Use the manual plugin and DNS challenge in certbot to obtain a wildcard Let’s Encrypt TLS certificate.
Subdomains only. You can only use this wildcard certificate on subdomains (e.g. mail.example.com). You cannot use it for the apex domain (e.g. example.com). Obtain a separate certificate for the apex domain.
$ certbot certonly --manual --preferred-challenges dns -d '*.example.com'
Create the TXT record as instructed by certbot. Before continuing, use dig or Google’s Dig tool to confirm the record is applied.
$ dig txt _acme-challenge.example.com
dig shows that the record is applied. You may want to refresh/re-run it a couple times to ensure the record is updated on a few different servers.
Once you’re confident the record update is applied, press Enter to resume the certbot process and follow the instructions it provides.
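
One way to script the propagation check described above, as an added example that is not part of the original page: it asks the zone's authoritative nameservers and a few public resolvers for the _acme-challenge TXT record and reports any server that does not yet return the value certbot printed. The resolver list, the function names and the two script arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Confirms that the TXT value
# certbot asked for is visible on several DNS servers before you press Enter.
# Assumptions: resolver list, function names, and the two script arguments.

RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"   # public resolvers picked for illustration

# Reads `dig +short TXT` output on stdin (one quoted string per line) and
# succeeds only if some answer equals the expected value exactly. Stale
# values from earlier runs may sit beside the new one, so every line is checked.
txt_has_value() {
    expected=$1
    while IFS= read -r line || [ -n "$line" ]; do
        value=${line#\"}      # strip the quotes dig prints around TXT data
        value=${value%\"}
        if [ "$value" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Prints the zone's authoritative nameservers, without the trailing dot.
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Queries every server and returns non-zero if any of them lacks the value.
check_propagation() {
    name="_acme-challenge.$1"
    token=$2
    missing=0
    for server in $(authoritative_ns "$1") $RESOLVERS; do
        if dig +short TXT "$name" "@$server" | txt_has_value "$token"; then
            echo "ok       $server"
        else
            echo "MISSING  $server"
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh check-acme-txt.sh example.com <value shown by certbot>
if [ "$#" -eq 2 ]; then
    check_propagation "$1" "$2"
fi
```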