sylvain durand

Wildcard certificates with Let’s Encrypt

Launched in late 2015, Let’s Encrypt is a public benefit organization which democratized the use of HTTPS by providing free SSL certificates with an automated validation system.

After several months of testing, Let’s Encrypt has launched the second version of its client (ACME v2) with a highly anticipated feature: you can obtain wildcard certificates, valid for all subdomains of one domain.

This possibility is particularly interesting when using many subdomains: so far, it was necessary to issue a new certificate to add a new subdomain, or to delete an old one. Here, a simple *.domain.tld is enough!


To get our certificates, we will use the certbot client. The site offers several installation methods depending on your platform. On Debian, you can simply use:

sudo apt-get install certbot

Issuing a certificate manually

Be careful, if you want a certificate for both the domain root (domain.tld) and its subdomains (*.domain.tld), both must be specified. With the -d parameter, it is possible to list the desired domains and subdomains:

sudo letsencrypt certonly --manual --preferred-challenges dns --register -d domain.tld -d *.domain.tld

Let’s encrypt will now have to ask us to prove that we have control over the domain names requested. It will request the creation of a specific TXT record in the DNS zone of the domain name, which can be done from your registar:

Please deploy a DNS TXT record under the name
_acme-challenge.domain.tld with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue

Two TXT records will be requested for the same domain, it is completely normal (for both domain.tld and *.domain.tld).

Once created, the certificate is located in /etc/letsencrypt/live/domain.tld.

This certificate cannot be renewed automatically: it is necessary, as it approaches its expiration, to renew the step.

Automated request: example with OVH

Fortunately, there are plugins to certbot allowing to automatically request certificates, which take care of modifying the DNS themselves to proceed with the validation. For example, under Debian, the following packages are provided:

# apt-cache search certbot-dns

Depending on your registrar, you can find documentation on their API and how to set up renewal. I am an OVH customer:

sudo apt-get install python3-certbot-dns-ovh

Then we go on to create a token in link with his account (be careful, we have to indicate his login of type xx00000-ovh and not his email address) with the following rules:

GET /domain/zone/*
PUT /domain/zone/*
POST /domain/zone/*
DELETE /domain/zone/*

We get the generated data to create the file:

dns_ovh_endpoint = ovh-eu
dns_ovh_application_key =
dns_ovh_application_secret =
dns_ovh_consumer_key =

We give it restricted rights, and then we can create a certificate:

sudo chmod 600 /root/.ovh.ini
sudo certbot certonly --dns-ovh --dns-ovh-credentials /root/.ovh.ini -d "domain.tld" -d "*.domain.tld"