Use the manual plugin and DNS challenge in certbot to obtain a wildcard Let’s Encrypt TLS certificate.

Subdomains only. A certificate for *.example.com covers names exactly one label below the apex (e.g. www.example.com, mail.example.com). It does not cover the apex domain itself (example.com), nor deeper names such as a.b.example.com. To cover the apex as well, either obtain a separate certificate for it or add it to the same request with -d example.com; in that case certbot asks for two TXT records at the same name, _acme-challenge.example.com, and both must be present at the same time.

$ certbot certonly --manual --preferred-challenges dns -d '*.example.com'

Because --manual is interactive, a certificate obtained this way will not renew unattended: certbot prompts for a fresh TXT record every time, so plan to repeat this procedure (or script it with --manual-auth-hook) before the certificate expires. Let's Encrypt certificates are valid for 90 days.

Create the TXT record at the exact name and with the exact value certbot shows; the value is a one-off token, so copy it rather than retyping it. Before continuing, use dig
or Google's Dig tool to confirm the record is visible.

$ dig txt _acme-challenge.example.com

Wait until dig returns a TXT record whose value matches the one certbot gave you. A local resolver may still be serving a cached, or cached-negative, answer, so re-run the query a few times and, ideally, check more than one resolver or the zone's authoritative nameservers directly; Let's Encrypt's validation queries the authoritative servers, not your cache.

Once you are confident the record is in place, press Enter to let certbot perform the validation, then follow the remaining prompts.
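The propagation check described above, as an added example that is not part of the original note or of certbot itself: it asks every authoritative nameserver of the zone for the _acme-challenge TXT record and only reports success when all of them serve the value certbot asked for. It assumes dig is installed; the helper names txt_has_value and check_all_ns, the script name, and the sample dig output used in the self-check are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page or from certbot). Confirms that the
# _acme-challenge TXT record certbot asked for is served by every authoritative
# nameserver of the zone before you press Enter in certbot.
# Assumes: dig is installed. Helper names below are this script's own.

# txt_has_value EXPECTED
# Reads `dig +short TXT` output on stdin and succeeds iff one record equals
# EXPECTED exactly. dig prints each TXT record quoted, and long records as
# several quoted chunks ("abc" "def"), so quotes are stripped and chunks joined.
txt_has_value() {
    expected=$1
    while IFS= read -r line; do
        value=$(printf '%s\n' "$line" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        if [ "$value" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# check_all_ns DOMAIN EXPECTED
# Queries each authoritative nameserver of DOMAIN directly, bypassing the local
# resolver (which may still hold a stale or negative answer), and reports which
# servers already serve EXPECTED at _acme-challenge.DOMAIN.
check_all_ns() {
    domain=$1
    expected=$2
    name="_acme-challenge.$domain"
    status=0
    found=0
    for ns in $(dig +short NS "$domain"); do
        found=1
        if dig +short TXT "$name" "@$ns" | txt_has_value "$expected"; then
            echo "ok       $ns"
        else
            echo "missing  $ns"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no NS records found for $domain (typo, or no network?)" >&2
        return 2
    fi
    return "$status"
}

# Offline self-check on constructed dig output: a split record must be joined.
printf '"v=spf1 -all"\n"to" "ken"\n' | txt_has_value token && echo "parser self-check ok"

# Poll until every nameserver answers, then it is safe to press Enter in certbot.
# Usage: sh check-acme-txt.sh example.com <value shown by certbot>
if [ "$#" -eq 2 ]; then
    until check_all_ns "$1" "$2"; do
        echo "not yet on every nameserver, retrying in 15s"
        sleep 15
    done
    echo "record visible on all authoritative nameservers; press Enter in certbot"
fi
```

Run it in a second terminal while certbot is waiting at its prompt. If you later automate the step with --manual-auth-hook, certbot hands the same two values to the hook as the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables, so check_all_ns can be called with those instead of command-line arguments.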