How to Generate Wildcard SSL Certificate using Let’s Encrypt/Certbot on CentOS#

Today I wanted to generate a wildcard SSL certificate for a service I was working on. Luckily, Let’s Encrypt’s ACME v2 production endpoint makes it so easy to generate wilcard certificates (for more details on this feature, see this post). Below are the steps I used to generate a wildcard certificate.


This article describes the process for Centos 7/8 but can also be used for other Linux distros (with small changes in step 1). Also, {subdomain} and {domain} are placeholders. Remember to replace them with your own values. For instance, {subdomain}-> mycloud, and {domain} ->

Step 1 — Installing the Certbot Let’s Encrypt Client#

$ sudo dfn install epel-release
$ sudo dfn install certbot


This step assumes that you are using CentOS 7/8.

Step 2 — Obtaining a Wildcard Certificate#

$ sudo certbot certonly -d *.{subdomain}.{domain} \
> --manual \
> --preferred-challenges dns \
> --server

The certbot prompts you for some personal information. Once everything is done, certbot provides a DNS TXT record to add to your DNS settings. At this point, head over to your DNS settings ( I was using google domains) and enter your TXT DNS record:



{subdomain} and {domain} are placeholders. Remember to replace them with your own values. For instance, {subdomain}-> mycloud, and {domain} ->

At this point,

  • Go back to your command line command (which should have been blocking after the DNS TXT record instructions).

  • Then Hit Enter.

Cerbot will retrieve your DNS records to verify that the entries are correct. If the verification is successful, you get following output:

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your certificate will expire on 2021-05-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Step 3 — Testing the Certificate and SSL Configuration#

At this point, you can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys.

Open your browser, and point it to the following link, replacing with your domain:

Voilà 🎉🎉🎉🎉!