain name (e.g., example.com)
  • Command-line access to your server (typically via SSH)
  • Root or sudo privileges on the server
  • Python 3 installed for running Certbot

Step 1: Install Certbot

Certbot is a fully-featured, automated command-line tool that greatly simplifies obtaining and renewing Let’s Encrypt certificates.

For systems using Debian or Ubuntu:

sudo apt update
sudo apt install certbot

For CentOS or Fedora:

sudo dnf install certbot

Make sure Certbot is correctly installed by checking the version:

certbot --version

Step 2: Install or Configure a DNS Plugin (Optional)

To issue a wildcard certificate, you must use the DNS-01 challenge. Certbot supports DNS automation using plugins for many providers (e.g., Cloudflare, Google Domains, DigitalOcean).

If your DNS provider is supported, install the appropriate plugin. For example, for Cloudflare:

sudo apt install python3-certbot-dns-cloudflare

You’ll then need to create an API key or token with the correct DNS editing permissions and store it securely on your server (e.g., in ~/.secrets/cloudflare.ini).

If your DNS provider is not supported, you’ll need to manually set TXT records during the challenge.

Step 3: Run the DNS-01 Challenge Command

To generate a wildcard certificate with DNS-01 validation, use the following command:

certbot certonly --manual \
  --preferred-challenges dns \
  -d "*.example.com" -d example.com

You will see prompts instructing you to add a TXT record to your DNS for verification. The TXT entry should look something like this:

_acme-challenge.example.com. IN TXT "somevalue"

Add this record to your DNS settings and wait a few minutes for it to propagate. Then return to the terminal and press Enter. Certbot will report whether the validation succeeded.
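Before pressing Enter, it is worth confirming that the record is actually being served. The following POSIX sh script is an added example, not code from the tutorial; it assumes `dig` is installed and that your domain and the token Certbot printed are passed as arguments. Let's Encrypt queries the zone's authoritative nameservers, so the script asks those directly instead of trusting a local resolver cache.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record is visible on every
# authoritative nameserver before continuing the Certbot prompt.
# Requires dig (package dnsutils on Debian/Ubuntu, bind-utils on Fedora).

# Return 0 when EXPECTED appears as a TXT value in DIG_OUTPUT, which is the
# text produced by `dig +short TXT ...` (one quoted value per line).
txt_value_present() {
    dig_output=$1
    expected=$2
    printf '%s\n' "$dig_output" | grep -Fxq "\"$expected\""
}

# Query each authoritative nameserver for DOMAIN directly and report whether
# the token Certbot printed is already served there. Returns 0 only when
# every nameserver serves it.
check_acme_txt() {
    domain=$1            # e.g. example.com
    expected=$2          # the validation token shown by Certbot
    name="_acme-challenge.$domain"
    ok=0
    missing=0
    for ns in $(dig +short NS "$domain"); do
        out=$(dig +short TXT "$name" "@$ns")
        if txt_value_present "$out" "$expected"; then
            echo "ok    $ns serves $name"
            ok=$((ok + 1))
        else
            echo "wait  $ns does not yet serve the expected value"
            missing=$((missing + 1))
        fi
    done
    [ "$ok" -gt 0 ] && [ "$missing" -eq 0 ]
}

# Usage: sh check_acme.sh example.com TOKEN
# With -d "*.example.com" -d example.com Certbot validates both names at the
# same record name, so it prints two tokens and both TXT records must exist
# at the same time. Run this once per token.
if [ "$#" -eq 2 ]; then
    check_acme_txt "$1" "$2"
fi
```

If any nameserver still reports "wait", keep waiting rather than pressing Enter, since a failed validation must be repeated from the start.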

Step 4: Locate and Back Up the Certificate Files

If the verification process completes successfully, your wildcard certificate will be saved to the default Certbot directory:

  • /etc/letsencrypt/live/example.com/fullchain.pem (certificate with intermediates)
  • /etc/letsencrypt/live/example.com/privkey.pem (private key)

You can now configure your web server (Apache, Nginx, etc.) or application (e.g., email server, reverse proxy) to use these certificate files.

Step 5: Configure Your Server

This step varies depending on the web server in use. Below is an example for configuring Nginx to use the wildcard certificate:

server {
    listen 443 ssl;
    server_name *.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Additional configuration such as root, proxy settings, etc.
}

For Apache users, update your site’s SSL configuration to point to the certificate and private key paths.

Restart your web server to apply the changes:

sudo systemctl restart nginx

or

sudo systemctl restart apache2

Step 6: Set Up Auto-Renewal

Let’s Encrypt certificates are only valid for 90 days, so it’s crucial to automate the renewal process to maintain site security. While Certbot sets up a cron job or systemd timer by default, you can manually test it with:

certbot renew --dry-run

If you use a DNS API plugin, renewal can be fully automated. With the manual DNS challenge, however, renewal is also manual unless an automated script can interact with your DNS provider on Certbot's behalf.

Troubleshooting Tips

  • TXT Record Not Found: Double-check the syntax. The record name (_acme-challenge.example.com) must not be quoted; only the value goes in quotes.
  • DNS Propagation Delay: DNS updates can take time. Use online tools like DNS Checker to ensure proper propagation.
  • Permission Issues: Ensure your Certbot environment has read access to DNS tokens or API credentials if using an automated method.

Security Best Practices

Once your certificate system is in place, take the following additional steps to maintain a secure environment:

  • Restrict permissions on private keys to prevent unauthorized access
  • Regularly test auto-renewal logic and cron tasks
  • Enable HTTP to HTTPS redirection to enforce encrypted traffic
  • Use strong cipher suites and enable HTTP/2 for improved performance and security
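The first point above deserves a concrete check, because a wildcard private key protects every subdomain at once, and the DNS API credentials file from Step 2 can be used to issue certificates for your whole domain. The following POSIX sh script is an added example, not code from the tutorial; the default paths are the tutorial's own and are an assumption for your system.

```shell
#!/bin/sh
# Added example: report any Certbot secret that is readable by group or
# others. Intended for the private key from Step 4 and the DNS API
# credentials file from Step 2 (paths are assumptions; pass your own).

# Return 0 if FILE grants no permissions at all to group or others, 1 if it
# does, 2 if it is missing. ls -L follows symlinks, which matters because
# /etc/letsencrypt/live/* are links into /etc/letsencrypt/archive/.
mode_is_private() {
    f=$1
    [ -e "$f" ] || return 2
    group_other=$(ls -ldL "$f" | cut -c5-10)   # e.g. "------" or "r--r--"
    [ "$group_other" = "------" ]
}

# Check every path given; print a verdict per file and return non-zero if
# any existing file is exposed.
audit_secrets() {
    rc=0
    for f in "$@"; do
        mode_is_private "$f" && status=0 || status=$?
        case $status in
            0) echo "ok       $f" ;;
            1) echo "EXPOSED  $f  (fix: chmod 600 \"$f\")"; rc=1 ;;
            *) echo "missing  $f" ;;
        esac
    done
    return $rc
}

# Usage: sh audit_secrets.sh /etc/letsencrypt/live/example.com/privkey.pem \
#            ~/.secrets/cloudflare.ini
if [ "$#" -gt 0 ]; then
    audit_secrets "$@"
fi
```

Running it from the same cron job or timer that tests renewal turns the best-practice bullet into a recurring check rather than a one-off fix.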

Conclusion

Setting up a Let’s Encrypt wildcard certificate might seem complex, especially with DNS validation requirements, but the benefits of securing multiple subdomains with a single certificate are immense. With tools like Certbot and the support of DNS plugins or APIs, the process becomes more streamlined and manageable. By following this step-by-step guide, you can confidently secure your domain infrastructure and ensure your users enjoy safe browsing experiences.

Remember, cybersecurity isn’t a “set it and forget it” task — stay vigilant with renewals, monitor your configurations, and update your setups according to evolving best practices.

By adopting a comprehensive SSL strategy through Let’s Encrypt and wildcard certificates, you solidify both the trustworthiness and reliability of your digital presence.

Lucas Anderson

I'm Lucas Anderson, an IT consultant and blogger. Specializing in digital transformation and enterprise tech solutions, I write to help businesses leverage technology effectively.