This article describes how to obtain free wildcard SSL/TLS certificates using Let’s Encrypt (Certbot) on Ubuntu 24.04.
You need to install SSL certificates to operate your website over HTTPS. You can purchase certificates from a certificate authority or obtain free ones from Let’s Encrypt.
Let’s Encrypt is a certificate authority that offers free SSL/TLS certificates through a completely automated process, which removes the need for manual certificate creation, validation, installation, and renewal.
You can install these certificates on your web servers to serve HTTPS traffic to your users.
In this guide, you will learn how to generate a wildcard SSL certificate for your domain using Certbot.
Install the Let’s Encrypt Certbot Tool
To generate your free wildcard certificates, ensure that Certbot is installed and running. You can install it by running the commands below:
sudo apt update
sudo apt-get install letsencrypt
The commands above install the Certbot tool and the dependencies it needs to run.
Generate Let’s Encrypt Wildcard SSL Certificate
Now that the tool is installed, you can generate certificates.
Let’s Encrypt offers various methods for you to validate your ownership of a domain before you can obtain SSL certificates. You need to prove your ownership of the domain in order to generate certificates.
However, for wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge (dns-01), which you select with the --preferred-challenges=dns flag.
So, to generate a wildcard cert for *.example.com, run the command below. Include the bare domain example.com as well, because the wildcard name does not cover it. The wildcard is quoted so the shell does not try to expand it as a file glob.
sudo certbot certonly --manual --preferred-challenges=dns --email admin@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d example.com -d '*.example.com'
The command options above are explained below:
- certonly: Obtain or renew a certificate, but do not install it
- --manual: Obtain certificates interactively, completing the challenge by hand
- --preferred-challenges=dns: Use a DNS TXT record to prove domain ownership
- --server: Specify the ACME endpoint to use (here the Let’s Encrypt v2 production directory)
- --agree-tos: Agree to the ACME server’s subscriber terms
- -d: Domain name to include in the certificate (repeat for each name)
After executing the command above, Certbot prints a token that you must publish as a TXT record in your domain’s DNS zone.
Example:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8

Before continuing, verify the record is deployed.
Access your DNS provider’s portal, add a TXT record named _acme-challenge.example.com with the value shown, and save your changes.
Wait a few minutes before continuing at the prompt, and confirm the record is visible in public DNS first. Some DNS providers take time to propagate changes, and if Let’s Encrypt queries the zone before the record is there, the challenge fails and you must start over with a new token.
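As an added example (not code from the original article), a small POSIX shell helper that polls the zone’s authoritative name server for the _acme-challenge TXT record so you only answer Certbot’s prompt once the token is actually published. It assumes dig (from the bind9-dnsutils package) is installed; the domain and token passed to wait_for_txt are placeholders.

```shell
#!/bin/sh
# Added example: check that the dns-01 token is published before continuing in Certbot.
# Assumes `dig` is installed (apt-get install bind9-dnsutils).

# Read `dig +short TXT` output on stdin and succeed only if one answer equals the token.
# dig prints each TXT value in double quotes, so strip them before comparing whole lines.
txt_has_token() {
  expected="$1"
  tr -d '"' | grep -qxF -- "$expected"
}

# Poll the domain's authoritative name server until the token is visible.
# Let's Encrypt resolves from authoritative DNS, and a recursive resolver may
# still hold a cached negative answer from before the record was created.
# Usage: wait_for_txt example.com x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8 [tries]
wait_for_txt() {
  domain="$1"; expected="$2"; tries="${3:-20}"
  ns=$(dig +short NS "$domain" | head -n 1)
  [ -n "$ns" ] || { echo "no NS record found for $domain" >&2; return 1; }
  i=0
  while [ "$i" -lt "$tries" ]; do
    if dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_has_token "$expected"; then
      echo "TXT record for _acme-challenge.$domain is live on $ns; continue in Certbot"
      return 0
    fi
    i=$((i + 1))
    sleep 15
  done
  echo "token not visible on $ns after $tries attempts" >&2
  return 1
}
```

Run it in a second terminal while Certbot waits at the prompt; a non-zero exit means the record is still not published and pressing Enter would fail the challenge.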
After the record is in place, press Enter at the prompt. Once Let’s Encrypt verifies that you control the domain, you should see a success message like the one below:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-01-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The wildcard certificate is now generated and ready to be used.
To verify that the certificate is ready, run the command below:
sudo certbot certificates
That should display output similar to the following:
Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2020-01-05 07:48:04+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
Note that Let’s Encrypt certificates are valid for 90 days. Because this certificate was obtained with --manual, "certbot renew" cannot complete the DNS challenge unattended on its own: you either repeat the interactive steps above before expiry, or automate renewal with a Certbot DNS plugin for your provider or a --manual-auth-hook script that publishes the TXT record for you.
You’re all set!
Conclusion:
- Generating a free wildcard SSL/TLS certificate using Let’s Encrypt is a straightforward process that enhances your website’s security.
- The Certbot tool simplifies the installation and management of SSL certificates through a fully automated system.
- Always keep your Certbot and certificates up to date to ensure continuous web security and functionality.
- Remember that your Let’s Encrypt certificates will expire every 90 days, so set up reminders or automated renewal processes.
- Backing up your Certbot configuration directory is crucial for safeguarding your keys and certificates.
- Support the efforts of organizations like ISRG and EFF to maintain free encryption services for everyone.