Use the manual plugin and DNS challenge in certbot to obtain a wildcard Let’s Encrypt TLS certificate.

Subdomains only. You can only use this wildcard certificate on subdomains; you cannot use it for the apex domain. Obtain a separate certificate for the apex domain.

$ certbot certonly --manual --preferred-challenges dns -d '*'

Create the TXT record as instructed by certbot. Before continuing, use dig or Google’s Dig tool to confirm the record is applied.

$ dig txt

Wait until dig shows that the record is applied. You may want to refresh or re-run it a couple of times to make sure the record has propagated to a few different servers.

Once you’re confident the record update is applied, press Enter to continue the certbot process and continue following the instructions it provides.
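The dig check described above, automated so you do not have to re-run it by hand: the script below polls several public resolvers directly for the _acme-challenge TXT record and only reports success once every one of them returns the exact token certbot printed. This is an added example and not part of the original note; the record name _acme-challenge.example.com, the token value and the resolver list are placeholders and assumptions, so pass your real record name and token as the two arguments. Google’s Dig tool is not scripted here.

```shell
#!/bin/sh
# Added example (not part of the original note): poll several public
# resolvers for the _acme-challenge TXT record and only report success once
# every one of them returns the token certbot printed. Run it in a second
# terminal while certbot waits, then press Enter once it reports success.
#
# Assumptions: the record name _acme-challenge.example.com and the token
# are placeholders; pass the real values as the two arguments.

RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"   # assumed public resolvers to cross-check

# txt_has_token TOKEN  (dig +short output on stdin)
# Succeeds when one of the TXT values on stdin is exactly the token.
# dig +short prints each TXT record as a double-quoted string on its own
# line, so a stale token from a previous run sits on a separate line and
# does not confuse the exact, whole-line match (-F fixed string, -x whole line).
txt_has_token() {
    grep -Fxq "\"$1\""
}

# query_txt RESOLVER NAME
# Ask one resolver directly instead of the local cache, so each answer
# reflects what that resolver sees; short timeouts keep the loop responsive.
query_txt() {
    dig +short +time=3 +tries=1 "@$1" TXT "$2"
}

# wait_for_txt NAME TOKEN [MAX_TRIES]
# Repeats until all resolvers return the token (exit 0) or the attempt
# budget is exhausted (exit 1). 15 s between rounds matches typical
# propagation times without hammering the resolvers.
wait_for_txt() {
    name="$1"; token="$2"; max_tries="${3:-20}"
    i=0
    while [ "$i" -lt "$max_tries" ]; do
        missing=""
        for r in $RESOLVERS; do
            if ! query_txt "$r" "$name" | txt_has_token "$token"; then
                missing="$missing $r"
            fi
        done
        if [ -z "$missing" ]; then
            echo "TXT $name carries the token on all resolvers; press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$max_tries: token not yet visible on:$missing"
        sleep 15
    done
    echo "gave up: record not visible everywhere after $max_tries attempts" >&2
    return 1
}

# Usage: ./wait-for-txt.sh _acme-challenge.example.com <token-from-certbot>
# (placeholder name; only runs the poll when both arguments are given)
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Querying each resolver with @resolver matters: a plain dig uses your local cache, which may serve a stale negative answer long after the authoritative servers already have the record, or show the record while the rest of the internet does not. Matching the whole quoted line also keeps a leftover _acme-challenge value from an earlier certbot run from producing a false positive.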