Domain & SSL Expiry Tracker

Free Wildcard SSL with Let's Encrypt + Certbot

Wildcard certificates (*.example.com) require a DNS-01 challenge because Let's Encrypt has to confirm you control the entire DNS zone, not just a single host.

Manual issuance (one-shot)

sudo apt update && sudo apt install -y certbot

sudo certbot certonly \
  --manual \
  --preferred-challenges dns \
  --agree-tos \
  --email you@example.com \
  -d "*.example.com" -d "example.com"

Certbot will print a TXT record for _acme-challenge.example.com. Add it to your DNS provider, wait for it to propagate (check with dig TXT _acme-challenge.example.com +short against a public resolver), then press Enter to continue. Certificates land at /etc/letsencrypt/live/example.com/.

Automated renewal (DNS API plugin)

For unattended renewal you need a DNS plugin so Certbot can publish the TXT record itself. Pick the plugin that matches your DNS provider:

# Cloudflare example
sudo apt install -y python3-certbot-dns-cloudflare

# /root/.secrets/cloudflare.ini   (chmod 600)
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
  -d "*.example.com" -d "example.com"

Renew on a schedule

# /etc/cron.d/certbot-renew
0 3 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx"

Note: certificates issued via the manual challenge cannot be auto-renewed; you must use a DNS plugin for renewals to be hands-off.