Use the manual plugin and DNS challenge in certbot
to obtain a wildcard Let’s Encrypt TLS certificate.
Subdomains only. A wildcard certificate for *.example.com covers names one label below the apex (e.g. www.example.com, mail.example.com). It does not cover the apex domain itself (example.com), and it does not cover deeper names such as a.b.example.com. To cover the apex as well, either add it to the same request (-d example.com -d '*.example.com', which requires a second _acme-challenge TXT record) or obtain a separate certificate for it.
$ certbot certonly --manual --preferred-challenges dns -d '*.example.com'
Create the _acme-challenge TXT record with the value certbot prints. Before continuing, use dig or Google's Dig tool to confirm the record is visible. Query the zone's authoritative nameservers or a public resolver you have not already asked about this name: a resolver that was queried before the record existed may keep returning a negatively cached "no such record" answer for a while, and Let's Encrypt's validation servers query your authoritative nameservers, not your local cache.
$ dig txt _acme-challenge.example.com
Wait until dig shows the record with the exact value certbot printed (if you are reusing an old _acme-challenge name, make sure a stale value from a previous run is not what you are seeing). Re-run the query a few times, ideally against more than one server (append @server to the dig command), so you know the record is served consistently and not just by one resolver.
Once you're confident the record is in place, press Enter to let certbot continue, and follow the remaining instructions it prints. If you requested more than one name, certbot prompts for a separate TXT record for each one. Note that a certificate obtained this way cannot be renewed unattended: Let's Encrypt certificates are valid for 90 days, and the manual plugin will prompt again at renewal unless you supply --manual-auth-hook and --manual-cleanup-hook scripts that create and remove the record for you.
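As an added example (not part of the original page or of certbot), the following POSIX shell script automates the "wait until dig shows the record" step above: it polls a resolver for the _acme-challenge TXT record and exits 0 only once the expected value is served. It can be run by hand in a second terminal with the name and value certbot printed, or used as a certbot --manual-auth-hook, in which case certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION for it. The resolver address, poll interval and retry count are assumptions, and creating the record at your DNS provider is not shown because it is provider-specific.

```shell
#!/bin/sh
# Added example, not code from the original page or from certbot.
# Polls DNS until the _acme-challenge TXT record certbot asked for is
# visible, so you do not press Enter on a guess.
# Resolver, interval and retry count are assumed values, not from the page.

RESOLVER="${RESOLVER:-1.1.1.1}"   # assumed public resolver to query
INTERVAL="${INTERVAL:-5}"         # seconds between polls (assumed)
MAX_TRIES="${MAX_TRIES:-60}"      # give up after about five minutes (assumed)

# Read `dig +short TXT` output on stdin and return 0 if any record equals
# the expected value. dig prints TXT data quoted and splits long records
# into "part1" "part2", so strip the outer quotes and rejoin the parts.
txt_has_value() {
  expected="$1"
  while IFS= read -r line; do
    value=$(printf '%s' "$line" | sed 's/^"//; s/"$//; s/" "//g')
    [ "$value" = "$expected" ] && return 0
  done
  return 1
}

# Query the resolver repeatedly until the record shows up or we time out.
# Needs network access.
wait_for_txt() {
  name="$1"
  expected="$2"
  tries=0
  while [ "$tries" -lt "$MAX_TRIES" ]; do
    if dig +short TXT "$name" "@$RESOLVER" | txt_has_value "$expected"; then
      echo "TXT $name = $expected visible on $RESOLVER" >&2
      return 0
    fi
    tries=$((tries + 1))
    sleep "$INTERVAL"
  done
  echo "timed out: TXT $name not visible on $RESOLVER" >&2
  return 1
}

# Hook mode: certbot sets these when the script is the --manual-auth-hook
# (for a wildcard, CERTBOT_DOMAIN is the base name without the "*.").
# Manual mode: ./wait-for-acme-txt.sh _acme-challenge.example.com <value>
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  wait_for_txt "_acme-challenge.${CERTBOT_DOMAIN}" "$CERTBOT_VALIDATION"
elif [ "$#" -ge 2 ]; then
  wait_for_txt "$1" "$2"
fi
```

When used as --manual-auth-hook, certbot blocks until the script exits, so you can add the record at your provider while it polls; for unattended renewal the hook would additionally have to create the record itself.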