Launched in late 2015, Let’s Encrypt is a public benefit organization which democratized the use of HTTPS by providing free SSL certificates with an automated validation system.
After several months of testing, Let’s Encrypt has launched the second version of its client (ACME v2) with a highly anticipated feature: you can obtain wildcard certificates, valid for all subdomains of one domain.
This possibility is particularly interesting when using many subdomains: so far, it was necessary to issue a new certificate to add a new subdomain, or to delete an old one. Here, a simple *.domain.tld is enough!
To get our certificates, we will use the certbot client. The site offers several installation methods depending on your platform. On Debian, you can simply use:
sudo apt-get install certbot
Issuing a certificate manually
Be careful: if you want a certificate for both the domain root (domain.tld) and its subdomains (*.domain.tld), both must be specified. With the -d parameter, it is possible to list the desired domains and subdomains:
sudo letsencrypt certonly --manual --preferred-challenges dns --register -d "domain.tld" -d "*.domain.tld"
Let’s Encrypt will now ask us to prove that we control the requested domain names. It will request the creation of a specific TXT record in the DNS zone of the domain name, which can be done from your registrar:
----------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domain.tld with the following value:

c81US66r6JVk1LwyFHbzINQvIU_m5gJWXgcUm8Qj2

Before continuing, verify the record is deployed.
----------------------------------------------------
Press Enter to Continue
Two TXT records will be requested for the same domain; this is completely normal (for both
Once created, the certificate is located in
This certificate cannot be renewed automatically: as it approaches its expiration, the whole procedure has to be repeated by hand.
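The prompt above asks you to verify that the record is deployed before pressing Enter, and the challenge fails if the new TXT value is not yet visible to Let’s Encrypt. The following script is an added example, not part of the article or of certbot: it parses the prompt certbot prints, then polls a public resolver through `dig` (assumed to be installed) until the expected value shows up. Any callable that returns a list of TXT strings can be passed as `resolver` instead of `dig_txt`.

```python
#!/usr/bin/env python3
"""Check that the TXT record certbot asks for is visible before pressing
Enter in the --manual DNS-01 flow.

Added example, not from the article or from certbot. Live lookups assume
`dig` (dnsutils / bind-utils) is installed; the resolver is pluggable.
"""
import re
import subprocess
import sys
import time

# Constructed copy of the prompt shown in the article; the value is the
# one printed there, every real challenge gets its own.
SAMPLE_PROMPT = """\
----------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domain.tld with the following value:

c81US66r6JVk1LwyFHbzINQvIU_m5gJWXgcUm8Qj2

Before continuing, verify the record is deployed.
----------------------------------------------------
Press Enter to Continue
"""

PROMPT_RE = re.compile(
    r"under the name\s+(?P<name>[A-Za-z0-9_.-]+)\s+"
    r"with the following value:\s+(?P<value>[A-Za-z0-9_-]+)"
)


def parse_prompt(text):
    """Return (record_name, expected_value) from a certbot DNS-01 prompt."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("no DNS TXT challenge found in prompt")
    return m.group("name"), m.group("value")


def parse_dig_short(output):
    """Turn `dig +short TXT` output into a list of TXT values.

    dig prints one rdata per line as quoted strings; a long value is split
    into several quoted pieces that must be concatenated.
    """
    values = []
    for line in output.splitlines():
        pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if pieces:
            values.append("".join(pieces))
    return values


def dig_txt(name, server="8.8.8.8"):
    """Live resolver: ask a public recursive resolver for the TXT records."""
    proc = subprocess.run(
        ["dig", "+short", "@" + server, "TXT", name],
        capture_output=True, text=True, check=False,
    )
    return parse_dig_short(proc.stdout)


def record_deployed(name, expected, resolver=dig_txt):
    """True when `expected` is among the TXT values published for `name`.

    Other values may coexist: when domain.tld and *.domain.tld are requested
    together, both challenges live under the same _acme-challenge name.
    """
    return expected in resolver(name)


def wait_for_record(name, expected, resolver=dig_txt, attempts=20, delay=15):
    """Poll until the record is visible or the attempts run out."""
    for i in range(attempts):
        if record_deployed(name, expected, resolver):
            return True
        if i + 1 < attempts:
            time.sleep(delay)
    return False


if __name__ == "__main__":
    # Paste certbot's prompt on stdin; with no stdin the sample is used.
    prompt = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROMPT
    record, value = parse_prompt(prompt)
    ok = wait_for_record(record, value)
    print(("deployed" if ok else "NOT visible") + f": {record} TXT {value}")
    sys.exit(0 if ok else 1)
```

Run it in a second terminal while certbot waits, then press Enter only once it reports the record as deployed. Querying a public recursive resolver rather than your own machine's cache avoids being fooled by a stale negative answer.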
Automated request: example with OVH
Fortunately, there are plugins for certbot that request certificates automatically and take care of modifying the DNS zone themselves to complete the validation. For example, on Debian, the following packages are provided:
# apt-cache search certbot-dns
python3-certbot-dns-cloudflare
python3-certbot-dns-digitalocean
python3-certbot-dns-dnsimple
python3-certbot-dns-gandi
python3-certbot-dns-gehirn
python3-certbot-dns-google
python3-certbot-dns-linode
python3-certbot-dns-ovh
python3-certbot-dns-rfc2136
python3-certbot-dns-route53
python3-certbot-dns-sakuracloud
Depending on your registrar, you can find documentation on their API and how to set up renewal. I am an OVH customer:
sudo apt-get install python3-certbot-dns-ovh
Then go to https://eu.api.ovh.com/createToken/ to create a token linked to your account (be careful, you must enter your login of the form xx00000-ovh, not your email address) with the following rules:
GET /domain/zone/*
PUT /domain/zone/*
POST /domain/zone/*
DELETE /domain/zone/*
We get the generated data to create the file:
#/root/.ovh.ini
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key =
dns_ovh_application_secret =
dns_ovh_consumer_key =
We give it restricted permissions, and then we can create the certificate:
sudo chmod 600 /root/.ovh.ini
sudo certbot certonly --dns-ovh --dns-ovh-credentials /root/.ovh.ini -d "domain.tld" -d "*.domain.tld"
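The token in that file can rewrite the whole DNS zone, so the chmod step matters as much as the key values. As an added example (not part of the article or of certbot), here is a pre-flight check that refuses to proceed when the file is readable by other users or when one of the four keys is still blank; the key names are the ones the article's template uses, the placeholder values are constructed.

```python
#!/usr/bin/env python3
"""Pre-flight check for the credentials file used by certbot --dns-ovh.

Added example, not from the article or from certbot. It flags a file that
other users can read (the keys grant write access to the DNS zone) and any
of the four expected keys left empty.
"""
import configparser
import os
import stat
import sys

# Key names from the template shown in the article.
REQUIRED_KEYS = (
    "dns_ovh_endpoint",
    "dns_ovh_application_key",
    "dns_ovh_application_secret",
    "dns_ovh_consumer_key",
)


def check_credentials(text, mode):
    """Return a list of problems for file contents `text` with permission
    bits `mode`; an empty list means the file is ready for certbot."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"file is accessible to group/others (mode {mode & 0o777:o}); run chmod 600"
        )
    # The file has no [section] header; prepend one so configparser accepts it.
    # interpolation=None keeps '%' characters in secrets from being expanded.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string("[dns-ovh]\n" + text)
    except configparser.Error as exc:
        return problems + [f"cannot parse file: {exc}"]
    section = parser["dns-ovh"]
    for key in REQUIRED_KEYS:
        if not section.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    return problems


def check_credentials_file(path):
    """Read the real file and its mode, then delegate to check_credentials."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        return check_credentials(fh.read(), st.st_mode)


# Constructed sample: the article's template filled with placeholder values.
SAMPLE_OK = """\
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = APPKEY_PLACEHOLDER
dns_ovh_application_secret = APPSECRET_PLACEHOLDER
dns_ovh_consumer_key = CONSUMERKEY_PLACEHOLDER
"""

# Same file with the consumer key left blank, as right after copying the template.
SAMPLE_BLANK = SAMPLE_OK.replace("CONSUMERKEY_PLACEHOLDER", "")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/root/.ovh.ini"
    found = check_credentials_file(path)
    for problem in found:
        print(f"{path}: {problem}")
    sys.exit(1 if found else 0)
```

Running it as root before the certbot call (for example from the same cron job or systemd unit that triggers renewal) turns a silent validation failure into an explicit error message.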